YaBB Cross-Site Scripting
24th Jun 2002 [SBWID-5480]
COMMAND

	YaBB Cross-Site Scripting

SYSTEMS AFFECTED

	YaBB 1 Gold SP1 and earlier versions

PROBLEM

	In methodic [http://methodic.angrypacket.com] advisory:
	

	http://sec.angrypacket.com/advisories/0003_AP.yabb.txt

	

	When accessing a thread that doesn't exist, YaBB will give an error
	about the board not existing. Example:
	

	http://some.site.com/cgi-bin/YaBB/YaBB.cgi?board=BOARD&action=display&num=NULL

	

	This will trigger an error in the CGI script and output the following:
	

	This topic doesn't exist on this board. NULL : 96.

	

	The problem here should be fairly obvious. By crafting JavaScript code
	in place of NULL, a malicious user can trick someone into running the
	code of their choice, since YaBB doesn't filter user input/script
	output.
	

	 Exploit:
	 ========

	

	http://some.site.com/cgi-bin/YaBB/YaBB.cgi?board=BOARD&action=display&num=<script>alert()</script>

	

SOLUTION

	Upgrade to a newer version of YaBB [http://www.yabbforum.com]
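
The missing filtering described under PROBLEM, as an added Perl example that is not YaBB's code and not part of the advisory: a hypothetical handler echoes `num` the way the advisory describes, next to a version that validates and HTML-escapes it. The function names, the stand-alone query parser and the assumption that topic numbers are decimal digits are illustrative.

```perl
#!/usr/bin/perl
# Added illustration: hypothetical stand-in for the error path, not YaBB source.
use strict;
use warnings;

my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');

# Encode the characters that are significant in HTML text and attribute values.
sub html_escape {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Minimal query-string parser so the example runs without CGI.pm.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs) {
        next unless length $pair;
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; }
        $p{$k} = $v;
    }
    return %p;
}

# Behaviour the advisory describes: num is echoed into the page as-is.
sub error_unfiltered {
    my ($num) = @_;
    return "This topic doesn't exist on this board. $num : 96.";
}

# Hardened: reject anything that is not a plain topic number (assumed here to
# be decimal digits) and escape whatever is still echoed back.
sub error_hardened {
    my ($num) = @_;
    return "Invalid topic number."
        unless defined $num && $num =~ /\A[0-9]{1,20}\z/;
    return "This topic doesn't exist on this board. " . html_escape($num) . " : 96.";
}

# Constructed request, using the query string shown in the advisory.
my %q = parse_query('board=BOARD&action=display&num=<script>alert()</script>');
print "unfiltered:  ", error_unfiltered($q{num}), "\n";
print "hardened:    ", error_hardened($q{num}), "\n";
print "escape only: ", html_escape($q{num}), "\n";
```

Validation alone would stop this request, but escaping at output is what keeps the page safe if another parameter or a later code path echoes user input.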
