Vulnerability

YaBB

Affected

YaBB 1.9.2000

Description

Pestilence found the following. YaBB is the internet's second Open Source Bulletin Board system. A Bulletin Board is software to add interactivity to your site. Someone can post a question, which other visitors can answer. A bulletin board keeps your visitors coming back.

When YaBB.pl is called with the variables $display and $num ($num is the variable that handles the file), it opens a file for reading without any security check. Although the script responsible for handling the file appends a .txt extension, a user is able to force the script to open any file he wants by adding %00 to the end of the request, thus forcing the script to omit the .txt extension. The problem is located within the Display.pl script:

    sub Display {
        # 'num' comes straight from the request and is never validated
        $viewnum = $INFO{'num'};
        open(FILE, "$vardir/membergroups.txt");
        &lock(FILE);
        @membergroups = <FILE>;
        &unlock(FILE);
        close(FILE);
        # $viewnum is interpolated into the path as-is
        open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

Note that the program is subject to more vulnerabilities, as most of the scripts that handle user input don't do any security checks (even the basic ones). For instance:

    http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

will open the passwd file.

Solution

The vendors have been informed of the bug. Wait for the next patched version of YaBB to be released.
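
A hardened form of the lookup in Display, as an added example that is not part of the original advisory or of YaBB's code: it allow-lists the thread id before any path is built, so traversal sequences and the decoded %00 byte never reach open(). The names thread_path and open_thread, the ./Messages directory and the sample ids are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not YaBB code: validate 'num' before it becomes a file name.
use strict;
use warnings;

# Assumption: message files are named <digits>.txt directly under $datadir.
my $datadir = './Messages';    # hypothetical location

# Return the path for a thread id, or nothing if the id is not acceptable.
sub thread_path {
    my ($num) = @_;
    return unless defined $num;
    # Allow-list: ASCII digits only, bounded length. \A and \z anchor the
    # whole string, so "123\n", "123\0" and "../x" are all rejected
    # (a pattern ending in $ would still accept a trailing newline).
    return unless $num =~ /\A[0-9]{1,20}\z/;
    return "$datadir/$num.txt";
}

# Open a thread for reading. The three-argument open keeps the name from
# ever being parsed as a mode or a pipe.
sub open_thread {
    my ($num) = @_;
    my $path = thread_path($num) or return;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs, as they look after the CGI layer has
# URL-decoded the query string (%00 has become a NUL byte).
my @samples = (
    '966886000',
    "../../../../etc/passwd\0",
    "966886000\0",
    '966886000/../../x',
    '',
);

for my $num (@samples) {
    my $path = thread_path($num);
    (my $shown = $num) =~ s/\0/\\0/g;    # make the NUL byte visible
    printf "%-28s => %s\n", "'$shown'", defined $path ? $path : 'REJECTED';
}
```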