Yet another Bulletin Board (YaBB) 2.5.2 and earlier allow arbitrary
code execution through a combination of file uploads with
predictable locations and unsanitized use of the "guestlanguage"
cookie in file paths.

This problem is similar to CVE-2007-3295.


References:

http://www.yabbforum.com/community/YaBB.pl?num=1367511332

http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256


In Load.pl find:


	if ($yyCookies{'guestlanguage'} && !$FORM{'guestlang'} && $enable_guestlanguage) {
		$language = $guestLang = $yyCookies{'guestlanguage'};
	}
 



replace with:

    if (   $yyCookies{'guestlanguage'}
        && !$FORM{'guestlang'}
        && $enable_guestlanguage )
    {
        # Build the allow-list from whatever is actually present in the
        # Languages directory on the server.  If the directory cannot be
        # opened the list stays empty and no cookie value is accepted.
        my @langDir;
        if ( opendir( my $dh, $langdir ) ) {
            @langDir = readdir $dh;
            closedir $dh;
        }
        @lang = ();
        foreach my $langitems ( sort { lc($a) cmp lc $b } @langDir ) {
            chomp $langitems;
            if (   ( $langitems ne q{.} )
                && ( $langitems ne q{..} )
                && ( $langitems ne q{.htaccess} )
                && ( $langitems ne q{index.html} ) )
            {
                push @lang, $langitems;
            }
        }

        # Accept the cookie only if it is exactly one of those names
        # (a byte-for-byte match, so "../" or case variants never pass);
        # otherwise $language keeps its default.
        $ccheck = 0;
        $clang  = q{};
        for my $lng (@lang) {
            if ( $yyCookies{'guestlanguage'} eq $lng ) {
                $clang  = $lng;
                $ccheck = 1;
                last;
            }
        }
        if ( $ccheck == 1 ) {
            $language = $guestLang = $clang;
        }
    }
 



And I'm sure Carsten will have a much neater way of doing this.

While I can't confirm that the security vulnerability has ever been exploited against a YaBB Forum, I'm pretty sure that the original code allows for the possibility of bad stuff being passed into the $language variable - which is a very bad thing.

The new code compares what's in the guestlanguage cookie against the possible valid options - the Languages in the Language folder on the server.  If it's not a valid value, it doesn't get passed along. (At least that's how it should work.)
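The allow-list check described above, as an added example that is not part of the original post and not YaBB's own code: a stand-alone Perl script that builds the list of valid names from a throwaway Languages directory, runs a few cookie values through an exact-match check, and prints where a later file load would have looked had the cookie been used unchecked. The helper names, the temporary directory, the sample cookie values and the Main.lng file name are assumptions for illustration only; the page does not show which file YaBB appends to the language path.

```perl
#!/usr/bin/perl
# Added example, not YaBB's own code: allow-list validation of the
# guestlanguage cookie against the contents of the Languages directory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Read the language directory once and keep every entry except the
# housekeeping files YaBB ships there (., .., .htaccess, index.html).
sub load_language_list {
    my ($langdir) = @_;
    opendir( my $dh, $langdir ) or die "Cannot open $langdir: $!";
    my @entries = sort { lc $a cmp lc $b } readdir $dh;
    closedir $dh;
    return grep { $_ !~ /\A(?:\.|\.\.|\.htaccess|index\.html)\z/ } @entries;
}

# Return the cookie value only if it is byte-for-byte one of the
# allowed names; anything else yields undef and the caller keeps
# the default language.
sub valid_guest_language {
    my ( $cookie, @allowed ) = @_;
    return unless defined $cookie;
    for my $lang (@allowed) {
        return $lang if $cookie eq $lang;
    }
    return;
}

# Where a later file load would look for the language pack.  The file
# name Main.lng is an assumption for illustration; only the directory
# part matters for the point being made.
sub language_path {
    my ( $langdir, $language ) = @_;
    return File::Spec->catfile( $langdir, $language, 'Main.lng' );
}

# Make embedded NUL bytes visible when printing.
sub show {
    my ($s) = @_;
    $s =~ s/\0/\\0/g;
    return $s;
}

# ---- constructed demo environment (removed when the script exits) ----
my $langdir = tempdir( CLEANUP => 1 );
for my $pack (qw(English German)) {
    mkdir File::Spec->catdir( $langdir, $pack ) or die "mkdir $pack: $!";
}
my @allowed = load_language_list($langdir);
print "Allowed languages: @allowed\n\n";

# Constructed cookie values: one legitimate, the rest hostile or off-list.
my @cookies = (
    'English',                        # legitimate
    'english',                        # case variant, not an exact match
    '../../Attachments/upload.pl',    # traversal toward a predictable upload path
    "English\0/../../etc/passwd",     # embedded NUL byte, a classic path trick
);

for my $cookie (@cookies) {
    my $lang = valid_guest_language( $cookie, @allowed );
    if ( defined $lang ) {
        printf "ACCEPT %-30s -> %s\n", show($cookie),
            language_path( $langdir, $lang );
    }
    else {
        printf "REJECT %-30s (unchecked path would be %s)\n", show($cookie),
            show( language_path( $langdir, $cookie ) );
    }
}
```

Run it with `perl guestlang_check.pl`. Only the exact name `English` is accepted; the three other values are rejected, and the REJECT lines show the path outside the language directory that an unchecked cookie would have produced, which is exactly the combination with a predictably located upload that the advisory at the top describes.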