YaBB 2.5.2 and earlier arbitrary code execution

2013.05.05
Credit: John Lightsey
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

Yet another Bulletin Board (YaBB) 2.5.2 and earlier allow arbitrary code execution through a combination of file uploads with predictable locations and unsanitized use of the "guestlanguage" cookie in file paths. This problem is similar to CVE-2007-3295. References: http://www.yabbforum.com/community/YaBB.pl?num=1367511332 http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256 In Load.pl find: CodeSelect All if ($yyCookies{'guestlanguage'} && !$FORM{'guestlang'} && $enable_guestlanguage) { $language = $guestLang = $yyCookies{'guestlanguage'}; } replace with: CodeSelect All if ( $yyCookies{'guestlanguage'} && !$FORM{'guestlang'} && $enable_guestlanguage ) { opendir DIR, $langdir; my @langDir = readdir DIR; closedir DIR; @lang = (); foreach my $langitems ( sort { lc($a) cmp lc $b } @langDir ) { chomp $langitems; if ( ( $langitems ne q{.} ) && ( $langitems ne q{..} ) && ( $langitems ne q{.htaccess} ) && ( $langitems ne q{index.html} ) ) { push @lang, $langitems; } } $ccheck = 0; $clang = q{}; for my $lng (@lang) { if ( $yyCookies{'guestlanguage'} eq $lng ) { $clang = $lng; $ccheck = 1; last; } } if ($ccheck == 1) { $language = $guestLang = $clang; } } And I'm sure Carsten will have a much neater way of doing this. While I can't confirm that the security vulnerability has ever been exploited against a YaBB Forum, I'm pretty sure that the original code allows for the possibility of bad stuff being passed into the $language variable - which is a very bad thing. The new code compares what's in the guestlanguage cookie against the possible valid options - the Languages in the Language folder on the server. If it's not a valid value, it doesn't get passed along. (At least that's how it should work.)

Referencje:

http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256
http://seclists.org/oss-sec/2013/q2/279


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top