
Another YabbSE Remote Code Execution Vulnerability

by Nikola Strahija on January 25th, 2003 An attacker can combine his own server with the victim's in such a way that it allows him/her to include remote arbitrary code on the victim's server and run it with webserver permissions.


Homepage : http://www.yabbse.org
Vendor : informed
Mailed advisory: 24/01/02
Vendor Response : None


----------------------
Affected Versions:
----------------------

1.5.1 and prior


----------------------
Vulnerability:
----------------------


YabbSE contains a file called News.php which is found in the root directory. For some
unknown reason the vendor did not place this file inside /Sources even though this file
is only intended to be used as an include. An attacker can combine his own server with
the victim's in such a way that it allows him/her to include remote arbitrary code on
the victim's server and run it with webserver permissions.

The attack works as follows:

********
..

// None of the four variables below is defined in News.php itself; with
// register_globals on, a request parameter of the same name supplies them.
$dbcon = mysql_connect($db_server, $db_user, $db_passwd);
mysql_select_db($db_name);

..

********

First of all we can see News.php is trying to connect to the SQL database. We can see that
the variables above that contain the database information are not defined and may be
changed by the attacker. If the attacker installs YabbSE on his/her server and allows remote
SQL connections, then News.php will think the database has been loaded successfully and run
the following lines:

********
..

// $template and $ext are likewise never initialised, so the include path
// is built entirely from values the requester controls.
if ($template == null)
    include("news_template.php");
else
{
    if ($ext == null)
        include($template . ".php");
    else
        include($template . "." . $ext);
}

..

********

Since $template is never defined beforehand, the attacker may inject into $template his/her own
remote file. News.php will include the attacker's code and run it on the server, giving
the attacker the ability to execute arbitrary code on the server with webserver permissions.


----------------------
Solution:
----------------------

Please check the vendor's website for new patches.

As a temporary solution rename News.php to News.inc and wait for the vendor's reply.
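The include logic quoted above, rewritten in hardened form. This is an added example and not the vendor's patch or YabbSE's own code; the YABBSE_ENTRY constant and the Settings.php path are assumptions, since the advisory does not name the project's real entry guard or configuration file.

```php
<?php
// Added example (not YabbSE's own code): the News.php include logic with the
// three weaknesses from the advisory closed: direct execution, request-supplied
// database settings, and a request-supplied include path.

// 1. Refuse to run unless pulled in by the application. The constant name
//    YABBSE_ENTRY is an assumption; the real project would define its own.
if (!defined('YABBSE_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// 2. Database settings come from the application's own config file, never
//    from request variables. Assumed file name; the advisory does not give it.
require_once dirname(__FILE__) . '/Settings.php';
$dbcon = mysql_connect($db_server, $db_user, $db_passwd);
if ($dbcon === false || !mysql_select_db($db_name, $dbcon)) {
    exit('Database unavailable');
}

// 3. Only templates shipped with the application may be included. The map
//    value is the file name, so neither a path nor an extension is built
//    from user input.
$allowed_templates = array(
    'news_template' => 'news_template.php',
);

// Read the template name explicitly instead of relying on register_globals,
// then resolve it through the allow-list; anything unknown falls back to
// the default rather than reaching include().
$requested = isset($_GET['template']) ? $_GET['template'] : 'news_template';
if (!isset($allowed_templates[$requested])) {
    $requested = 'news_template';
}
include dirname(__FILE__) . '/' . $allowed_templates[$requested];
?>
```

Independently of the code change, setting allow_url_fopen = Off in php.ini stops include() from fetching remote URLs at all, which removes the remote half of this attack for every script on the host.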


