Users login

Create an account »


Users login

Home » Hacking News » YaBB.cgi vulnerability

YaBB.cgi vulnerability

by Nikola Strahija on June 22nd, 2002 problem: Cross-Site Scripting affected: YaBB 1 Gold SP1 and earlier versions explaination: When accessing a thread that doesn't exist, YaBB will give an error about the board not existing. Example: &action=display&num=NULL

This will trigger an error in the CGI script and output the
This topic doesn't exist on this board. NULL : 96.

The problem here should be fairly obvious. By crafting
JavaScript code in place of NULL, a malicious user can trick
someone into running the code of their choice, since YaBB
doesn't filter user input/script output.
risk: Due to the simplicity of the attack and the number of sites
that run YaBB, the risk is classified as Medium to High.
status: Vendor was notified 05/14/02.
fix: Upgrade to a newer version of YaBB

+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »