YabbSE Remote Code Execution 2 Vulnerability ( By Mindwarper :: mindwarper@hush.com :: ) <------- -------> ---------------------- Vendor Information: ---------------------- Homepage : http://www.yabbse.org Vendor : informed Mailed advisory: 24/01/02 Vender Response : None ---------------------- Affected Versions: ---------------------- 1.5.1 and prior ---------------------- Vulnerability: ---------------------- YabbSE contains a file called News.php which is found in the root directory. For some unkown reason the vendor did not place this file inside /Sources even though this file is only intended to be used as an include. An attacker can combine his own server with the victim in such way that it would allow him/her to inlcude remote arbitrary code on the victim's server and run it with webserver permissions. The attack works as following: ******** .. $dbcon = mysql_connect($db_server,$db_user,$db_passwd); mysql_select_db ($db_name); .. ******** First of all we can see News.php is trying to connect to the sql database. We can see that the variables above that contain the database information are not defined and may be changed by the attacker. If the attacker installs yabbse on his/her server and allows remote sql connection, then News.php will think the database has been loaded successfully and run the following lines: ******** .. if ($template == null) include("news_template.php"); else { if ($ext == null) include($template.".php"); else include($template.".".$ext); } .. ******** Since template is never defined before, the attacker may inject into $template his/her own remote file. News.php will include the attacker's code and run it on the server and give the attacker the ability to execute arbitrary code on the server with webserver permissions. ---------------------- Solution: ---------------------- Please check the vendor's website for new patches. As a temporary solution rename News.php to News.inc and wait for vendor's reply. ---------------------- Greetz: ---------------------- daemorhedron, Hawkje, Truckle, Cyon, Include <------- -------> Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
