Yet another Bulletin Board (YaBB) 2.5.2 and earlier allow arbitrary
code execution through a combination of file uploads with
predictable locations and unsanitized use of the "guestlanguage"
cookie in file paths.
This problem is similar to CVE-2007-3295.
References:
http://www.yabbforum.com/community/YaBB.pl?num=1367511332
http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256
In Load.pl find:
if ($yyCookies{'guestlanguage'} && !$FORM{'guestlang'} && $enable_guestlanguage) {
    $language = $guestLang = $yyCookies{'guestlanguage'};
}
replace with:
if ( $yyCookies{'guestlanguage'}
    && !$FORM{'guestlang'}
    && $enable_guestlanguage )
{
    # Build the list of acceptable values from the language directory
    # itself, skipping the housekeeping entries that live alongside the
    # language folders.
    opendir DIR, $langdir;
    my @langDir = readdir DIR;
    closedir DIR;
    @lang = ();
    foreach my $langitems ( sort { lc($a) cmp lc $b } @langDir ) {
        chomp $langitems;
        if (   ( $langitems ne q{.} )
            && ( $langitems ne q{..} )
            && ( $langitems ne q{.htaccess} )
            && ( $langitems ne q{index.html} ) )
        {
            push @lang, $langitems;
        }
    }
    # Accept the cookie only on an exact (eq) match against that list, so
    # a value containing "../" or other path characters is never used.
    $ccheck = 0;
    $clang  = q{};
    for my $lng (@lang) {
        if ( $yyCookies{'guestlanguage'} eq $lng ) {
            $clang  = $lng;
            $ccheck = 1;
            last;
        }
    }
    if ( $ccheck == 1 ) {
        $language = $guestLang = $clang;
    }
}
And I'm sure Carsten will have a much neater way of doing this.
While I can't confirm that the security vulnerability has ever been exploited against a YaBB Forum, I'm pretty sure that the original code allows for the possibility of bad stuff being passed into the $language variable - which is a very bad thing.
The new code compares what's in the guestlanguage cookie against the possible valid options - the Languages in the Language folder on the server. If it's not a valid value, it doesn't get passed along. (At least that's how it should work.)
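The vulnerable pattern and the allow-list fix side by side, as an added stand-alone Perl example that is not YaBB's code and not the patch posted above. It builds its own throwaway directory layout, assumes a language file path of the form "$langdir/$language/Main.lng" (an assumption for the demo, not taken from Load.pl), and adds a -d test on directory entries that the posted patch does not have.

```perl
#!/usr/bin/perl
# Added example (not YaBB's code): shows why an unchecked guestlanguage
# cookie is a path-traversal primitive, and how an allow-list built from
# the language directory stops it. The file layout and the path template
# "$langdir/$language/Main.lng" are assumptions for this demo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use Cwd qw(realpath);

# Constructed sandbox: a fake "Languages" folder with two real languages,
# plus the non-language entries YaBB keeps there, and a sibling "uploads"
# folder standing in for the attacker's predictable upload location.
my $root    = tempdir( CLEANUP => 1 );
my $langdir = "$root/Languages";
make_path( "$langdir/English", "$langdir/German", "$root/uploads/evil" );
for my $f ( "$langdir/English/Main.lng", "$langdir/German/Main.lng",
            "$langdir/index.html",       "$langdir/.htaccess",
            "$root/uploads/evil/Main.lng" ) {
    open my $fh, '>', $f or die "$f: $!";
    close $fh;
}

# Vulnerable pattern from the original Load.pl: the cookie value is copied
# straight into $language and later used inside a file path.
sub vulnerable_lang_path {
    my ($cookie) = @_;
    my $language = $cookie;    # no validation at all
    return "$langdir/$language/Main.lng";
}

# Hardened pattern, same idea as the posted fix: enumerate the language
# folder once, drop the housekeeping entries, and only accept a cookie
# value that matches an entry exactly (eq, so "../x" can never match).
# The -d test is an extra not present in the posted patch.
sub valid_languages {
    opendir my $dh, $langdir or die "opendir $langdir: $!";
    my @entries = grep {
             $_ ne '.'
          && $_ ne '..'
          && $_ ne '.htaccess'
          && $_ ne 'index.html'
          && -d "$langdir/$_"    # only language folders count
    } readdir $dh;
    closedir $dh;
    return sort { lc $a cmp lc $b } @entries;
}

sub safe_lang_path {
    my ($cookie) = @_;
    my %allowed = map { $_ => 1 } valid_languages();
    return undef unless defined $cookie && $allowed{$cookie};
    return "$langdir/$cookie/Main.lng";
}

# Does the resolved path still live under the language folder?
sub inside_langdir {
    my ($path) = @_;
    my $real = realpath($path) or return 0;    # undef if it does not exist
    my $base = realpath($langdir);
    return index( $real, "$base/" ) == 0 ? 1 : 0;
}

# Three cookie values: a legitimate language, a traversal that lands on
# the attacker's upload, and a housekeeping entry that is not a language.
for my $cookie ( 'English', '../uploads/evil', 'index.html' ) {
    my $bad  = vulnerable_lang_path($cookie);
    my $good = safe_lang_path($cookie);
    printf "%-18s vulnerable -> %s (inside langdir: %d)\n",
        "'$cookie'", $bad, inside_langdir($bad);
    printf "%-18s hardened   -> %s\n", '',
        defined $good ? $good : 'rejected';
}
```

Run it with plain perl; it needs only core modules. The traversal value resolves, via the vulnerable path, to a real file outside the language folder (the attacker-controlled upload), while the hardened function rejects it and the non-language entry outright because neither is in the allow-list built from the directory.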