[17549] in bugtraq


Insecure input validation in YaBB Search.pl

daemon@ATHENA.MIT.EDU (rpc)
Tue Nov 7 16:08:16 2000

Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Message-ID:  <20001107190110.DBAB224D99B@lists.securityfocus.com>
Date:         Tue, 7 Nov 2000 11:01:46 GMT
Reply-To: rpc <h@ckz.org>
From: rpc <h@ckz.org>
X-To:         "[ K o S a K ]" <kosak@EPSYLON.ORG>, vuln-dev@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <005701c04841$7541e220$1343f5d5@chello.fr>

Hi Everybody,

  Kosak reported this problem to vuln-dev last night.  I downloaded the script
and did some testing.

There is an input validation problem with the 'catsearch' field, which gets
interpolated in an open statement:

open(FILE, "$boardsdir/$cattosearch") || &fatal_error("$txt{'23'} $currentboard.txt");

where $cattosearch is a localized $catsearch, assigned:
$catsearch = $FORM{'catsearch'};

An attacker could easily create a malicious html form with a catsearch such as:
./../../../../../usr/bin/touch%20/tmp/foo|

The amount of directory traversal will vary from site to site, depending on
their YaBB setup.

--rpc <h@ckz.org>

On Mon, 6 Nov 2000 23:32:33 +0100, [ K o S a K ] said:

> Hi,
>
>  I heard it could be possible to execute arbitrary cmd across a script
>  called search.pl from the YaBB package.
>  I know that lots of web sites have been defaced by this exploit, but I haven't
>  found it yet.
>  It exploits an insecure input in the script.
>  Even the latest version must be vulnerable.
>
>  Has someone more information about this?
>
>  Thanks a lot.
>
>
>  KoSaK
>  www.epsylon.org
>  French Staff
>

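The defect rpc describes comes from Perl's two-argument open(): when the filename is built from unchecked form input, a value ending in "|" is treated as a command to run, and "../" sequences walk out of $boardsdir. The following is an added example, not YaBB's own code, showing the hardened form a maintainer would use: the board name is checked against a strict allowlist pattern and then opened read-only with the three-argument open(), which never interprets the filename as a pipe. The variables $boardsdir and the sample catsearch values are assumptions modelled on the post.

```perl
#!/usr/bin/perl
# Added example (not YaBB code): hardened replacement for the
#   open(FILE, "$boardsdir/$cattosearch")
# pattern quoted in the post. $boardsdir is an assumed location.
use strict;
use warnings;

my $boardsdir = '/tmp/yabb-boards';   # assumption: where board files live

# Return a read-only filehandle for a board, or (undef, reason) on refusal.
# Only a bare board name is accepted: letters, digits, '_' and '-'.
# That rules out '/', '..', '|', whitespace and URL-encoded leftovers,
# so neither directory traversal nor a trailing pipe can reach open().
sub safe_open_board {
    my ($dir, $catsearch) = @_;

    return (undef, 'invalid board name')
        unless defined $catsearch && $catsearch =~ /\A[A-Za-z0-9_-]+\z/;

    my $path = "$dir/$catsearch.txt";

    # Three-argument open with an explicit '<' mode: the third argument is
    # always a plain filename, never a command or a mode string.
    open(my $fh, '<', $path)
        or return (undef, "cannot open $path: $!");

    return ($fh, undef);
}

# Constructed inputs: a normal board name and the traversal/pipe string
# from the post (URL-decoded, as the CGI layer would hand it to the script).
my @inputs = (
    'general',
    './../../../../../usr/bin/touch /tmp/foo|',
);

for my $in (@inputs) {
    my ($fh, $err) = safe_open_board($boardsdir, $in);
    if ($fh) {
        print "opened board '$in'\n";
        close $fh;
    }
    else {
        print "rejected '$in': $err\n";
    }
}
```

Both fixes matter: the three-argument open alone stops the pipe trick but still lets "../" reach files outside the board directory, and the allowlist alone is only as good as its pattern, so the two are used together. Note that Perl's taint mode (-T) would catch the pipe case, since it refuses to run commands built from tainted data, but it permits read-only opens of tainted filenames and so would not stop the traversal on its own.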