Bugtraq mailing list archives

Insecure input validation in YaBB Search.pl


From: rpc <h () ckz org>
Date: Tue, 7 Nov 2000 11:01:46 GMT

Hi Everybody,

  Kosak reported this problem to vuln-dev last night.  I downloaded the script
and did some testing.

There is an input validation problem with the 'catsearch' field, which gets
interpolated in an open statement:

open(FILE, "$boardsdir/$cattosearch") || &fatal_error("$txt{'23'} $currentboard.txt");

where $cattosearch is a localized $catsearch, assigned:
$catsearch = $FORM{'catsearch'};

An attacker could easily create a malicious HTML form with a catsearch such as:
./../../../../../usr/bin/touch%20/tmp/foo|

The amount of directory traversal will vary from site to site, depending on
their YaBB setup.

--rpc <h () ckz org>

On Mon, 6 Nov 2000 23:32:33 +0100, [ K o S a K ] said:

Hi,

 I heard it could be possible to execute arbitrary cmd across a script
 called search.pl from the YaBB package.
 I know that lots of web sites have been defaced by this exploit, but I haven't
 found it yet.
 It exploits an insecure input in the script.
 Even the latest version must be vulnerable.

 Has someone more information about this?

 Thanks a lot.


 KoSaK
 www.epsylon.org
 French Staff
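For readers patching their own board: the root cause is Perl's two-argument open(), which parses the filename for a trailing '|' (run as a command) and, of course, follows '../' wherever it leads. The script below is an added example written for this archive, not YaBB code; the board directory, the category names and the '.txt' suffix are assumptions. It replaces the interpolated open with an allowlist check on 'catsearch' plus a three-argument open, so the form value can never be interpreted as a command or a path.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Added example, not code from YaBB.  The board directory and the list of
# categories are assumptions standing in for whatever the board defines.
my $boardsdir = '/var/www/yabb/Boards';
my %known_category = map { $_ => 1 } qw(general announcements help);

# Validate the untrusted 'catsearch' form field and return the file to read,
# or undef when the value is unsafe.  The original two-argument form
#   open(FILE, "$boardsdir/$cattosearch")
# lets a trailing '|' turn the "filename" into a shell command and honours
# any '../' components, which is exactly what the report above describes.
sub category_file_for {
    my ($catsearch) = @_;
    return undef unless defined $catsearch;

    # Decode URL escapes first so '%2e%2e' or '%7c' cannot slip past the checks.
    $catsearch =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

    # Allowlist: a bare category name, no slashes, dots, pipes or whitespace.
    return undef unless $catsearch =~ /\A[A-Za-z0-9_-]{1,40}\z/;

    # Only categories the board actually defines may be searched.
    return undef unless $known_category{$catsearch};

    # Assumed naming: one '<category>.txt' file per category under $boardsdir.
    return File::Spec->catfile($boardsdir, "$catsearch.txt");
}

sub read_category {
    my ($catsearch) = @_;
    my $path = category_file_for($catsearch);
    return undef unless defined $path;

    # Three-argument open with an explicit '<' mode: the path is taken
    # literally, never parsed for a pipe or redirection.
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $contents = <$fh>;
    close $fh;
    return $contents;
}

# Constructed inputs for a quick check, including the payload from the report.
for my $input ('general', 'help', 'Help', '../../etc/passwd',
               './../../../../../usr/bin/touch%20/tmp/foo|', 'general|') {
    my $verdict = defined category_file_for($input) ? 'accepted' : 'rejected';
    printf "%-48s %s\n", $input, $verdict;
}
```

Running it prints 'accepted' only for 'general' and 'help'; the traversal and pipe variants, and anything not on the category list, are rejected before any open() is attempted. The same two changes (allowlist the value, use three-argument open) apply to every other place in the YaBB scripts where a form field ends up in a filename.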


