Synnergy Laboratories Advisory SLA-2000-13 NAME YABB 9.1.2000 NULL-byte vulnerability AFFECTED Windows Linux UNIX SYNOPSIS Synnergy Labs has discovered a vulnerability in YABB formum that allows a remote user to view any arbitrary file as the UID of the HTTPD by appending a NULL byte using the CGI script options. DESCRIPTION YaBB is the internet's second Open Source Bulletin Board system. A Bulletin Board is software to add interactivity to your site. Someone can post a question, which other visitors can answer. A bulletin board keeps your visitors coming back This product can be downloaded from http://www.yabb.org 1) When YaBB.pl is called with the variable $display and $num (this is the variable that handles the file) it opens a file without any security check for reading, allthough the script that is responsible for handling the file, appends a .txt extension, a user is able to force the script to open any file he wants by adding %00 to the end of the request, thus forcing the script to ommit the .txt extension. The problem is located within the Display.pl script: sub Display { $viewnum = $INFO{'num'}; open(FILE, "$vardir/membergroups.txt"); &lock(FILE); @membergroups = ; &unlock(FILE); close(FILE); open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'} Note that the program is subject to more Vulnerabities as most of the scripts that handle user input don't do any security checks (even the basic ones). For instance: http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display& num=../../../../../../../../etc/passwd%00 .. will open the passwd file. SOLUTION The vendors have been informed of the bug. Wait for the next patched version of YaBB to be released. AUTHOR pestilence @ synnergy.net DISCLAIMER Synnergy Laboratories may not be held liable for the use or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk. COPYRIGHT Synnergy Laboratories - www.synnergy.net (c) 1998-2000