[Y2.1] YaBB Security Patch 06/12/07 (Read 3352 times)
Captain John
Ex Member
Oct 11th, 2007 at 10:05pm
A vulnerability has been found in YaBB 2.1 that allows members to enter specific text into some profile form fields to gain administrator access to the forum.  Administrator rights grant the member access to the forum controls.

This fix is not included in the YaBB 2.1 (Now available as YaBB 2.1.1) download at this time.  It must be applied to all new forum installations.

After installing the attached mod to your forum, users will not be able to use this vulnerability any more.  It converts these form fields to their HTML equivalent and removes line breaks, rather than writing them directly to the profile data (.vars) file.

To install the mod, please use the BoardMod program at www.BoadmOD.org to apply the code changes automatically to the YaBB 2.1 source files.  Then upload the updated source files to your website on top of the original files.  You may also apply the code changes manually to your code if you wish to preserve existing mods.  The mod file can be opened in a text editor such as Notepad.

The attached zip file has the mod already installed. Just download and unzip the file to your personal computer, then upload the files to the appropriate folders, overwriting the existing files.

This patch was included in the code for Y2.2 and still is for newer versions.
« Last Edit: Jan 18th, 2010 at 9:51pm by »  

profile_register_patched.zip ( 22 KB | 202 Downloads )
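
The kind of fix described in the post (encode form fields to their HTML equivalents and remove line breaks before they reach the profile data file), sketched as an added example; this is not the code from the attached mod or from YaBB. The `key|value` one-record-per-line format, the function names and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not YaBB's own code): make a submitted profile value
# safe to store as a single line of a line-oriented flat file.
sub sanitize_field {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\r\n]+/ /g;    # remove line breaks so the value stays on one line
    $value =~ s/&/&amp;/g;      # encode '&' first so later entities are not re-encoded
    $value =~ s/</&lt;/g;
    $value =~ s/>/&gt;/g;
    $value =~ s/"/&quot;/g;
    $value =~ s/'/&#39;/g;
    $value =~ s/\|/&#124;/g;    # '|' is the separator in this assumed format
    return $value;
}

# Assumed storage format for illustration: one "key|value" record per line.
sub serialize_profile {
    my ($profile, $clean) = @_;
    return join '', map {
        my $v = $clean ? sanitize_field($profile->{$_}) : $profile->{$_};
        "$_|$v\n";
    } sort keys %$profile;
}

# Constructed sample input: fields containing markup, a separator and a line break.
my %profile = (
    realname  => 'Alice "Al" <alice>',
    signature => "first line\r\nsecond|line",
);

# Compare how many lines each mode writes for the same two fields.
for my $mode (0, 1) {
    my $out   = serialize_profile(\%profile, $mode);
    my $lines = () = $out =~ /\n/g;
    printf "%s: %d fields stored as %d lines\n",
        ($mode ? 'sanitized' : 'raw'), scalar(keys %profile), $lines;
    print $out if $mode;
}
```

When the line count for the raw output exceeds the field count, a submitted value has spilled into a record of its own, which is the condition the sanitizing step prevents.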