Page Index Toggle Pages: 1
Topic Tools
Normal Topic Sanitizing Input in Yabb (Read 1,978 times)
YaBB Newcomer

Posts: 13
Sanitizing Input in Yabb
Mar 18th, 2010 at 4:40am
Post Tools
Yabb has a security vulnerability that allows hackers to modify HTTP response headers. This should be fixed if possible in the next release.

All inputs (e.g. parameters in URLs) should be stripped from the following characters.

These characters have no practical use in the parameters except for hacking...

This issue came up due to a failing McAfee security scan (e.g. PCI).
Please see post for context and more details.

Thanks for a great forum!

Cheeers, Marcello
« Last Edit: Mar 18th, 2010 at 4:40am by marcello »  
Back to top
IP Logged
Matt Siegman
YaBB Legends (Inactive)

Posts: 3,380
Location: Wichita, KS
Re: Sanitizing Input in Yabb
Reply #1 - Mar 20th, 2010 at 11:27pm
Post Tools
As noted in the other thread, I'm just not quite 'getting' this one.

-- Matt Siegman 8) Wish List
Back to top
IP Logged
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team

Posts: 3,897
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Sanitizing Input in Yabb
Reply #2 - Mar 21st, 2010 at 6:13pm
Post Tools

I 'think' the vulnerability is limited to the 'address line' URL parameter pass. I don't think it applies to form input.

Secondarily, "I" interpret the McAfee results to mean that, at the moment, the file will accept a mangled URL that includes one (or more) of those characters and attempt to process it.  Meaning, I suppose, that by allowing those characters, a 'free' string can be injected (one that includes an 'execution' character. (the genuine input is cut off)   Shocked 

I suppose the correct thing to do is get a definition from McAfee.


Remember, they are pointing out a vulnerability NOT an exploit
« Last Edit: Mar 21st, 2010 at 6:17pm by JonB »  

I find your lack of faith disturbing.
Back to top
IP Logged
Page Index Toggle Pages: 1
Topic Tools
  « Board Index ‹ Board  ^Top