Page Index Toggle Pages: 1
Topic Tools
Sticky Topic Attachments security issue (Read 1,994 times)
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 2,388
Location: Earth

YaBB 2.6.1
Attachments security issue
May 2nd, 2013 at 4:15pm
Post Tools
This has been brought to our attention by John Lightsey. There is a reported vulnerability involving text file (*.txt) attachments where Perl code in the file can actually be run by the server rather than just looked at through a browser.

The current short-term recommendation is for those YaBB forums that allow attachments - go into Admin Center -> Advanced Settings -> Attachments  and 1, make sure you have 'Enable File Extension check' turned ON and 2, remove the txt from the list of allowed extensions.

There are free file zipping programs out there and zipped text files should not create this vulnerability.)

If there's a web security guru out there who would like to look into this so we can properly fix this vulnerability, please let us know.

Edited:
The security hole takes advantage of an un-sanitized browser cookie that allows a hacker to tell YaBB to access an attachment and open it.
« Last Edit: May 4th, 2013 at 5:39pm by Dandello »  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
Bill Myers
God Member
Beta Testers
*****
Offline



Posts: 1,684
Location: Los Angeles

YaBB 2.5
Re: Attachments security issue
Reply #1 - May 2nd, 2013 at 4:33pm
Post Tools
Good to know. Smiley
  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
Back to top
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 2,388
Location: Earth

YaBB 2.6.1
Re: Attachments security issue
Reply #2 - May 4th, 2013 at 4:45am
Post Tools
A fix that should work for 2.5AE and 2.5.2 can be downloaded from the SVN at : Load.pl

This should close the security hole by rejecting any guest language cookies that lists anything that isn't a valid language for that forum.
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 2,388
Location: Earth

YaBB 2.6.1
Re: Attachments security issue
Reply #3 - May 4th, 2013 at 3:28pm
Post Tools
And Carsten has posted an elegant bit of code that deals with this problem:http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 2,388
Location: Earth

YaBB 2.6.1
Re: Attachments security issue
Reply #4 - May 5th, 2013 at 11:09pm
Post Tools
This issue has been assigned CVE-2013-2057 in the 'Common Vulnerabilities and Exposures' database.
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
Page Index Toggle Pages: 1
Topic Tools
 
  « Board Index ‹ Board  ^Top