YaBB Community and Support Forum
Attachments security issue (Read 1,175 times)
 May 2nd, 2013 at 4:15pm

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 1,859
Earth


YaBB 2.5
Attachments security issue
This has been brought to our attention by John Lightsey. There is a reported vulnerability involving text file (*.txt) attachments where Perl code in the file can actually be run by the server rather than just looked at through a browser.

The current short-term recommendation is for those YaBB forums that allow attachments: go into Admin Center -> Advanced Settings -> Attachments and (1) make sure you have 'Enable File Extension check' turned ON and (2) remove the txt from the list of allowed extensions.

There are free file zipping programs out there, and zipped text files should not create this vulnerability.

If there's a web security guru out there who would like to look into this so we can properly fix this vulnerability, please let us know.

Edited:
The security hole takes advantage of an un-sanitized browser cookie that allows a hacker to tell YaBB to access an attachment and open it.
« Last Edit: May 4th, 2013 at 5:39pm by Dandello »  
 Reply #1 - May 2nd, 2013 at 4:33pm

Bill Myers 
God Member
Beta Testers
Posts: 1,482
Los Angeles


YaBB 2.4
Re: Attachments security issue
Good to know.
 
Morning, noon, or night, have a great one! ...
 Reply #2 - May 4th, 2013 at 4:45am

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 1,859
Earth


YaBB 2.5
Re: Attachments security issue
A fix that should work for 2.5AE and 2.5.2 can be downloaded from the SVN at: Load.pl

This should close the security hole by rejecting any guest language cookie that lists anything that isn't a valid language for that forum.
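The allowlist check the fix describes, written as an added example in Perl; this is not YaBB's Load.pl or Carsten's code. The Languages/ directory layout, the default language and the cookie name are assumptions.

```perl
#!/usr/bin/perl
# Added example (not YaBB's own code): accept a guest "language" cookie only
# if it names a language actually installed in the forum, so the value can
# never steer the script to an attachment or any other file. Directory
# layout, cookie name and default language are assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Build the allowlist from the Languages/ directory: only subdirectories
# whose names are plain identifiers (letters, digits, underscore, hyphen).
sub installed_languages {
    my ($langdir) = @_;
    opendir(my $dh, $langdir) or die "cannot open $langdir: $!";
    my %langs;
    for my $entry (readdir $dh) {
        next unless $entry =~ /\A[A-Za-z0-9_-]+\z/;   # rejects '.', '..', '/', NUL
        next unless -d "$langdir/$entry";
        $langs{$entry} = 1;
    }
    closedir $dh;
    return \%langs;
}

# Return the cookie value only if it exactly matches an installed language;
# otherwise fall back to the forum default. Traversal sequences, path
# separators, NUL bytes and attachment names all fail the exact-match test.
sub language_from_cookie {
    my ($cookie_value, $allowed, $default) = @_;
    return $default unless defined $cookie_value;
    return $default unless $cookie_value =~ /\A[A-Za-z0-9_-]+\z/;
    return $allowed->{$cookie_value} ? $cookie_value : $default;
}

# Constructed demo: a throwaway Languages/ directory with two languages.
my $langdir = tempdir(CLEANUP => 1);
mkdir "$langdir/$_" or die "mkdir: $!" for qw(English German);
my $allowed = installed_languages($langdir);

for my $cookie ('German', 'French', '../../Attachments/1_evil.txt', undef) {
    my $lang = language_from_cookie($cookie, $allowed, 'English');
    printf "%-32s -> %s\n", defined $cookie ? $cookie : '(no cookie)', $lang;
}
```

Only 'German' is accepted; the unknown language, the traversal string and the missing cookie all resolve to the default, so the language file path is built from allowlisted names alone.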
 Reply #3 - May 4th, 2013 at 3:28pm

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 1,859
Earth


YaBB 2.5
Re: Attachments security issue
And Carsten has posted an elegant bit of code that deals with this problem: http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256
 Reply #4 - May 5th, 2013 at 11:09pm

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 1,859
Earth


YaBB 2.5
Re: Attachments security issue
This issue has been assigned CVE-2013-2057 in the 'Common Vulnerabilities and Exposures' database.