Security Fix from November 11, 2002 2.0 Important: Use this mod to remove a newly found vulnerability that could allow malicious users to execute any function in YaBB, including one that would modify their profile to become an Administrator! This mod makes sure that no variables from the URL query string go into the $FORM array of variables passed in from the actual form. It also adds a new "Find Forum Administrators" function to your Admin center. Please use this function to check that your site only has its valid administrators. Instructions: 1. Apply the mod. 2. Use the Find Forum Administrators function in your admin center to find any unwanted admins, and then delete them. Version History: v2. Took out the need for findadmins.pl and built the "Find Forum Admins" function into YaBB itself v1. Initial Release Thanks to all of us who worked so hard on fixing this flaw. The YaBB Team www.yabbforum.com Sources/Subs.pl if($ENV{QUERY_STRING} =~ m~;~) { @pairs = split(/;/, $ENV{QUERY_STRING}); } my $etest = ''; } my (@keylist) = sort($query->param()); if ($etest eq '') { $etest .= $name."=".$value; } else { $etest .= "&" .$name."=".$value; } } my (@keylist) = $query->param(); my $qtest = ''; $FORM{$key} = $value; } $FORM{$key} = $value; if ($qtest eq '') { $qtest .= $key."=".$value; } else { $qtest .= "&" .$key."=".$value; } } if (lc($qtest) eq lc($etest)) { foreach $key (@keylist) { undef $FORM{$key}; } } Sources/Admin.pl
- $txt{'fix1'}
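1;

# Action handler for action=findadmins (dispatched from YaBB.pl).
#
# Walks memberlist.txt, makes sure every member's profile is loaded into
# %userprofile, and appends to $yymain a table of all accounts whose
# profile field 7 is "Administrator", then renders the page via &template.
# The forum owner uses this list to spot accounts that should not hold
# the Administrator role.
#
# Relies on YaBB globals ($memberdir, $yymain, %txt, @memberlist,
# %userprofile, %yyUDLoaded) and helpers (fopen, fclose, LoadUser,
# template) defined elsewhere in YaBB.
#
# NOTE(review): the HTML inside the qq~ ~ strings was stripped when this
# listing was extracted; only the $txt{...} labels and the field
# references survived, and their placement below (caption/headings before
# the loop, one row per member inside it) is reconstructed from the
# extracted text. Take the actual table markup from the original mod file.
sub findadmins {
    # Table caption and column headings (markup lost in extraction).
    $yymain .= qq~
 $txt{'684'}
$txt{'35'} $txt{'69'} $txt{'44'}
~;

    fopen(FILE, "$memberdir/memberlist.txt");
    @memberlist = <FILE>;    # the extracted listing showed "= ;" - the <FILE> read was eaten as an HTML tag
    fclose(FILE);

    # A lexical index instead of $a, which is sort()'s package global and
    # must not be used as an ordinary loop variable.
    for my $i (0 .. $#memberlist) {
        chomp $memberlist[$i];
        my $member  = $memberlist[$i];
        my $datfile = "$memberdir/$member.dat";

        # Skip members without a profile file. A plain existence test
        # replaces the original fopen(FILE2, ...) probe, which was never
        # closed and so leaked one handle per member; the -e test was
        # already there.
        next unless -e $datfile;

        # Load the profile only if it is not already in memory ...
        &LoadUser($member) unless $yyUDLoaded{$member};

        # ... but check the role for every member. The original only
        # checked users it had just loaded, so an account that was already
        # in memory (typically the admin running this check) was never
        # listed.
        if ($userprofile{$member}->[7] eq "Administrator") {
            # One row per administrator: member name plus profile fields
            # 2 and 1 (row markup lost in extraction).
            $yymain .= qq~
$member$userprofile{$member}->[2]$userprofile{$member}->[1]
~;
        }
    }

    # Table footer (markup lost in extraction).
    $yymain .= qq~~;
    &template;
    exit;
}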
english.lng $txt{'796'} = "Your Instant Messages:"; $txt{'fix1'} = "Find Forum Administrators"; YaBB.pl elsif ($action eq 'usersrecentposts') { require "$sourcedir/Profile.pl"; &usersrecentposts; } elsif ($action eq 'findadmins') { require "$sourcedir/Admin.pl"; &findadmins; }