Title: YaBB Arbitrary File Read Vulnerability
Severity: HIGH
Description:
YaBB.pl, a web-based bulletin board script, stores board postings in numbered text files. The numbered file name is specified in the call to YaBB.pl in the variable num=<file>. Before retrieving the file, YaBB will append a .txt extension to <file>.
Due to input validation problems in YaBB, relative paths can be specified in <file>. This includes ../ style paths.
Additionally, <file> does not need to be numerical, and the .txt extension can be avoided by appending %00 to <file>.
By exploiting these problems in a single request, a malicious user can view any file that the webserver has access to.
Affected Products:
- YaBB YaBB 9.1.2000
References:
- YaBB: YaBB Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
