In association with heise online

14 June 2007, 10:19

Security vulnerability in YaBB forum software

Security services provider iDefense has reported a vulnerability in the Yet another Bulletin Board (YaBB) forum software. The scripts for registering a user and changing a user's profile fail to check some user-provided entries correctly. As a result, an attacker can gain administrator access to YaBB forums without a valid login and, for example, modify templates, through which commands can then be issued that are executed with the web server's privileges.

The developers have not yet released a new version of the software, but have developed a patch. They recommend incorporating the patch into the YaBB source code using the BoardMod application and then overwriting the affected register.pl and profile.pl files on the server. Experienced users can also incorporate the patch by hand. Administrators should install the patch as soon as possible to avoid the risk of their forum being defaced or the web server being compromised.

(mba)

Permalink: http://h-online.com/-733061