Dandello
Forum Administrator
Guardian Vulnerability - all 2x versions
Jun 21st, 2014 at 3:04pm
From YaBB Forum:

YaBBforum.com and the YaBB development team have been at work on revisions and improvements to site security and performance.  During our analysis, we believe we have located a possible minor security vulnerability.   

THIS ONLY AFFECTS THE GUARDIAN - so if you do not have it activated, it is not an issue.  The other banning tools for users, IPs, e-mails are not affected as they do not use the .htaccess file in the YaBB root; they use YaBB data files.

The Vulnerability: It may be possible for third parties, by way of specially crafted URLs, to remove selected IPs from the .htaccess files maintained by YaBB's The Guardian if it is enabled in the Admin Center.

Affected Versions: YaBB 2.0 - 2.52

What may be affected: - the .htaccess file that resides in the 'YaBB root' (wherever YaBB.pl is located on a server)

Security impact: - traffic only. IPs previously blocked by the Guardian on YaBB files may be allowed to submit http requests (a .htaccess blocked URL would normally get a 403 error).  This DOES NOT affect how YaBB authenticates users.

Limitations: - the attacker would need to know that the IP exists in the Yabb files Deny from.. section of the .htaccess file. Only submitted URLs with 'yabb' requests in the cgi-bin/yabb2/ folder and below are affected.

Mitigations: - You could always manually move the Deny From IPs & URLs into the top section of the .htaccess file.

Method: - Although the Guardian script has been refactored over time, this vulnerability has stayed in place. A 'remove' action is part of the options/actions that could be performed without Admin or GM use of the Admin Center.  For the Guardian to work automatically, it works as if it were a user - by submitting a request to itself.
Note: The 'remove' action in Guardian is not called anywhere within YaBB itself that we can find. Therefore it can ONLY be called by a specially formed query string.

Code fix:
In Sources/Guardian.pl find:
Code (Perl):
    $action eq "remove"

And replace the entire line it's in with:
Code (Perl):
    if ( $use_htaccess && $action eq 'add' ) {

The actual line has changed over time and so has several variations, but looking for that bit of code will find the line with the vulnerability.

We do not know by whom or why this method was added, and there may be a completely logical explanation (including that whoever added it thought it was needed for the Guardian to work properly).  We have tested out the revised code on yabbforum.com and it works correctly.

New Releases:
YaBB 2.6 now contains an improved version of the Guardian that does not contain this option AND should improve performance in boards with large numbers of Guardian blocked IPs.

Many Thanks to all YaBB Supporters...

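As an added illustration (not code from YaBB, the YaBB team or the post's author), the script below models the Guardian dispatch the advisory describes, before and after the one-line fix, and applies a crafted 'remove' request to a constructed .htaccess fragment so the effect on the Deny list is visible. The sub names, the 'ip' parameter and the sample .htaccess text are assumptions made for this example; $action stands for the value YaBB takes from the query string's action parameter.

```perl
#!/usr/bin/perl
# Added illustration, not code from YaBB or the YaBB team. It models the
# Guardian dispatch the advisory describes, before and after the one-line
# fix, and applies a crafted 'remove' request to a constructed .htaccess
# fragment so the impact on the Deny list is visible. The sub names, the
# 'ip' parameter and the sample .htaccess text are assumptions for this
# example; $action stands for YaBB's query-string 'action' value.
use strict;
use warnings;

# Constructed .htaccess fragment in the shape the advisory describes:
# a manually maintained top section followed by Guardian-maintained
# "Deny from" lines (the part a 'remove' action would rewrite).
my $htaccess = <<'HT';
# manual section
Order Allow,Deny
Allow from all
Deny from 192.0.2.10
# Guardian-maintained section
Deny from 198.51.100.7
Deny from 203.0.113.42
HT

# Split "action=remove;ip=203.0.113.42" into a hash. YaBB URLs separate
# parameters with ';' (and '&' also works), so both are accepted here.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair ( grep { length } split /[;&]/, $qs ) {
        my ( $k, $v ) = split /=/, $pair, 2;
        $p{$k} = defined $v ? $v : '';
    }
    return \%p;
}

# Return the "Deny from" addresses currently present, in file order.
sub denied_ips {
    my ($text) = @_;
    return map { /^Deny from (\S+)\s*$/ ? ($1) : () } split /\n/, $text;
}

# Drop the "Deny from <ip>" line for one address; returns the new text.
sub remove_deny {
    my ( $text, $ip ) = @_;
    my $q = quotemeta $ip;
    my @kept = grep { !/^Deny from $q\s*$/ } split /\n/, $text;
    return join( "\n", @kept ) . "\n";
}

# Append a "Deny from <ip>" line unless it is already present.
sub add_deny {
    my ( $text, $ip ) = @_;
    return $text if grep { $_ eq $ip } denied_ips($text);
    return $text . "Deny from $ip\n";
}

# Before the fix: with the Guardian enabled, 'remove' is honoured for any
# request that names it; no Admin Center session is involved.
sub dispatch_vulnerable {
    my ( $use_htaccess, $text, $params ) = @_;
    my $action = $params->{action} // '';
    my $ip     = $params->{ip}     // '';
    return $text unless $use_htaccess && length $ip;
    return remove_deny( $text, $ip ) if $action eq 'remove';
    return add_deny( $text, $ip )    if $action eq 'add';
    return $text;
}

# After the fix from the advisory: only the self-submitted 'add' is
# recognised, so a crafted 'remove' falls through and changes nothing.
sub dispatch_fixed {
    my ( $use_htaccess, $text, $params ) = @_;
    my $action = $params->{action} // '';
    my $ip     = $params->{ip}     // '';
    if ( $use_htaccess && $action eq 'add' && length $ip ) {
        return add_deny( $text, $ip );
    }
    return $text;
}

# Demonstration: a crafted query string aimed at an address in the Deny list.
my $crafted = parse_query('action=remove;ip=203.0.113.42');
for my $case ( [ 'vulnerable', \&dispatch_vulnerable ],
               [ 'fixed',      \&dispatch_fixed ] ) {
    my ( $label, $dispatch ) = @$case;
    my $result = $dispatch->( 1, $htaccess, $crafted );
    my @left   = denied_ips($result);
    my $still  = grep { $_ eq '203.0.113.42' } @left;
    printf "%-10s Deny lines left: %d, 203.0.113.42 still denied: %s\n",
        $label, scalar(@left), $still ? 'yes' : 'no';
}
```

Run it with a stock perl; the vulnerable dispatch drops the targeted Deny line while the fixed one leaves the file untouched. The model follows the advisory's mitigation logic too: a Deny line kept in the manual top section is never the one the Guardian rewrites, which is why moving entries there takes them out of reach of the 'remove' path.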