Security Announcements - YaBB Development & Mods
Feed: https://yabbforumsoftware.com/cgi-bin/yabb2/YaBB.pl?board=security
Generated by YaBB 2.7.00 Revision: 2044, Wed, 8 May 2024 04:03:36 GMT

Error log
https://yabbforumsoftware.com/cgi-bin/yabb2/YaBB.pl?num=1410968247
Board: YaBB Development & Mods/security
Posted by Bill Myers (bill@myersproductions.com), Sun, 5 Oct 2014 21:38:11 GMT

Monni wrote on Oct 5th, 2014 at 8:57pm (https://yabbforumsoftware.com/cgi-bin/yabb2/YaBB.pl?num=1410968247/37#37):
> But without people like me, some projects just die slowly because there is no-one to push people to the limits.

I definitely agree with that because that is indeed what happens. I also feel the same as Red in liking that a register error can instead be a redirect to a forum's registration page, or better yet, to explain it, an informational non-error message that links to the registration form whenever an admin enables that option.

Ironically, a redirect would solve the problem of producing entries onto the error log, which helps to address the subject of this topic. ;-)

On a related note outside of our forum, I've employed redirects for spam-bots or hot linkers that have generated many thousands of dollars over the years, i.e., they bring our site fresh traffic, which is often targeted to our niche audience, and that's when the ratio of hits per sale becomes very beneficial.

Bash Bug
https://yabbforumsoftware.com/cgi-bin/yabb2/YaBB.pl?num=1411768217
Board: YaBB Development & Mods/security
Posted by Dandello (no-email@yabbforumsoftware.com), Sat, 27 Sep 2014 06:26:21 GMT

If YaBBForum is in Maintenance it's because JonB is running some tests to determine if there are any potential risks to YaBB from this exploit.

Guardian Vulnerability - all 2x versions
https://yabbforumsoftware.com/cgi-bin/yabb2/YaBB.pl?num=1403363083
Board: YaBB Development & Mods/security
Posted by Dandello (no-email@yabbforumsoftware.com), Sat, 21 Jun 2014 15:04:43 GMT

From YaBB Forum:

YaBBforum.com and the YaBB development team have been at work on revisions and improvements to site security and performance. During our analysis, we believe we have located a possible minor security vulnerability.

THIS ONLY AFFECTS THE GUARDIAN - so if you do not have it activated, it is not an issue. The other banning tools for users, IPs, and e-mails are not affected, as they do not use the .htaccess file in the YaBB root; they use YaBB data files.

The Vulnerability: It may be possible for third parties, by way of specially crafted URLs, to remove selected IPs from the .htaccess files maintained by YaBB's The Guardian if it is enabled in the Admin Center.

Affected Versions: YaBB 2.0 - 2.52

What may be affected: the .htaccess file that resides in the 'YaBB root' (wherever YaBB.pl is located on a server)

Security impact: traffic only. Previously Guardian-blocked IPs on YaBB files may be allowed to submit http: requests (a .htaccess blocked URL would normally get a 403 error). This DOES NOT affect how YaBB authenticates users.

Limitations: the attacker would need to know that the IP exists in the YaBB files "Deny from" section of the .htaccess file. Only submitted URLs with 'yabb' requests in the cgi-bin/yabb2/ folder and below are affected.

Mitigations: You could always manually move the "Deny from" IPs and URLs into the top section of the .htaccess file.

Method: Although the Guardian script has been refactored over time, this vulnerability has stayed in place. A 'remove' action is part of the options/actions that could be performed without Admin or GM use of the Admin Center. For the Guardian to work automatically, it works as if it were a user, by submitting a request to itself.
Note: The 'remove' action in Guardian is not called anywhere within YaBB itself that we can find. Therefore it can ONLY be called by a specially formed query string.

Code fix:
In Sources/Guardian.pl find: ***Go to Post to see Code***
And replace the entire line it's in with: ***Go to Post to see Code***

The actual line has changed over time and so has several variations, but looking for that bit of code will find the line with the vulnerability.

We do not know by whom or why this method was added, and there may be a completely logical explanation (including that whoever added it thought it was needed for the Guardian to work properly). We have tested out the revised code on yabbforum.com and it works correctly.

New Releases:
YaBB 2.6 now contains an improved version of the Guardian that does not contain this option AND should improve performance in boards with large numbers of Guardian-blocked IPs.

Many Thanks to all YaBB Supporters... ;-)