Page Index Toggle Pages: 1 ReplyAdd Poll Send Topic
Normal Topic Guardian Vulnerability - all 2x versions (Read 1741 times)
Paste Member Name in Quick Reply Box Dandello
Forum Administrator
YaBB Modder

I love YaBB 2.7!

Posts: 2166
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Mood: Annoyed
Zodiac sign: Virgo
Guardian Vulnerability - all 2x versions
Jun 21st, 2014 at 3:04pm
Mark & QuoteQuote  
From YaBB Forum: and the YaBB development team have been at work on revisions and improvements to site security and performance.  During our analysis, we believe we have located a possible minor security vulnerability. 

THIS ONLY AFFECTS THE GUARDIAN - so if you do not have it activated, it is not an issue.  The other banning tools for users, IP's, e-mails are not affected as they do not use the .htaccess file in the YaBB root; they use YaBB data files.

The Vulnerability: It may be possible for third parties, by way of specially crafted URLs, to remove selected IPs from the .htaccess files maintained by YaBB's The Guardian if it is enabled in the Admin Center.

Affected Versions: YaBB 2.0 - 2.52

What may be affected: - the .htaccess file that resides in the 'YaBB root' (wherever is located on a server)

Security impact: - traffic only. Previously Guardian blocked IP's on YaBB files may be allowed to submit http: requests (a .htaccess blocked URL would normally get a 403 error).  This DOES NOT affect how YaBB authenticates users.

Limitations: - the attacker would need to know that the IP exists in the Yabb files Deny from.. section of the .htaccess file. Only submitted URL's with 'yabb' requests in the cgi-bin/yabb2/ folder and below are affected.

Mitigations; - You could always manually move the Deny From IP's & URLS into the top section of the .htaccess file.

Method: - Although the Guardian script has been refactored over time, this vulnerability has stayed in place. A 'remove' action is part of the options/actions that could be performed without Admin or GM use of the Admin Center.  For the Guardian to work automatically, it works as it it were a user - by submitting a request to itself.
Note: The 'remove' action in Guardian is not called anywhere within YaBB itself that we can find. Therefore it can ONLY be called by a specially formed query string.

Code fix:
In Sources/ find:   
Code (Perl)
Select All
$action eq "remove" 

And replace the entire line it's in with:   
Code (Perl)
Select All
if ( $use_htaccess && $action eq 'add' ) { 

The actual line has changed over time and so has several variations, but looking for that bit of code will find the line with the vulnerability.

We do not know by whom or why this method was added, and there may be a completely logical explanation (including that whomever added it thought it was needed for the Guardian to work properly).  We have tested out the revised code on and it works correctly.

New Releases:
YaBB 2.6 now contains an improved version of the Guardian that does not contain this option AND should improve performance in board with large numbers of Guardian blocked IPs.

Many Thanks to all YaBB Supporters...


Perfection is not possible. Excellence, however, is excellent.
Back to top
IP Logged
Page Index Toggle Pages: 1
ReplyAdd Poll Send Topic
Bookmarks: Digg Facebook Google LinkedIn reddit Twitter Yahoo
Guardian Vulnerability - all 2x versions

Please type the characters exactly as they appear in the image,
without the first 2 and last 2 characters.
The characters must be typed in the same order,
and they are case-sensitive.
Open Preview Preview

You can resize the textbox by dragging the right or bottom border.
Off Topic Comment Insert Spoiler
Insert Hyperlink Insert FTP Link Insert Image Insert E-mail Insert Media Insert Table Insert Table Row Insert Table Column Insert Horizontal Rule Insert Teletype Insert Code Insert Quote Edited Superscript Subscript Insert List /me - my name Insert Marquee Insert Timestamp No Parse
Bold Italicized Underline Insert Strikethrough Highlight
Change Text Color
Insert Preformatted Text Left Align Centered Right Align

Max 5000 characters. Remaining characters:
Text size: %
More Smilies
View All Smilies
Collapse additional features Collapse/Expand additional features Smiley Wink Cheesy Grin Angry Sad Shocked Cool Huh Roll Eyes Tongue Embarrassed Lips Sealed Undecided Kiss Cry