- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -

author:       methodic
release date: 06/21/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0003

+-------------------- -- -
+ product information
+----------------- -- -

software:    YaBB.cgi
vendor:      Yet Another Bulletin Board
homepage:    http://www.yabbforum.com
description: "YaBB is a leading FREE, downloadable Perl forum that allows you
             to provide a real-time chat and support system for your visitors."

+---------------------- -- -
+ vulnerability details
+------------------- -- -

problem:     Cross-Site Scripting
affected:    YaBB 1 Gold SP1 and earlier versions
explanation: When accessing a thread that doesn't exist, YaBB will give an
             error about the board not existing. Example:

             http://some.site.com/cgi-bin/YaBB/YaBB.cgi?board=BOARD&action=display&num=NULL

             This will trigger an error in the CGI script and output the
             following:

             This topic doesn't exist on this board. NULL : 96.

             The problem here should be fairly obvious. By crafting JavaScript
             code in place of NULL, a malicious user can trick someone into
             running the code of their choice, since YaBB doesn't filter user
             input/script output.
risk:        Due to the simplicity of the attack and the number of sites that
             run YaBB, the risk is classified as Medium to High.
status:      Vendor was notified 05/14/02.
exploit:     http://some.site.com/cgi-bin/YaBB/YaBB.cgi?board=BOARD&action=display&num=
fix:         Upgrade to a newer version of YaBB

+-------- -- -
+ credits
+----- -- -

Bug was found by methodic of AngryPacket security group.

+----------- -- -
+ disclaimer
+-------- -- -

The contents of this advisory are Copyright (c) 2002 AngryPacket Security, and
may be distributed freely provided that no fee is charged for distribution and
that proper credit is given.

As such, AngryPacket Security group, collectively or individually, shall not be
held liable or responsible for the misuse of any information contained herein.

- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
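The reflection the advisory describes, shown as an added illustration in Perl (YaBB's language) that is not YaBB's own code: the raw error string beside a version that validates `num` as a topic number and HTML-escapes whatever it echoes. The function names and the constructed input value are assumptions, not taken from YaBB.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that let text break out of an HTML body or attribute.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern (what the advisory describes): the raw 'num' value is
# interpolated into the error page, so markup in it reaches the browser as-is.
sub topic_error_unsafe {
    my ($num) = @_;
    return "This topic doesn't exist on this board. $num : 96.";
}

# Hardened pattern: a topic id must be a plain number, and even a valid value
# is escaped before being echoed, so the message can only ever contain text.
sub topic_error_safe {
    my ($num) = @_;
    return "Invalid topic identifier."
        unless defined $num && $num =~ /\A\d{1,10}\z/;
    return "This topic doesn't exist on this board. " . html_escape($num) . " : 96.";
}

# Constructed input standing in for the 'num' query parameter (hypothetical;
# harmless markup is enough to make the difference visible).
my $num = @ARGV ? $ARGV[0] : '<b>NULL</b>';

print "Content-Type: text/plain\r\n\r\n";
print "unsafe: ", topic_error_unsafe($num), "\n";   # markup passes through
print "safe:   ", topic_error_safe($num), "\n";     # rejected: not a number
print "safe:   ", topic_error_safe('96'), "\n";     # valid id, escaped echo
```

Run it with no arguments to see the default constructed input, or pass a value as the first argument to compare both paths against it.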