About This Entry

This page contains a single entry posted on 19 June 2007 06:49 AM.

The PREVIOUS post in this blog is titled > Father's Day 2007 | Not So Happy, Could Be Worse.

The NEXT post in this blog is titled > First Day of Summer; Rad-mobile Passes CA Smog Check.

MORE entries can be found on the main index page or by looking through the archives.


Technorati search

» Blogs that link here

November 2011

Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30      


Rad Linkage

Powered by
Movable Type 3.35
This weblog is licensed under a Creative Commons License.
Creative Commons License

« Father's Day 2007 | Not So Happy, Could Be Worse | Main | First Day of Summer; Rad-mobile Passes CA Smog Check »

YaBB Forum Security Vulnerability Patched

A security vulnerability was reported for the forum software (YaBB v2.1), as posted at iDefense Labs...

... which allows attackers to register with Administrator privileges by "setting the values of certain variables to contain certain characters." (Nice of them not to spell-out how to implement the hack.)

Attackers can then wreck all manner of ugliness.

I discovered the vulnerability last night, but couldn't implement the fix, cuz other mods I've installed had modified the original source code of the files I needed to patch (register.pl + profile.pl).

The patch searched for (some of) the flawed code, but couldn't find it, cuz it had been modified by another mod. Actually, the first 8 steps proceeded fine. Only the 9th and final step errored. But unless the entire fix can be implemented, the patch refuses to install.

At 11PM last night, I was tired and not thinking clearly, so I disabled the registration feature (to help mitagate the vulnerability) and went to bed.

••••• today's entry continues below •••••

Early this morning, I modified the (two) source files by hand (which suks), and implemented the patch. Then I re-enabled & tested the registration feature, which appears to be working fine.

Normally, "mods" to the forum (which add cool features) are done with a nifty program called BoardMod, which uses a *.mod file (written by someone with coding skills) to search for for snippets of code, which it then replaces (with new code), or adds new code in specific places .. all with a single click.

All that remains is for you to upload the modified file(s) to your server. Pretty cool.

Problem is .. the more mods you add (and we've added a handful), the less like your source code looks like the original files. So when BoardMod searches for original snippets of code, it can't find them.

Anyway, the forum has been patched, registration re-enabled, and civilization as we know it returned from the brink of disaster.


TrackBack URL for this entry:

Post a comment