Woltlab Burning Board Missing Input Validation in 'userid' and 'lastvisit' Cookies Permits SQL Injection
SecurityTracker Alert ID: 1013351
SecurityTracker URL: http://securitytracker.com/id?1013351
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 2 2005
Impact: Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0.3, 2.1.5, 2.2.1, and 2.3.0
Description: Hendrik Richter reported a vulnerability in Woltlab Burning Board. A remote user can inject SQL commands and gain administrative privileges.
The '/acp/lib/session.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted 'userid' or 'lastvisit' cookie value to execute SQL commands on the underlying database.
The flaw resides in the getwbbuserdata() function.
A demonstration exploit value for the 'userid' cookie is provided:
%27
Credit: Hendrik Richter reported this vulnerability.
Impact: A remote user can execute SQL commands on the underlying database.
Solution: The vendor has released a fixed version (2.0.3pl1, 2.1.5pl1, 2.2.1pl1 and 2.3.0pl1), available at:
http://www.woltlab.info/products/burning_board_lite/index_en.php
Vendor URL: www.woltlab.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Hendrik Richter <info@naggel.com>
Message History:
None.
Source Message Contents
Date: Wed, 23 Feb 2005 17:15:53 +0100
From: Hendrik Richter <info@naggel.com>
Subject: Woltlab Burning Board allows users to become administrator
----------------------------------------------------------------------
Woltlab Burning Board allows users to become administrator
Impact: SQL injection, Disclosure of authentication information,
Disclosure of user information, Execution of arbitrary code via network,
Modification of user information, User access via network, etc.
Exploit Included: Yes
Version(s): wBB 2.0.3, 2.1.5, 2.2.1 and 2.3.0
Description: In /acp/lib/session.php, line 88 the value of
$_COOKIE[$cookieprefix.'userid'] is sent to the function
getwbbuserdata($id, [...]) located in /apc/inc/functions.php which
sends a query to the database:
function getwbbuserdata($id, [...]) {
    [...]
    $wbbuserdata = $db->query_first("SELECT u.* [...] FROM bb".$n."_users u
        [...] WHERE u.userid='$id'");
    [...]
    return $wbbuserdata;
}
$id is the unfiltered value of the cookie. Since Woltlab disables and
bypasses gpc_magic_quotes in file /global.php in lines 33-38, it is
possible to execute arbitrary SQL code via this query.
If the cookie's value is for example "X' OR userid = '1", the query's
WHERE-statement becomes "WHERE u.userid='X' OR userid = '1'", and the
function returns the account with the ID 1, usually the administrator's
one.
Another possible vulnerability is the likewise unvalidated cookie
'lastvisit'.
A demonstration exploit tag is provided: Set your 'userid' cookie to
"%27" (that is "'"; without the quotes) and look at the nice SQL error.
Solution: Get the latest update from vendor's page, that is wBB
2.0.3pl1, 2.1.5pl1, 2.2.1pl1 and 2.3.0pl1
Vendor URL: www.woltlab.de/
Cause: Input validation error, SQL injection
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Hendrik Richter" <info@naggel.com>
Message History: None.
----------------------------------------------------------------------
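The query pattern described in the alert and in the source message above, re-created as an added example (this is not Burning Board's code): a Python/sqlite3 stand-in for getwbbuserdata() that pastes the 'userid' cookie into the SQL string, beside a hardened version that rejects non-numeric ids and binds the value as a parameter. The table name, rows, and helper names are constructed for the demonstration; the three cookie values exercised are the ordinary id "2", the "X' OR userid = '1" value from the message, and the lone quote from the %27 test.

```python
import re
import sqlite3

# Constructed stand-in for the bb<n>_users table; not Burning Board's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE bb1_users (userid INTEGER PRIMARY KEY, "
               "username TEXT, usergroup TEXT)")
    db.executemany("INSERT INTO bb1_users VALUES (?, ?, ?)",
                   [(1, "admin", "Administrators"), (2, "alice", "Users")])
    return db

def getwbbuserdata_vulnerable(db, cookie_userid):
    # Same shape as the query quoted in the message: the raw cookie value is
    # placed between the quotes, so a value containing a quote can close the
    # string literal and append its own WHERE conditions.
    sql = "SELECT u.* FROM bb1_users u WHERE u.userid='" + cookie_userid + "'"
    return db.execute(sql).fetchone()   # like query_first(): first row or None

def getwbbuserdata_fixed(db, cookie_userid):
    # 1. A userid is a decimal integer; refuse anything else before touching
    #    the database. The message flags 'lastvisit' as unvalidated as well,
    #    and it needs the same treatment.
    if not isinstance(cookie_userid, str) or not re.fullmatch(r"[0-9]+", cookie_userid):
        return None
    # 2. Bind the value as a parameter so the driver never parses it as SQL,
    #    regardless of how magic_quotes is configured.
    return db.execute("SELECT u.* FROM bb1_users u WHERE u.userid=?",
                      (int(cookie_userid),)).fetchone()

def lookup(db, cookie_userid, hardened):
    """Run one variant and report which account it resolved to and whether it errored."""
    fn = getwbbuserdata_fixed if hardened else getwbbuserdata_vulnerable
    try:
        row = fn(db, cookie_userid)
    except sqlite3.Error as exc:
        # The vulnerable variant raises a database error for a bare quote,
        # which is the "nice SQL error" the message uses as its test.
        return {"username": None, "error": str(exc)}
    return {"username": row["username"] if row else None, "error": None}

if __name__ == "__main__":
    db = make_db()
    for value in ("2", "X' OR userid = '1", "'"):
        for hardened in (False, True):
            print(f"hardened={hardened!s:5} cookie={value!r:22} ->",
                  lookup(db, value, hardened))
```

In the vulnerable variant the second value resolves to the userid 1 account and the third produces a database error; the hardened variant returns the same row for a legitimate id and simply no row for the other two, with no error message to leak. Rejected cookie values are worth logging at that validation step, since a quote or SQL keyword in a 'userid' cookie is a clear tampering signal.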