Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   WoltLab Burning Board (wBB) Vendors:   Woltlab
WoltLab Burning Board Forum Lets Remote Users Hijack Newly Assigned User Accounts
SecurityTracker Alert ID:  1004390
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 28 2002
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 1.1.1
Description:   An authentication vulnerability was reported in the WoltLab Burning Board web forum software. A remote user may be able to hijack a newly registered user account.

It is reported that WoltLab Burning Board (wBB) uses predictable or guessable temporary passwords when it creates a new user account. If another user has requested a new account but has not yet activated the registration, the user's account may be hijacked.

To determine how many users exist on the forum, a remote user can register for a new account. The remote user will receive a confirmation e-mail that contains the following type of URL to activate the account:


In the above example, it is shown that any subsequent user will be assigned userid of 346 or higher. So, a remote user can attempt to guess the 'code' for any subsequent user. According to the report, the wBB software uses the date to seed a function that will generate only a limited number of codes (possibly 30 integer words). So, a remote user can feasibly conduct a brute force guessing attack to guess the proper code for a newly assigned user account.

A demonstration exploit that will apparently generate all of the possible codes is provided:

for($i=0; $i<60; $i++)
echo mt_rand()."<BR>";

Impact:   A remote user may be able to guess the password of a newly requested user account before the user account registration has been activated.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  wbbboard 1.1.1 registration _new_users_vulnerability_

wbbboard 1.1.1 registration _new_users_vulnerability_
wbbboard  : i cant find any contact info in credits :(
            i send a message to and
            (support forums), they didnt reply for 3
            days (i think enough)

Affected program         : wbbboard 1.1.1
Vendor                   :
Vulnerability-Class      : security bug
OS specific              : No
Remote                   : Yes
Problem-Skill            : High for users waiting for registration activatin
                           None for activated users


wbboard is php & mysql based forum.

Here some code(register.php)
$datum = date("s");
$z = mt_rand();
$db_zugriff->query("INSERT INTO bb".$n."_user_table
after that script mail to user@mail.dom with url for activation
here some code from action.php
if($action=="activation") {
        $result = activat($userid,$code);
        if($result == 1) eval ("\$output = \"".gettemplate("error1")."\";");
        if($result == 2) eval ("\$output = \"".gettemplate("error22")."\";");
        if($result == 3) eval ("\$output = \"".gettemplate("error23")."\";");
        if(!$result) {
                $user_id = $userid;
                eval ("\$output = \"".gettemplate("note21")."\";");
                $user_password = getUserPW($userid);
                setcookie("user_id", "$user_id", time()+(3600*24*365));
                setcookie("user_password", "$user_password", time()+(3600*24*365));
        $ride = "main.php?styleid=$styleid$session";


You can steal NEW user account with his passwords.


Register in forum you will recieve a message like this:
To continue registration
Now You Know how many users on forum and can hijak users with
 userid=346(for example)
| $datum = date("s");|
| mt_srand($datum);  |  this code result only 30 original integer words :)
| $z = mt_rand();    |  i think it is not so hard to bruteforce

You can get all variations with this script
for($i=0; $i<60; $i++)
echo mt_rand()."<BR>";
     ^^^^^^^^^ here you are :)

   use simple rand() or realy unpredictable md5(uniqid(rand(),1))


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC