SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   WoltLab Burning Board (wBB)
Vendors:   Woltlab
WoltLab Burning Board Forum Input Validation Hole in board.php Lets Remote Users Inject SQL Commands to Gain Administrative Access
SecurityTracker Alert ID:  1005208
SecurityTracker URL:  http://securitytracker.com/id/1005208
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 10 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0 RC1 and prior versions
Description:   An input validation vulnerability was reported in WoltLab Burning Board forum software. A remote user can gain access to all user accounts on the forum, including the administrator account.

It is reported that user-supplied input ('$board') is not properly checked by board.php, allowing for SQL injection attacks.

A demonstration exploit URL query is provided:

board.php?boardid=[boardid]%27,%20userid=%27[victims userid, 1 is usually an admin]&sid=[attackers session-id]

Impact:   A remote user with an account on the system (including a guest account) can gain access to any other account, including the administrator account.
Solution:   The vendor has released a fixed version (2.0 RC 2), available at:

http://www.woltlab.de/

Vendor URL:  www.woltlab.de/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  sql injection vulnerability in WBB 2.0 RC1 and below


Hi,
I discovered a serious vulnerability in Woltlab Burning Board 2.0 RC 1
and below some weeks ago. The latest version (WBB 2.0 RC 2) seems not
vulnerable, but there are still sites using vulnerable versions.

[versions tested vulnerable]
WBB 2.0 RC 1
WBB 2.0 beta 5
WBB 2.0 beta 4
WBB 2.0 beta 3

[description]
It allows any user (even guests, may depend
on configuration) to compromise every other account (Administrator
ones too). It's caused by a variable containing unchecked user input
in board.php, which can be used for a SQL injection attack.

The query looks similar to the following:

UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri = '$HTTP_REQUEST_URI', boardid =
'$boardid', threadid = 'xx' WHERE hash = '$sid'

Because the content of $boardid is not checked, it's possible to
overwrite other fields in the table.

[proof of concept]
board.php?boardid=[boardid]%27,%20userid=%27[victims userid, 1 is
usually an admin]&sid=[attackers session-id]

The executed query now looks like that:

UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri =
threadid = 'xx' WHERE hash = '$sid'

As you can see, the userid of the attacker's session is overwritten
with the victim's.

[solution]
Update to the latest version (WBB 2.0 RC2) or check every variable
possibly containing user input.

p.e.

$boardid = mysql_escape_string($boardid);

[vendor status]
29.7.02 contacted Woltlab
12.8.02 release of WBB 2.0 RC 2 (seems not vulnerable)

I didn't get an answer from Woltlab until now.


lates, Cano2                          mailto:Cano2@buhaboard.de

--

BuHa-Security Board
www.buhaboard.de
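
Added example (not part of the advisory or the original post, and not WoltLab's code): a Python/SQLite model of the session update described in the message above, showing the concatenated query beside a version that validates boardid as an integer and binds every value. The table layout, the 'guest-sid' hash and the ids are constructed; SQLite stands in for MySQL, so LOW_PRIORITY is omitted.

```python
import sqlite3

def new_db():
    # Constructed stand-in for bb1_sessions; columns follow the quoted query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bb1_sessions (hash TEXT PRIMARY KEY, userid TEXT, "
               "boardid TEXT, threadid TEXT, lastactivity TEXT, request_uri TEXT)")
    db.execute("INSERT INTO bb1_sessions VALUES ('guest-sid', '0', '', '', '', '')")
    return db

def update_session_concat(db, boardid, sid):
    # Pattern from the report: request values pasted straight into the SQL text.
    db.execute("UPDATE bb1_sessions SET lastactivity = 'xxx', "
               "request_uri = '/board.php', boardid = '" + boardid +
               "', threadid = 'xx' WHERE hash = '" + sid + "'")

def update_session_bound(db, boardid, sid):
    # Hardened: boardid must be a plain integer, and every value is bound,
    # so request data never becomes SQL text.
    if not (boardid.isascii() and boardid.isdigit()):
        raise ValueError("boardid must be a non-negative integer")
    db.execute("UPDATE bb1_sessions SET lastactivity = ?, request_uri = ?, "
               "boardid = ?, threadid = ? WHERE hash = ?",
               ("xxx", "/board.php", int(boardid), "xx", sid))

def session_row(db, sid):
    return db.execute("SELECT userid, boardid FROM bb1_sessions WHERE hash = ?",
                      (sid,)).fetchone()

def demo():
    # URL-decoded shape of the boardid value in the report (ids constructed).
    crafted = "5', userid='1"
    db = new_db()
    update_session_concat(db, crafted, "guest-sid")
    concat_userid = session_row(db, "guest-sid")[0]   # userid column rewritten
    db = new_db()
    try:
        update_session_bound(db, crafted, "guest-sid")
        rejected = False
    except ValueError:
        rejected = True
    bound_userid = session_row(db, "guest-sid")[0]    # userid column untouched
    return concat_userid, rejected, bound_userid

if __name__ == "__main__":
    print(demo())
```

The integer check alone closes this particular hole, since a board id has no reason to contain a quote; binding the values as well keeps the statement safe if another field is later taken from the request.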

 
 



Copyright 2019, SecurityGlobal.net LLC