SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   WoltLab Burning Board (wBB) Vendors:   Woltlab
WoltLab Burning Board Input Validation Hole in verify_email() Permits SQL Injection
SecurityTracker Alert ID:  1013978
SecurityTracker URL:  http://securitytracker.com/id/1013978
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 17 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.3.1 and prior versions
Description:   An input validation vulnerability was reported in WoltLab Burning Board in the verify_email() function. A remote user can inject SQL commands.

The verify_email() function does not properly validate user-supplied input in e-mail addresses. A remote user can supply specially crafted 'email' parameter value to execute SQL commands on the underlying database.

A demonstration exploit value is provided:

sre464hfrgt6@4g546ufgfrh5.org' OR (userid=1 AND MID(password,1,1)='a')/*

James Bercegay of the GulfTech Security Research Team discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has issued a fixed version.
Vendor URL:  www.woltlab.de/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Woltlab Burning Board SQL Injection Vulnerability


##########################################################
# GulfTech Security Research            May 16th, 2005
##########################################################
# Vendor  : Woltlab GmbH
# URL     : http://www.woltlab.de/
# Version : Burning Board 2.* And Earlier
# Risk    : SQL Injection Vulnerabilities
##########################################################



Description:
Burning Board is a popular, multi purpose forum / community software
offered by WoltLab GmbH. There is an SQL Injection vulnerability in
Burning Board 2.* and earlier that allows for an attacker to influence
SQL Queries and possibly query arbitrary data from the database, such
as admin password hashes. The developers are said to have made a patch
available as of late last week, and all users should upgrade their
Burning Board installations as soon as possible.



SQL Injection Vulnerability:
Burning Board is prone to SQL Injection attacks that may allow for an
attacker to query arbitrary database information, including admin
password hashes. The vulnerability lies in the verify_email() function

function verify_email($email) {
 global $db, $n, $multipleemailuse, $ban_email;

 $email=strtolower($email);
 if(!preg_match("/^([_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*
 (\.[a-zA-Z]{2,}))/si",$email)) return false;
 $ban_email=explode("\n",preg_replace("/\s*\n\s*/","\n",strtolower(trim($ban_email))));
 for($i = 0; $i < count($ban_email); $i++) {
  $ban_email[$i]=trim($ban_email[$i]);
  if(!$ban_email[$i]) continue;
  if(strstr($ban_email[$i], "*")) {
   $ban_email[$i] = str_replace("*",".*",$ban_email[$i]);
   if(preg_match("/$ban_email[$i]/i",$email)) return false;
  }
  elseif($email==$ban_email[$i]) return false;
 }
 if($multipleemailuse==1) return true;
 else {
  $result = $db->query_first("SELECT COUNT(*) FROM bb".$n."_users WHERE 
email = '".$email."'");
  if($result[0]!=0) return false;
  else return true;
 }
}

As we can see from the code above, $email is never really sanitized. Sure,
it has to match the regular expression above, but we can always do something
like pass it an email address like this

sre464hfrgt6@4g546ufgfrh5.org' OR (userid=1 AND MID(password,1,1)='a')/*

Which would return an error message about the email already being in use or
invalid if the first character of the password hash is 'a'. In order to keep
from registering multiple accounts while trying to exploit this 
vulnerability
an attacker simply would need to specify a username that is already in use.
Also, it should be noted that it does not matter that $email is encapsulated
in single quotes due to this bit of code in global.php

// remove slashes in get post cookie data...
if (get_magic_quotes_gpc()) {
  if(is_array($_REQUEST)) $_REQUEST=stripslashes_array($_REQUEST);
  if(is_array($_POST)) $_POST=stripslashes_array($_POST);
  if(is_array($_GET)) $_GET=stripslashes_array($_GET);
  if(is_array($_COOKIE)) $_COOKIE=stripslashes_array($_COOKIE);
}

This is not a very hard issue to exploit, and a user does not need to be
authenticated to exploit it. Also, disabling user registrations is not a
safe work around by itself as this issue also exists when a user edit's
or update's their profile (in the email field). Exploit code for this
issue exists, and has been released to the developers, but we will not be
making it available to the public at this time.



Solution:
The developers are said to have made a patch available as of late last
week, and all users should upgrade their Burning Board installations as
soon as possible.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00075-05162005



Credits:
James Bercegay of the GulfTech Security Research Team

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC