SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Forum/Board/Portal)  >   Open Bulletin Board (OpenBB) Vendors:   Iansoft Enterprises
OpenBB Input Validation Holes Let Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009935
SecurityTracker URL:  http://securitytracker.com/id/1009935
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Apr 26 2004
Original Entry Date:  Apr 25 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.0.6 and prior versions
Description:   Several vulnerabilities were reported in OpenBB. A remote authenticated user can inject SQL commands and can also view arbitrary private messages. A remote user can conduct cross-site scripting attacks.

JeiAr of the GulfTech Security Research Team reported that the software does not properly validate user-supplied input in several scripts.

It is reported that the 'post.php' file does not properly validate user-supplied input in the $FID variable. A remote authenticated user can reportedly create a specially crafted URL to execute arbitrary SQL queries on the underlying database. Other files are also affected, the report said.

Some demonstration exploit URLs are provided:

/board.php?FID=1[SQL]
/member.php?action=list&page=1&sortorder=[SQL]
/member.php?action=list&page=1&sortorder=username&perpage=[SQL]
/member.php?action=passwdsend&resetid=blah&id=2[SQL]
/search.php?&sortby=dateline&sort=DESC&q=open&forums%5B[SQL]%5D
/post.php?action=edit&page=1&PID=1[SQL]
/post.php?action=post&FID=1[SQL]

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the OpenBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

/member.php?action=login&redirect=[XSS]
/myhome.php?action=newmsg&to=blah[XSS]
/post.php?action=mail&TID=1[XSS]
/index.php?redirect=[XSS]

In addition to scripting commands, a remote user can send HTML that includes and loads certain specially crafted URLs (via an IMG tag, for example) that will execute application commands on the OpenBB application when the target user loads the HTML. Some demonstration exploit URLs are provided:

/cp_forums.php?do=remove&id=1
/cp_usergroup.php?do=remove&UGID=1
/cp_ipbans.php?action=do_delip&ipid=1
/myhome.php?action=delmsg&box=inbox&id=all
/post.php?action=edit&PID=1&send=1&delete=yes
/moderator.php?action=announce&TID=1
/post.php?action=edit&PID=1&send=1&delete=yesI=blah.jpg

The report credits Manuel Lopez with reporting flaws in the avatar and private message features. A remote authenticated user can read arbitrary private messages by supplying a URL that specifies the appropriate message ID. A demonstration exploit URL is provided (where 'INT' is an integer value'):

http://forum/myhome.php?action=readmsg&id=INT&box=inbox

A remote authenticated user can upload arbitrary files in the place of avatar files. The report indicated that these files can contain client-side scripting code and be accessed at the following type of URL:

http://forum/avatars/[usernamehere]avatar_type

The original advisory is available at:

http://www.gulftech.org/04242004.php

Impact:   A remote authenticated user can inject SQL commands to be executed by the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the OpenBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated user can view arbitrary private messages.

Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix.
Vendor URL:  www.openbb.com/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://www.gulftech.org/04242004.php


http://www.gulftech.org/04242004.php

   Multiple Vulnerabilities In OpenBB
	
April 24, 2004


Vendor 	: OpenBB Group
URL 	: http://www.openbb.com
Version 	: Open Bulletin Board 1.0.6 && Earlier
Risk 	: Multiple Vulnerabilities


Description:
OpenBB is a fast, lightweight, powerful bulletin board written in PHP/MySQL. Main features 
include: full customization via styles templates, instant messaging, private messaging, 
categories, member ranks, poll based threads, moderation, BB codes, thread notifications, 
Avatars, member lists, private forums and more.


Cross Site Scripting:
OpenBB is prone to Cross Site Scripting in multiple files. This may allow an attacker to 
run code in the context of a users browser, or used to harvest sensitive information from 
a user such as cookie information. Below are some examples of the XSS issues in OpenBB.

/member.php?action=login&redirect=[XSS]
/myhome.php?action=newmsg&to=blah[XSS]
/post.php?action=mail&TID=1[XSS]
/index.php?redirect=[XSS]


SQL Injection:
It may be possible for an attacker to execute arbitrary SQL queries due to user supplied 
input not being properly sanitized. Lets have a look at some code from one of the affected 
files .. post.php

// Check to make sure they are not posting to a category
$query_type = new query($SQL, "SELECT type FROM ".$prefix."forum_display
WHERE forumid = $FID");
$query_type->getrow();
$ftype = $query_type->field('type');

As we can see from this code, the $FID variable seems to get passed directly to the query 
without being validated, thus allowing for an attacker to execute malicious queries. This 
is not the only vulnerable file though. Below are a list of similarly vulnerable files.

/board.php?FID=1[SQL]
/member.php?action=list&page=1&sortorder=[SQL]
/member.php?action=list&page=1&sortorder=username&perpage=[SQL]
/member.php?action=passwdsend&resetid=blah&id=2[SQL]
/search.php?&sortby=dateline&sort=DESC&q=open&forums%5B[SQL]%5D
/post.php?action=edit&page=1&PID=1[SQL]
/post.php?action=post&FID=1[SQL]

These files are prone to similar attacks because they allow input that has not been 
validated to be executed in the query. This can be used for example to pull users password 
hashes.


Arbitrary Command Execution:
This is really in my opinion at least, a very fundamental flaw. As stated in the HTTP/1.1 
RFC (RFC 2616 Section 9.1.1 "Safe Methods") no GET request should be used to make any 
significant actions. This however would not be such a big deal if there was some sort of 
auth key or session id in place to verify the validity of actions, but there isn't. In 
short all an attacker has to do is send an admin a pm, or make a malicious post with the 
desired command and the action will silently execute. For example below are some example 
administrative actions that an attacker could include in an image tag or malicious link.

/cp_forums.php?do=remove&id=1
/cp_usergroup.php?do=remove&UGID=1
/cp_ipbans.php?action=do_delip&ipid=1

This kind of attack can also be used to run user and moderator commands as seen below. 
These are only examples, not all the possibilities.

/myhome.php?action=delmsg&box=inbox&id=all
/post.php?action=edit&PID=1&send=1&delete=yes
/moderator.php?action=announce&TID=1

OpenBB actually tries to prevent these kind of attacks by filtering out certain input as 
seen in /lib/codeparse.php but this does not work. Lets have a look at the code.

case 'img':
if(!preg_match('#^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$#', $inside) )
$return = '[ invalid image ]';
else
$return = '<img src="' .str_replace('"', '', $inside). '" alt="User-Posted
Image (tm)" border="0" />';
break;

All an attacker has to do in order to have the command executed successfully is make sure 
the url within the image tag ends with an allowed extension. This is not very safe at all 
because we can make up a variable, add a good extension and the code is still ran. For example

/post.php?action=edit&PID=1&send=1&delete=yesI=blah.jpg

As we can see from the above examples, this issue can be used by a malicious person to all 
but completely sabotage a site running OpenBB. In the past I have seen phpBB for example 
deal with the same issue of using unsafe GET requests by limiting the bbcode to only allow 
images with a valid extension. However this is a bad idea because it does not solve the 
problem at all, and to this day all phpBB versions are vulnerable to having arbitrary 
posts deleted and more just by visiting a malicious web page or link. It is a serious 
issue and should be treated as such. It greatly impacts the security of a web application. 
Even using the POST method without an auth key or the like is a bad idea in my opinion.


Other Issues:
These other issues I am about to describe have been discovered by a guy named Manuel Lopez 
mantra@gulo.org and asked me to include them in this OpenBB write up.

/* Snip */

Hi JeiAr, I am Manuel.

I have just read your post in OpenBB.
At March 24 2004 I alert Stu about some vulnerabilities that I have found on
March 20 2004, Stu

tell me .. "A verson 1.0.7 will be released ASAP".
I was having in mind publishing an advisory as soon as Stu released the new
version.

/* Snip */

The issues are in the avatar feature and pm feature. From what I understand a user can 
read arbitrary PM's just by specifying the message id. For example the url might look 
something like this.

http://forum/myhome.php?action=readmsg&id=INT&box=inbox

Where "INT" is there would be an integer specifying the message ID. The other issue 
discovered by Manuel is the fact that you can upload any file as an avatar. While this 
does not allow for php, or server side code execution, it does allow for client side code 
(such as JS, VBS, etc) to be executed. The uploaded code will then be available at the 
following url once uploaded.

http://forum/avatars/[usernamehere]avatar_type

Once again, just want to specify the last two vulnerabilities were discovered by Manuel 
Lopez and not myself, he just asked if I would include them :)


Solution:
Vendors were contacted many weeks ago and plan to release a fixed version soon. Check the 
OpenBB website for updates and official release details.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC