OpenBB 1.06 SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: OpenBB 1.06 SQL Injection
From: n.teusink@xxxxxxxxx
Date: Fri, 26 Dec 2003 21:37:10 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Priority: normal

Hello bugtraq readers,

A vulnerability exists in OpenBB 1.06 that could allow an attacker to 
manipulate SQL 
queries and obtain sensitive information from the database such as the 
administrator 
md5 password hash. 
This vulnerability exists because the index.php script of the application does 
not 
sufficiently sanitize the input of the "CID" parameter.

As far as I know this vulnerability can only be exploited if the database 
server the 
forum uses supports the UNION keyword, so it is probably not exploitable with 
MySQL 3.x. I have succesfully exploited this issue when using MySQL 4 as the 
database server.

Impact
------

If the admin password is weak enough the attacker could crack it using a brute 
force 
password cracker on the hash and get full control over the forum.

Solution
--------

I have notified the OpenBB developers and they have very quickly (a couple of 
hours, 
great work guys!) released a patched version. You can also patch your forum 
manually as described in the OpenBB advisory: 
http://forums.openbb.com/read.php?TID=445


Cheers,

Niels Teusink

http://www.teusink.net

Prev by Date: Re: An undetectable Online Bank Vulnerability?
Next by Date: DANGER ZONE: Internet Explorer
Previous by thread: QuikStore Shopping Cart Discloses Installation Path & Files to Remote Users
Next by thread: DANGER ZONE: Internet Explorer
Index(es):
- Date
- Thread