[UNIX] YabbSE SQL Injection (post.php)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/18/04

  • Next message: SecuriTeam: "[NT] Vizer Web Server DoS"
    To: list@securiteam.com
    Date: 18 Feb 2004 15:36:53 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      YabbSE SQL Injection (post.php)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.yabbse.org/> YaBB SE is a PHP/MySQL port of the popular
    forum software YaBB (yet another bulletin board). Incorporating the same
    intuitive user interface, and several of the most popular modifications
    from YaBB's Boardmod project". An SQL injection vulnerability in the
    post.php page allows a remote attacker to execute malicious SQL statements
    on the database remotely.

    DETAILS

    Vulnerable Systems:
 * YaBB SE versions 1.5.4, 1.5.5, possibly others

How To Exploit the vulnerability:
 * You need to be a registered user to exploit this hole.
 * Click any board you see. For example General Discussion.
 * Click any message. For example Welcome to YaBB SE!
 * Now view the source code of this page and search for the string "sesc"
(without the quotes). This is the session id, a 32-character hex string, for
example 13a478d8aa161c2231e6d3b36b6d19f2; you'll need it later. Now your URL
is something like this:
 * http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
 * Change your URL to look like this:
 * http://localhost:8080/yabbse//index.php?board=1&sesc=13a478d8aa161c2231e6d3b36b6d19f2&action=post&threadid=1&title=Post+reply&quote=-12) UNION SELECT passwd, null, null, null, null, null, null, null, null FROM yabbse_members where ID_MEMBER=1/*

The value of "sesc" is the value you obtained from the source code. As a
result you get the hashed password of the user with id = 1 in the Subject
text box, something like this: Re:e320774659b1b23333bd033754d21bc4

Workaround:
Open post.php and go to around line 49; you'll see something like this:
    $quotemsg = $quote;
    Change to this:
    if ( $quote && !is_numeric($quote) )
    {
     die('Go out C==|=======>');
    }

    $quotemsg = $quote;
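The workaround above rejects non-numeric values of "quote" before they reach the query. The following is an added example, not YaBB SE's own code: the advisory does not show the actual query in post.php, so the vulnerable function below is an assumed reconstruction of the pattern it describes (the "quote" message id interpolated straight into SQL, inside a parenthesised condition that the "-12)" payload closes). The table name yabbse_messages, the column ID_MSG and the function names are assumptions; only yabbse_members and ID_MEMBER appear in the advisory. The hardened form validates the id with ctype_digit, which is stricter than is_numeric (is_numeric also accepts "1e3", " 12" and "1.5"), and then binds it as a parameter so it can never be parsed as SQL text.

```php
<?php
// Added example (not YaBB SE code). Table/column names below are assumed.

// Vulnerable pattern (assumed reconstruction): the request parameter is
// interpolated into the SQL text, so "-12) UNION SELECT ... /*" becomes
// part of the statement instead of being treated as a message id.
function build_quote_query_vulnerable(string $quote): string
{
    return "SELECT subject, body FROM yabbse_messages WHERE (ID_MSG = $quote)";
}

// Hardened step 1: accept only a string of decimal digits and return it as int;
// anything else (negative numbers, spaces, exponents, SQL) is rejected.
function validate_message_id($quote): ?int
{
    if (!is_string($quote) && !is_int($quote)) {
        return null;
    }
    $s = (string) $quote;
    if ($s === '' || !ctype_digit($s)) {
        return null;
    }
    return (int) $s;
}

// Hardened step 2: a prepared statement sends the id as a bound integer,
// so even a value that passed validation is never spliced into SQL text.
function fetch_quoted_message(mysqli $db, $quote): ?array
{
    $id = validate_message_id($quote);
    if ($id === null) {
        return null; // reject, as the advisory's workaround does with die()
    }
    $stmt = $db->prepare('SELECT subject, body FROM yabbse_messages WHERE ID_MSG = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($subject, $body);
    $row = $stmt->fetch() ? ['subject' => $subject, 'body' => $body] : null;
    $stmt->close();
    return $row;
}

// Constructed sample inputs: shows which values the validator lets through.
$samples = ['12', '0', '-12) UNION SELECT passwd ...', '1e3', ' 12', '1.5', ''];
foreach ($samples as $s) {
    $v = validate_message_id($s);
    printf("%-32s -> %s\n", var_export($s, true), $v === null ? 'rejected' : "id $v");
}
```

Only "12" and "0" are accepted; the UNION payload, "1e3", " 12" and "1.5" are all rejected, whereas is_numeric() would have let the last three through. The prepared statement is the durable fix; the input check is defence in depth that also keeps bad values out of the rest of post.php.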

    Vendor Status:
    January 23, 2004: BackSpace contacted the vendor
    January 23, 2004: Vendor replied they are working on it.
    January 29, 2004: BackSpace sent another email to know how the work was
    progressing. No Response.
    February 3, 2004: BackSpace sent another email to know the status of the
    work.
February 4, 2004: Vendor says they'll figure out how to do it.
February 16, 2004: BackSpace published the vulnerability.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:backspace_2k@terra.es>
    BackSpace.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

