[UNIX] Multiple SQL Injection Vulnerabilties in Chipmunk Forum

From: SecuriTeam (support_at_securiteam.com)
Date: 02/06/05

  • Next message: SecuriTeam: "[REVS] Advanced SQL Injection in Oracle Databases" 
    To: list@securiteam.com
Date: 6 Feb 2005 18:25:48 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple SQL Injection Vulnerabilties in Chipmunk Forum
    ------------------------------------------------------------------------

    SUMMARY

    Chipmunk Forum is "a small yet flexible and fully featured forum system".

    Due to inadequate filtering by Chipmunk Forum's PHP scripts a remote
    attacker can cause the program to insert arbitrary SQL statements into
    existing ones, allowing him to gain elevated privileges to the forum,
    change information of users, obtain passwords, etc.

    DETAILS

    Vulnerable script getpassword.php
    Vulnerable code:
    if(isset($_POST['submit']))
    {
      $email=$_POST['email'];
      $getinfo="SELECT * from b_users where email='$email'";
      ...
    mail("$email","Your Forum password","Your forum password has been set to
    $value");

    Exploit:
    Use the following as the email: ghc@ghc.ru' or username='Administrator
    this will change password the password oft the Administrator account (The
    "Administrator" must be a valid user name).

    Vulnerable script authenticate.php
    Vulnerable code:
    $username=$_POST['user'];
    $password=$_POST['password'];
    $password=md5($password);
    $query = "select * from b_users where username='$username' and
    password='$password' and validated='1'";

    Exploit:
    At the login.php page enter as the username Administrator'/*

    Vulnerable script edit.php
    Vulnerable code:
     if(isset($_POST['ID']))
    {
      $ID=$_POST['ID'];
    }
    else
    {
      $ID=$_GET['ID'];
    }
    $checking="SELECT * from b_posts,b_users where
    b_users.userID=b_posts.author and b_posts.ID='$ID'";

    It is possible to inject SQL statements through the $ID variable.

    Vulnerable script search.php
    Vulnerable code:
      $searchterm=$_POST['searchterm'];
      $getthreads="SELECT * from b_posts where post like '%$searchterm%' and
    threadparent='0' order by telapsed DESC limit $start, 50";

    It is possible to inject SQL statements through $searchterm parameter.

    Vulnerable script newtopic.php
    Vulnerable code:
           $name=$_POST['name'];
           $title=$_POST['title'];
           $post=$_POST['post'];
           $day=date("D M d, Y H:i:s");
           $timegone=date("U") ;
           if($_POST['nosmiley'])
    ..
           $name=strip_tags($name);
           $title=strip_tags($title);
           $post=strip_tags($post);
           $posting="INSERT INTO b_posts (author, title, post,timepost,
    telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name',
    '$title', '$post', '$day',
    '$timegone','$forumID','$user','$nosmiley','$s')";
           mysql_query($posting) or die("could not post");

    It is possible to inject SQL statements through $name, $title, and $post
    parameters.

    Vulnerable script reguser.php
    Vulnerable code:
    $username=$_POST['username'];
    $password=$_POST['password'];
    $signature=$_POST['signature'];
    $pass2=$_POST['pass2'];
    $usercheck="SELECT*from b_users where username='$username' or
    email='$email'";

    ..

    if ($password==$pass2 && $_POST['password'])
    {
      $password=md5($password);
      $supervalue=$value;
      $daycte("U");
      $email=$_POST['email'];
      $location=$_POST['location'];
      $aim=$_POST['aim'];
      $showprofile=$_POST['showprofile'];
      $icq=$_POST['icq'];
      $seedval=$day#0000;
      srand($seedval);
      $key=RAND(1000000,2000000);
      if($requirekey=="no"||$requirekey=="No") //if you do no require an
    activation key
      {
        $SQL ="INSERT into b_users (username, password, sig, email, location,
    AIM, ICQ, showprofile, validated) values ('$username', '$password',
    '$signature', '$email', '$location', '$aim', '$icq', '$showprofile',
    '1')";
        mysql_query($SQL) or die(mysql_error());
      }
      else //you require an activation key
      {
        $SQL ="INSERT into b_users (username, password, sig, keynode, email,
    location, AIM, ICQ, showprofile) values ('$username', '$password',
    '$signature', '$key', '$email', '$location', '$aim', '$icq',
    '$showprofile')";
        mysql_query($SQL) or die(mysql_error());
        mail("$email","Your forum activation key","Paste the URL to activate
    your account.
    $boardpath/activate.php?username=$username&password=$password&keynode=$key");
      }

    It is possible to inject SQL statements through the registration form's
    variables.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:foster@ghc.ru> GHC vision.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[REVS] Advanced SQL Injection in Oracle Databases"