[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4

---

• From: come2waraxe@xxxxxxxxx
• Date: Mon, 17 Nov 2008 12:21:52 -0700

---

[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4
===============================================================================

Author: Janek Vind "waraxe"
Date: 17. November 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-69.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vBulletin (abbreviated as vB) is a commercial Internet forum software produced
by Jelsoft Enterprises. It is written in PHP using a MySQL database server.
vBulletin is a professional, affordable community forum solution. Thousands of
clients, including many industry leading blue chip companies, have chosen
vBulletin - It's the ideal choice for any size of community.

Web: http://www.vbulletin.com/


List of found vulnerabilities
===============================================================================

1. Sql Injection in "admincp/verify.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Impact: low
Preconditions: attacker must have admin account with Human Verification Manager
administer privileges


[---------- source code snippet start ----------]
if ($_POST['do'] == 'updateanswer')
{
$vbulletin->input->clean_array_gpc('p', array(
'answer' => TYPE_STR,
));
..
$db->query_write("
UPDATE " . TABLE_PREFIX . "hvanswer
SET answer = '" . $vbulletin->GPC['answer'] . "'
WHERE answerid = " . $vbulletin->GPC['answerid']
);
[----------- source code snippet end -----------]

It appears, that user submitted parameter "answer" is not properly sanitized
before using in sql query. As result sql injection is possible. Test will
induce sql error message:

Invalid SQL:
UPDATE vb_hvanswer
SET answer = 'war'axe'
WHERE answerid = 1;


2. Sql Injection in "admincp/attachmentpermission.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Impact: low
Preconditions: attacker must have admin account with Attachment Permissions
Manager administer privileges

As in previous case, user submitted parameter, this time it's "extension", is
used in sql query without proper snaitization. This results sql injection
vulnerability. For test log in as admin with needed privileges and then issue
GET request (using proper URI instead if example):

http://localhost/vbulletin374/admincp/attachmentpermission.php?do=edit&extension=war'axe

This results with error message from vBulletin:

Database error in vBulletin 3.7.4:
Invalid SQL:

SELECT size, width, height
FROM attachmenttype
WHERE extension = 'war'axe';


3. Sql Injection in "admincp/image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Impact: low
Preconditions: attacker must have admin account with Avatars administer privileges

[---------- source code snippet start ----------]
if ($_POST['do'] == 'updatepermissions')
{
$vbulletin->input->clean_array_gpc('p', array(
'iperm' => TYPE_ARRAY,
'imagecategoryid' => TYPE_INT
));
..
foreach($vbulletin->GPC['iperm'] AS $usergroupid => $canuse)
{
if ($canuse == 0)
{
$db->query_write("
INSERT INTO " . TABLE_PREFIX . "imagecategorypermission
(
imagecategoryid,
usergroupid
)
VALUES
(
" . $vbulletin->GPC['imagecategoryid'] . ",
$usergroupid
)
[----------- source code snippet end -----------]

User-submitted array "iperm" is used in sql query without proper sanitization.
This results in sql injection. Testing ends with error message:

MySQL Error : Unknown column 'waraxe' in 'field list'


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@xxxxxxxxx
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Php shell (work in progress): http://phpaxe.com/
---------------------------------- [ EOF ] ---------------------------------

---

• Prev by Date: Exodus v0.10 uri handler arbitrary parameter injection
• Next by Date: [USN-671-1] MySQL vulnerabilities
• Previous by thread: Exodus v0.10 uri handler arbitrary parameter injection
• Next by thread: [USN-671-1] MySQL vulnerabilities
• Index(es):
  • Date
  • Thread

---

Relevant Pages [Full-disclosure] vbulletin admincp sql injection ... not a serious vulnerability, can only be used by administrator of site ... SQL injection can be used to obtain password hash ... (Full-Disclosure) vbulletin admincp sql injection ... not a serious vulnerability, can only be used by administrator of site ... SQL injection can be used to obtain password hash ... (Bugtraq) Vulnerability not with vBulletin ... The vulnerability listed here is in a third-party 'hack' script, ... not part of vBulletin itself, and is beyond the control of the vBulletin ... SQL injection in vBulletin forums ... (Bugtraq) CA Forum Remote SQL Injection ... CAForum 1.0 Remote SQL Injection - ... CodeAvalanche Forum Version 1.0 ... CodeAvalanche FreeForum is asp forum application which allows free posting, there is no needs for registration of your ... In the file default.asp in Admin directory is vulnerable to an Remote SQL Injection Attack. ... (Bugtraq) Snitz2000 SQL Injection: A user can gain admin level ... # Last bug report in 2007-02-16 with 4692 visitors ... A user can gain admin level in the forum and can access to the forum. ... It is because of a SQL Injection in "Active.asp" ... (Bugtraq)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)