DeluxeBB mutiple vulnerabilities

2006.07.25
Credit: Jessica Hope (jessicasaulhope googlemail com)
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-3799 | CVE-2006-3798 | CVE-2006-3796 | CVE-2006-3795 | CVE-2006-3797
CWE: N/A

====================================================================== Advisory : DeluxeBB mutiple vulnerabilities Release Date : July 18th, 2006 Application : DeluxeBB Version : Deluxe 1.07 and previous versions Platform : PHP Vendor URL : http://www.deluxebb.com/ Authors : Jessica Hope (jessicasaulhope (at) googlemail (dot) com [email concealed]) : Th3 M0ths (th3.m0ths (at) gmail (dot) com [email concealed]) ======================================================================= Overview Due to various failures in sanitising user input, it is possible to construct XSS attacks, SQL injection, authentication bypass, bypassing of default security checks, user spoofing, cookie poisoning and pollution of the global namespace. ======================================================================= Discussion Authentication bypass: It is possible for an attacker to become any user he or she wishes by creating a set of fake cookies. Consider the admin with memberid of 1 and the name 'admin'. Here is the relevant settings required to become this user: membercookie: admin memberid: 1 memberpw: ' or '' = ' The exploit works because the SQL query done looks something like this: SELECT * FROM deluxebb_users WHERE (uid='1' && username='admin' && pass='' or '' = '') There are limits imposed on the memberpw, it must be shorter than 33 characters. However, memberpw should only contain the MD5 sum of your password (something that should actually be changed, but that is a different section of this report). User spoofing: It is possible to post as any other user without having to totally become that user. The method is nearly the same as above, except you do not need to alter the password cookie. You will remain logged in as the user you originally logged in as. Consider the user 'test' with the memberid of 4. Here is the relevant settings required to spoof this user: memberid: 4 membercookie: ' or '' = ' All other cookies should be left alone. You do not need to be logged in to launch this attack, you just need to create the above cookies, and provide anything for the memberpw cookie (even a - will suffice). In addition to altering the cookies, if you were to register as a user with just a single space as the username, you would have the credentials, without the memberpw cookie being set. You are now able to post as a guest user, while still having the other cookies. In addition to this, it is not possible to ban by username; the user cannot be found in the admin cp. Cookie poisioning: If you set you cookies to the following, after logging in: membercookie: ' or '' = ' Leaving the rest alone, you are able to change everyone's settings. This can be done by then going to the Member CP and changing anything. The result of this means that you are able to change everyone's e-mail, signature, location, website, other settings, and worst of all, you are able to change everyone's password. XSS in membercookie cookie: Setting the membercookie cookie to be any XSS causes the display forum and display topic to show the XSS as DeluxeBB trusts the membercookie over the memberid which gets passed through an intval() in $memberid = @intval($memberid);. The membercookie looks like this: membercookie: <script>alert(document.cookie)</script> You do have to have a valid memberpw and memberid cookie. URL Redirection on login: In the redirect variable, it is possible to phish a user when they attempt to login. http://www.example.com/deluxebb/misc.php?sub=login&redirect=http://www.b adsite.com/ Bypass SQL Injection Protection: There is basic SQL Injection protection on certain variables such as login. However, it is programmed to be case sensitive, so bypassing the sensitivity can lead to SQL Injection. The protection is an strstr (case-sensitive) on UNION SELECT. Using union select instead in the protected variables is a simple bypass. SQL Injection: Due to the way the cookies are used, most of the above attacks (authentication bypass, user spoofing, cookie poisoning) allow a basic set of SQL injection. More advanced SQL injection could be possible due to the way the cookies are handled. I will leave this as an exercise to the reader in order to come up with some possible SQL. Pollution of the global namespace: Due to the following lines, it is possible to use cookies in an attempt to overwrite data in the $_GET, $_POST, $_SERVER and $_ENV arrays: $list = array('_GET', '_POST', '_ENV', '_SERVER', '_COOKIE', '_FILES'); foreach($list as $element) { if(!empty($$element) && is_array($$element) ) { extract($$element); } } This can allow someone to set a COOKIE variable to overwrite the previous variables, allowing SQL injection and XSS. ======================================================================= Solution Anyone using DeluxeBB is advised to update to the latest version, which at time of writing this is now v1.08 ======================================================================= History: 18th July 2006: Full disclosure 15th July 2006: Vendor released patched version 09th July 2006: Vendor test patch 03rd July 2006: Vendor response 02nd July 2006: Vendor notified ======================================================================= Credit This issue is to be credited to Jessica Hope ( jessicasaulhope (at) googlemail (dot) com [email concealed] ) and Th3 M0ths (th3.m0ths (at) gmail (dot) com [email concealed])


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top