lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050728215408.GA8377@hardened-php.net> Date: Thu Jul 28 22:58:50 2005 From: sesser at hardened-php.net (Stefan Esser) Subject: Advisory 12/2005: UseBB Multiple Vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened PHP Project www.hardened-php.net -= Security Advisory =- Advisory: UseBB Multiple Vulnerabilities Release Date: 2005/07/28 Last Modified: 2005/07/28 Author: Stefan Esser <s.esser@...dened-php.net> Application: UseBB <= 0.5.1 Severity: Multiple SQL injection and XSS vulnerabilities may result in disclosure of administrators credentials. Risk: High Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_122005.60.html Overview: UseBB, the easy to set up and easy to use PHP and MySQL based forum package, distributed freely under the GPL license. It is being built by a team of voluntary developers from all over the world, for use on small to medium sized websites which need a clear and efficient forum package. By accident we stumbled over UseBB and audited it, because we have never seen a PHP forum system that is free of vulnerabilities. During our work, we have discovered two 2 holes that were not yet fixed in the CVS and may allow compromising user accounts. One of the vulnerabilities is a XSS vulnerability that is only exploitable in Internet Explorer and the other one is a SQL injection vulnerability that requires magic_quotes_gpc turned off to be exploitable, which is the recommended setting. Details: An audit of UseBB revealed that the code is actually one of the better pieces of PHP webapplications, although it uses the not recommended magic_quotes_runtime feature.. The authors always try to initialise their variables correctly and whenever possible they filter user input before using it. However we were able to find two glitches in their code. The first one is in the handling of the color BBCode. The color value is not filtered and therefore it is possible for an attacker to inject arbitrary stylesheet information for the resulting <span> tag. Within Internet Explorer this will allow Javascript execution through f.e. through a call of the expression() function. The other problem is located in the way the magic_quotes_gpc=Off emulation is implemented. When the feature is deactivated, which is the recommended setting, _GET, _POST and _COOKIE are automatically addslashed(). Unfortunately _REQUEST is not automatically and therefore the search function of the forum, which is the only place where _REQUEST is used, is not protected at all against any kind of SQL injection, when magic_quotes_gpc is turned off. Both vulnerabilities could result in disclosure of arbitrary user credentials. Proof of Concept: The Hardened-PHP Project is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 27. July 2005 - Vendor informed. 27. July 2005 - Vendor has released updated version. 28. July 2005 - Public disclosure. Recommendation: We strongly recommend installing the updated version, 0.5.1a, which is available from the vendor's homepage, www.usebb.net. GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser / Hardened PHP Project. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFC6VkdRDkUzAqGSqERAk2WAJ4ug+jsaGUS422U8vF3OSV/DfrOMACg05Ja 7xlU/Xg9j4J3JIayMEGkBXQ= =2IYe -----END PGP SIGNATURE-----
Powered by blists - more mailing lists