Exploits and Security » Message Boards

UseBB Multiple Vulnerabilities

Exploitx — Fri, 29 Jul 2005 18:36:00 +0000

Advisory: UseBB Multiple Vulnerabilities

Application: UseBB 0.5.1
Severity: Multiple SQL injection and XSS vulnerabilities may
result in disclosure of administrators credentials.
Risk : High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_122005.60.html

Overview:

UseBB, the easy to set up and easy to use PHP and MySQL based forum
package, distributed freely under the GPL license. It is being built
by a team of voluntary developers from all over the world, for use
on small to medium sized websites which need a clear and efficient
forum package.

By accident we stumbled over UseBB and audited it, because we have
never seen a PHP forum system that is free of vulnerabilities.
During our work, we have discovered two 2 holes that were not yet
fixed in the CVS and may allow compromising user accounts.

One of the vulnerabilities is a XSS vulnerability that is only
exploitable in Internet Explorer and the other one is a SQL
injection vulnerability that requires magic_quotes_gpc turned off
to be exploitable, which is the recommended setting.

Details:

An audit of UseBB revealed that the code is actually one of the
better pieces of PHP webapplications, although it uses the not
recommended magic_quotes_runtime feature.. The authors always try
to initialise their variables correctly and whenever possible they
filter user input before using it.

However we were able to find two glitches in their code. The first
one is in the handling of the color BBCode. The color value is not
filtered and therefore it is possible for an attacker to inject
arbitrary stylesheet information for the resulting tag.
Within Internet Explorer this will allow Javascript execution
through f.e. through a call of the expression() function.

The other problem is located in the way the magic_quotes_gpc=Off
emulation is implemented. When the feature is deactivated, which is
the recommended setting, _GET, _POST and _COOKIE are automatically
addslashed(). Unfortunately _REQUEST is not automatically and
therefore the search function of the forum, which is the only
place where _REQUEST is used, is not protected at all against any
kind of SQL injection, when magic_quotes_gpc is turned off.

Both vulnerabilities could result in disclosure of arbitrary
user credentials.

Proof of Concept:

The Hardened-PHP Project is not going to release an exploit
for this vulnerability to the public.

Disclosure Timeline:

27. July 2005 – Vendor informed.
27. July 2005 – Vendor has released updated version.
28. July 2005 – Public disclosure.

Recommendation:

We strongly recommend installing the updated version, 0.5.1a,
which is available from the vendor’s homepage, www.usebb.net.

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Invision PowerBoard 1.3.x – 2-x Exploit and Patch

Exploitx — Mon, 18 Jul 2005 20:07:43 +0000

Desc: Invision PowerBoard 1.3.x – 2.x Privilege escalation through SQL injection
Risk: High

Invision PowerBoard exploit

phpBB 2.0.16 released

Exploitx — Thu, 30 Jun 2005 08:55:48 +0000

Hi everyone,
phpBB Group announces the release of phpBB 2.0.16. This release addresses
some bugfixes and one critical security issue. To fix this, please apply
the following change: In viewtopic.php
Find:

$message = str_replace('"', '"', substr(@preg_replace('#(>(((?>([^>< ]+|(?R)))*)<))#se', "@preg_replace('#b(" . str_replace('\', '\\', $highlight_match) . ")b#i', '\\1', '\0')", '>' . $message . '< '), 1, -1));

Replace with:

$message = str_replace('"', '"', substr(@preg_replace('#(>(((?>([^>< ]+|(?R)))*)<))#se', "@preg_replace('#b(" . str_replace('\', '\\', addslashes($highlight_match)) . ")b#i', ' $theme['fontcolor3'] . "">\\1', '\0')", '>' . $message . '< '), 1, -1));

We urge you to update as soon as possible. You can of course find this
download available on our downloads page
(http://www.phpbb.com/downloads.php). As per usual three packages are
available to simplify your update. The Full Package contains entire phpBB2
source and English language package. The Changed Files Only contains only
those files changed from previous versions of phpBB. Please note this
archive contains changed files for each previous release. Patch Files
contains patch compatible patches from the previous versions of phpBB.
Select whichever package is most suitable for you.
The changelog (contained within this release) is as follows:
- Fixed critical issue with highlighting - Discovered and fix provided by
Ron van Daal - Url descriptions able to be wrapped over more than one line
again - Fixed bug with eAccelerator in admin_ug_auth.php
- Check new_forum_id for existence in modcp.php - alessnet
- Prevent uploading avatars with no dimensions - Xpert
- Fixed bug in usercp_register.php, forcing avatar file removal without
updating avatar informations within the database - HenkPoley - Fixed bug
in admin re-authentication redirect for servers not having index.php as
one of their default files set As always, our Code Changes Tutorial is
available too for those with heavily modded boards. It can be downloaded
from http://www.phpbb.com/phpBB/viewtopic.php?t=301712