fusionBB.txt

2005-06-21T00:00:00
ID PACKETSTORM:38166
Type packetstorm
Reporter James Bercegay
Modified 2005-06-21T00:00:00

Description

                                        
                                            `##########################################################  
# GulfTech Security Research June 6th, 2005  
##########################################################  
# Vendor : InteractivePHP, Inc  
# URL : http://www.fusionbb.com/  
# Version : Version .11 Beta And Earlier  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
FusionBB is a popular online message board written in php and  
developed by InteractivePHP, INC. There are several vulnerabilities  
in FusionBB such as SQL Injection and Arbitrary Local File Inclusion.  
These issues could allow for an attacker to execute arbitrary scripts  
residing on the web server, retrieve sensitive data from the underlying  
database, or bypass the FusionBB authentication mechanisms.  
  
  
  
Local File Inclusion:  
Certain values retrieved from cookie data are not properly sanitized.  
One of these unsanitized variables is language. This variable is used  
to include local language files, so an attacker could change the value  
to contain directory traversal sequences, and append the data with a  
null byte (e.g. ../../etc/passwd%00) which could allow for arbitrary  
local files to be accessed. Additionally an attacker could exploit this  
issue to execute arbitrary scripts residing on the web server.  
  
  
  
SQL Injection:  
There are a couple of SQL Injection issues present in FusionBB, and one  
in particular is very dangerous. The first issue comes when registering  
an account with the FusionBB software, and will allow an attacker to  
influence an insert statement in the insertUser() function. This is due  
to the inputted username not being properly sanitized. Unfortunately the  
other SQL Injection issue is much more dangerous and allows an attacker  
to not only retrieve arbitrary data from the database such as password  
information, but the vulnerability will also allow for an attacker to  
easily bypass FusionBB authentication as well as access arbitrary user  
accounts. The vulnerability presents itself when an attacker enters an  
arbitrary statement in their cookie's session id variable.  
  
Cookie: bb_session_id=' or user_id = '1; bb_uid=1;  
  
For example, the above cookie information sent in an HTTP GET Header  
would log us in to the user account with an id of 1.  
  
  
  
Solution:  
This issues has been fixed and updated in the latest release of the  
FusionBB software. The official changelog can be viewed here.  
  
http://www.interactivephp.com/misc/CHANGELOG.html  
  
All users should upgrade their installations as soon as possible. A  
special thanks to Joshua Pettit for responding to, and resolving the  
issues reported here so quickly.  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00081-06132005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
`