deluxeBB.txt

2006-07-20T00:00:00
ID PACKETSTORM:48390
Type packetstorm
Reporter Jessica Hope
Modified 2006-07-20T00:00:00

Description

                                        
                                            `======================================================================  
  
Advisory : DeluxeBB mutiple vulnerabilities  
Release Date : July 18th, 2006  
Application : DeluxeBB  
Version : Deluxe 1.07 and previous versions  
Platform : PHP  
Vendor URL : http://www.deluxebb.com/  
Authors : Jessica Hope (jessicasaulhope@googlemail.com)  
: Th3 M0ths (th3.m0ths@gmail.com)  
  
=======================================================================  
  
Overview  
  
Due to various failures in sanitising user input, it is possible to  
construct XSS attacks, SQL injection, authentication bypass, bypassing  
of default security checks, user spoofing, cookie poisoning and  
pollution of the global namespace.  
  
=======================================================================  
  
Discussion  
  
  
Authentication bypass:  
  
It is possible for an attacker to become any user he or she wishes by  
creating a set of fake cookies. Consider the admin with memberid of 1  
and the name 'admin'. Here is the relevant settings required to become  
this user:  
  
membercookie: admin  
memberid: 1  
memberpw: ' or '' = '  
  
The exploit works because the SQL query done looks something like this:  
SELECT * FROM deluxebb_users WHERE (uid='1' && username='admin' &&  
pass='' or '' = '')  
  
There are limits imposed on the memberpw, it must be shorter than 33 characters.  
However, memberpw should only contain the MD5 sum of your password  
(something that should actually be changed, but that is a different section of  
this report).  
  
  
User spoofing:  
  
It is possible to post as any other user without having to totally  
become that user. The method  
is nearly the same as above, except you do not need to alter the  
password cookie. You will remain  
logged in as the user you originally logged in as.  
  
Consider the user 'test' with the memberid of 4. Here is the relevant  
settings required to spoof this user:  
  
memberid: 4  
membercookie: ' or '' = '  
  
All other cookies should be left alone.  
  
  
You do not need to be logged in to launch this attack, you just need  
to create the above cookies,  
and provide anything for the memberpw cookie (even a - will suffice).  
  
In addition to altering the cookies, if you were to register as a user  
with just a single space as  
the username, you would have the credentials, without the memberpw  
cookie being set. You are  
now able to post as a guest user, while still having the other  
cookies. In addition to this, it is not  
possible to ban by username; the user cannot be found in the admin cp.  
  
  
Cookie poisioning:  
  
If you set you cookies to the following, after logging in:  
  
membercookie: ' or '' = '  
  
Leaving the rest alone, you are able to change everyone's settings.  
This can be done by then  
going to the Member CP and changing anything. The result of this means  
that you are able to  
change everyone's e-mail, signature, location, website, other  
settings, and worst of all, you are  
able to change everyone's password.  
  
  
XSS in membercookie cookie:  
  
Setting the membercookie cookie to be any XSS causes the display forum  
and display topic to  
show the XSS as DeluxeBB trusts the membercookie over the memberid  
which gets passed  
through an intval() in $memberid = @intval($memberid);.  
  
The membercookie looks like this:  
  
membercookie: <script>alert(document.cookie)</script>  
  
You do have to have a valid memberpw and memberid cookie.  
  
  
URL Redirection on login:  
  
In the redirect variable, it is possible to phish a user when they  
attempt to login.  
  
http://www.example.com/deluxebb/misc.php?sub=login&redirect=http://www.badsite.com/  
  
  
Bypass SQL Injection Protection:  
  
There is basic SQL Injection protection on certain variables such as  
login. However, it  
is programmed to be case sensitive, so bypassing the sensitivity can lead to  
SQL Injection.  
  
The protection is an strstr (case-sensitive) on UNION SELECT. Using  
union select instead  
in the protected variables is a simple bypass.  
  
  
SQL Injection:  
  
Due to the way the cookies are used, most of the above attacks  
(authentication bypass, user spoofing, cookie poisoning) allow a basic  
set of SQL injection.  
  
More advanced SQL injection could be possible due to the way the  
cookies are handled. I will  
leave this as an exercise to the reader in order to come up with some  
possible SQL.  
  
  
Pollution of the global namespace:  
  
Due to the following lines, it is possible to use cookies in an  
attempt to overwrite data  
in the $_GET, $_POST, $_SERVER and $_ENV arrays:  
  
$list = array('_GET', '_POST', '_ENV', '_SERVER', '_COOKIE', '_FILES');  
foreach($list as $element) {  
if(!empty($$element) && is_array($$element) ) {  
extract($$element);  
}  
}  
  
This can allow someone to set a COOKIE variable to overwrite the  
previous variables, allowing  
SQL injection and XSS.  
  
  
=======================================================================  
  
Solution  
  
Anyone using DeluxeBB is advised to update to the latest version,  
which at time of writing this is now v1.08  
  
=======================================================================  
  
History:  
  
18th July 2006: Full disclosure  
  
15th July 2006: Vendor released patched version  
  
09th July 2006: Vendor test patch  
  
03rd July 2006: Vendor response  
  
02nd July 2006: Vendor notified  
  
=======================================================================  
  
Credit  
  
This issue is to be credited to Jessica Hope ( jessicasaulhope@googlemail.com )  
and Th3 M0ths (th3.m0ths@gmail.com)  
`