waraxe-2008-SA069.txt

18 Nov 2008 00:00:00 - Reported by Janek Vind aka waraxe
Source: packetstorm (packetstormsecurity.com)

Multiple Sql Injection in vBulletin 3.7.4 - Nov 2008 Estoni

[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 17. November 2008  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-69.html  
  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
vBulletin (abbreviated as vB) is a commercial Internet forum software produced  
by Jelsoft Enterprises. It is written in PHP using a MySQL database server.  
vBulletin is a professional, affordable community forum solution. Thousands of  
clients, including many industry leading blue chip companies, have chosen  
vBulletin - It's the ideal choice for any size of community.  
  
Web: http://www.vbulletin.com/  
  
  
List of found vulnerabilities  
===============================================================================  
  
1. Sql Injection in "admincp/verify.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Impact: low  
Preconditions: attacker must have an admin account with Human Verification Manager  
administer privileges  
  
  
[---------- source code snippet start ----------]  
if ($_POST['do'] == 'updateanswer')  
{  
    $vbulletin->input->clean_array_gpc('p', array(  
        'answer' => TYPE_STR,  
    ));  
    ..  
    $db->query_write("  
        UPDATE " . TABLE_PREFIX . "hvanswer  
        SET answer = '" . $vbulletin->GPC['answer'] . "'  
        WHERE answerid = " . $vbulletin->GPC['answerid']  
    );  
[----------- source code snippet end -----------]  
  
It appears that the user-submitted parameter "answer" is not properly sanitized  
before being used in the SQL query. As a result, SQL injection is possible. Testing  
induces the following SQL error message:  
  
Invalid SQL:  
UPDATE vb_hvanswer  
SET answer = 'war'axe'  
WHERE answerid = 1;  
  
  
2. Sql Injection in "admincp/attachmentpermission.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Impact: low  
Preconditions: attacker must have an admin account with Attachment Permissions  
Manager administer privileges  
  
As in the previous case, a user-submitted parameter, this time "extension", is  
used in an SQL query without proper sanitization, resulting in an SQL injection  
vulnerability. To test, log in as an admin with the needed privileges and issue the  
following GET request (using the proper URI instead of the example):  
  
http://localhost/vbulletin374/admincp/attachmentpermission.php?do=edit&extension=war'axe  
  
This results in the following error message from vBulletin:  
  
Database error in vBulletin 3.7.4:  
Invalid SQL:  
  
SELECT size, width, height  
FROM attachmenttype  
WHERE extension = 'war'axe';  
  
  
3. Sql Injection in "admincp/image.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Impact: low  
Preconditions: attacker must have an admin account with Avatars administer privileges  
  
[---------- source code snippet start ----------]  
if ($_POST['do'] == 'updatepermissions')  
{  
    $vbulletin->input->clean_array_gpc('p', array(  
        'iperm' => TYPE_ARRAY,  
        'imagecategoryid' => TYPE_INT  
    ));  
    ..  
    foreach($vbulletin->GPC['iperm'] AS $usergroupid => $canuse)  
    {  
        if ($canuse == 0)  
        {  
            $db->query_write("  
                INSERT INTO " . TABLE_PREFIX . "imagecategorypermission  
                (  
                    imagecategoryid,  
                    usergroupid  
                )  
                VALUES  
                (  
                    " . $vbulletin->GPC['imagecategoryid'] . ",  
                    $usergroupid  
                )  
[----------- source code snippet end -----------]  
  
The keys of the user-submitted array "iperm" (iterated as $usergroupid) are placed  
in the SQL query without proper sanitization. This results in SQL injection. Testing  
ends with the following error message:  
  
MySQL Error : Unknown column 'waraxe' in 'field list'  
  
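All three findings share one defect: request values are spliced into the SQL text rather than passed as data. The following Python/sqlite3 model is an added example, not vBulletin's code; it rebuilds the three quoted queries over a constructed schema (only the columns the advisory's queries name) and shows the concatenated form failing on war'axe beside a bound-parameter form in which the quote is plain data and non-integer ids or "iperm" keys are rejected before they reach the database.

```python
import sqlite3

# Constructed in-memory model of the three tables the advisory's queries touch
# (only the columns those queries name; this is not vBulletin's real schema).
SCHEMA = """
CREATE TABLE hvanswer (answerid INTEGER PRIMARY KEY, answer TEXT);
CREATE TABLE attachmenttype (extension TEXT PRIMARY KEY, size INT, width INT, height INT);
CREATE TABLE imagecategorypermission (imagecategoryid INT, usergroupid INT);
INSERT INTO hvanswer VALUES (1, 'old answer');
INSERT INTO attachmenttype VALUES ('png', 100000, 640, 480);
"""

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def concatenated_update_fails(db, answer, answerid=1):
    """The 'before' pattern from verify.php: the value is spliced into the SQL text.
    Returns True when the input breaks the statement, as war'axe does."""
    sql = "UPDATE hvanswer SET answer = '" + answer + "' WHERE answerid = " + str(answerid)
    try:
        db.execute(sql)
        return False
    except sqlite3.OperationalError:
        return True

def safe_update_answer(db, answer, answerid):
    """Hardened form: the string is bound, the id is validated as an integer."""
    answerid = int(answerid)  # ValueError on anything non-numeric
    db.execute("UPDATE hvanswer SET answer = ? WHERE answerid = ?", (answer, answerid))
    return db.execute("SELECT answer FROM hvanswer WHERE answerid = ?",
                      (answerid,)).fetchone()[0]

def safe_lookup_extension(db, extension):
    """attachmentpermission.php lookup with a bound parameter; a quote is just data."""
    return db.execute("SELECT size, width, height FROM attachmenttype WHERE extension = ?",
                      (extension,)).fetchone()

def safe_insert_permissions(db, imagecategoryid, iperm):
    """image.php loop: the *keys* of iperm reach the query, so each key is cast to
    int before use. A key such as 'waraxe' raises ValueError instead of reaching SQL."""
    imagecategoryid = int(imagecategoryid)
    rows = [(imagecategoryid, int(gid)) for gid, canuse in iperm.items() if int(canuse) == 0]
    db.executemany("INSERT INTO imagecategorypermission (imagecategoryid, usergroupid) "
                   "VALUES (?, ?)", rows)
    return db.execute("SELECT COUNT(*) FROM imagecategorypermission").fetchone()[0]
```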
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Php shell (work in progress): http://phpaxe.com/  
---------------------------------- [ EOF ] ---------------------------------  
