vBulletin 'admincp/verify.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1183584 漏洞类型 SQL注入
发布时间 2008-11-18 更新时间 2009-03-06
CVE编号 CVE-2008-6255 CNNVD-ID CNNVD-200902-533
漏洞平台 N/A CVSS评分 6.5
|漏洞来源
https://www.securityfocus.com/bid/32349
https://cxsecurity.com/issue/WLB-2009020265
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-533
|漏洞详情
vBulletin3.7.4版本中存在多个SQL注入漏洞。远程认证管理员可以借助(1)对admincp/verify.php的answer参数,(2)一个编辑操作中对admincp/attachmentpermission.php的扩展名参数,(3)对admincp/image.php的iperm参数执行任意SQL指令。
|漏洞EXP

[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4
========================================================================
=======

Author: Janek Vind "waraxe"
Date: 17. November 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-69.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

vBulletin (abbreviated as vB) is a commercial Internet forum software produced
by Jelsoft Enterprises. It is written in PHP using a MySQL database server.
vBulletin is a professional, affordable community forum solution. Thousands of
clients, including many industry leading blue chip companies, have chosen
vBulletin - It's the ideal choice for any size of community.

Web: http://www.vbulletin.com/

List of found vulnerabilities
========================================================================
=======

1. Sql Injection in "admincp/verify.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Impact: low
Preconditions: attacker must have admin account with Human Verification Manager
administer privileges

[---------- source code snippet start ----------]
if ($_POST['do'] == 'updateanswer')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'answer' => TYPE_STR,
	));
..
$db->query_write("
	UPDATE " . TABLE_PREFIX . "hvanswer
	SET answer = '" . $vbulletin->GPC['answer'] . "'
	WHERE answerid = " . $vbulletin->GPC['answerid']
);
[----------- source code snippet end -----------]

It appears, that user submitted parameter "answer" is not properly sanitized
before using in sql query. As result sql injection is possible. Test will 
induce sql error message:

Invalid SQL:
	UPDATE vb_hvanswer
	SET answer = 'war'axe'
	WHERE answerid = 1;

2. Sql Injection in "admincp/attachmentpermission.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~

Impact: low
Preconditions: attacker must have admin account with Attachment Permissions
Manager administer privileges

As in previous case, user submitted parameter, this time it's "extension", is
used in sql query without proper snaitization. This results sql injection 
vulnerability. For test log in as admin with needed privileges and then issue
GET request (using proper URI instead if example):

http://localhost/vbulletin374/admincp/attachmentpermission.php?do=edit&e
xtension=war'axe

This results with error message from vBulletin:

Database error in vBulletin 3.7.4:
Invalid SQL:

SELECT size, width, height
	FROM attachmenttype
	WHERE extension = 'war'axe';

3. Sql Injection in "admincp/image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~

Impact: low
Preconditions: attacker must have admin account with Avatars administer privileges

[---------- source code snippet start ----------]
if ($_POST['do'] == 'updatepermissions')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'iperm'           => TYPE_ARRAY,
		'imagecategoryid' => TYPE_INT
	));
..
foreach($vbulletin->GPC['iperm'] AS $usergroupid => $canuse)
{
	if ($canuse == 0)
	{
		$db->query_write("
			INSERT INTO " . TABLE_PREFIX . "imagecategorypermission
			(
				imagecategoryid,
				usergroupid
			)
			VALUES
			(
				" . $vbulletin->GPC['imagecategoryid'] . ",
				$usergroupid
			)
[----------- source code snippet end -----------]

User-submitted array "iperm" is used in sql query without proper sanitization.
This results in sql injection. Testing ends with error message:

MySQL Error   : Unknown column 'waraxe' in 'field list'

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~

come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Php shell (work in progress): http://phpaxe.com/
---------------------------------- [ EOF ] ---------------------------------
|受影响的产品
VBulletin VBulletin 3.7.4
|参考资料

来源:XF
名称:vbulletin-answer-extension-sql-injection(46682)
链接:http://xforce.iss.net/xforce/xfdb/46682
来源:MISC
链接:http://www.waraxe.us/advisory-69.html
来源:BUGTRAQ
名称:20081117[waraxe-2008-SA#069]-MultipleSqlInjectioninvBulletin3.7.4
链接:http://www.securityfocus.com/archive/1/archive/1/498390/100/0/threaded
来源:SECUNIA
名称:32775
链接:http://secunia.com/advisories/32775