
[waraxe-2008-SA#064] - Sql Injection in MyBB 1.2.11
================================================================================

Author: Janek Vind "waraxe"
Date: 21. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-64.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MyBB is a discussion board that has been around for a while; it has evolved
from other bulletin boards into the forum package it is today. Therefore,
it is a professional and efficient discussion board, developed by an active
team of developers.

Vulnerabilities discovered
================================================================================

1. SQL Injection in "private.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preconditions:
================
a) the attacker must be logged in as a registered user
b) the private message system must be enabled

Caused by:
================
The "disablesmilies" parameter is not sanitized properly before being used in
an INSERT SQL query.

Explanation:
================

Let's try this little piece of HTML code as a proof of concept:

[--------------- PoC start -------------------------------------------------]



[------------- PoC end ----------------------------------------------------]

NB! The "to" parameter must be a valid username!

As a result of the test we can see an SQL error message:

MySQL error: 1136
Column count doesn't match value count at row 1
Query: INSERT INTO mybb_privatemessages (uid, toid, fromid, folder, subject,
icon, message, dateline, status, includesig, smilieoff, receipt, readtime)
VALUES ('1', '1', '1', '1', 'f00subject', '0', 'f00message', '1200579555',
'0', 'no', '',waraxe,'', '0', '0')

So an SQL injection hole exists in the INSERT query: the submitted value lands
inside the quoted "smilieoff" literal, and a quote in it closes that literal
early. With MySQL version >= 4.1 an attacker can use subselects to fetch
arbitrary data from the database, including the admin password hash.


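As an added illustration (not code from the advisory, and not MyBB's own PHP/MySQL code), the following Python/sqlite3 script rebuilds the shape of the INSERT above on a constructed in-memory table and runs the two patterns side by side: the string-interpolated query, which fails on the quote-bearing value just as the error message above shows, and a parameterized query, which stores the same value as plain data. The table name and column list are taken from the query above; the column types, the sample message values and all function names are assumptions made for this example.

```python
import sqlite3

# Constructed table mirroring the column list in the advisory's INSERT query
# (column types are assumptions; only the shape matters here).
SCHEMA = """
CREATE TABLE mybb_privatemessages (
    uid INTEGER, toid INTEGER, fromid INTEGER, folder INTEGER,
    subject TEXT, icon INTEGER, message TEXT, dateline INTEGER,
    status INTEGER, includesig TEXT, smilieoff TEXT, receipt INTEGER,
    readtime INTEGER
)
"""

COLUMNS = ("uid", "toid", "fromid", "folder", "subject", "icon", "message",
           "dateline", "status", "includesig", "smilieoff", "receipt", "readtime")


def fresh_db():
    """In-memory database containing only the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_vulnerable_sql(pm):
    """String-interpolates every value into the query, the pattern the advisory
    describes: a value containing a quote breaks out of its literal."""
    quoted = ", ".join("'%s'" % pm[c] for c in COLUMNS)
    return "INSERT INTO mybb_privatemessages (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), quoted)


def insert_vulnerable(conn, pm):
    """Runs the interpolated query; returns 'inserted' or the database error."""
    try:
        conn.execute(build_vulnerable_sql(pm))
        conn.commit()
        return "inserted"
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def insert_parameterized(conn, pm):
    """Hardened form: placeholders keep every value as data, whatever it holds."""
    sql = "INSERT INTO mybb_privatemessages (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join("?" for _ in COLUMNS))
    conn.execute(sql, tuple(pm[c] for c in COLUMNS))
    conn.commit()


def sample_pm(smilieoff):
    """Constructed private message; 'smilieoff' is the column that receives the
    user-controlled disablesmilies parameter in the advisory's query."""
    return {
        "uid": "1", "toid": "1", "fromid": "1", "folder": "1",
        "subject": "f00subject", "icon": "0", "message": "f00message",
        "dateline": "1200579555", "status": "0", "includesig": "no",
        "smilieoff": smilieoff, "receipt": "0", "readtime": "0",
    }


def compare(smilieoff):
    """Returns (outcome of the interpolated insert, value stored by the
    parameterized insert). A benign value succeeds in both; a quote-bearing
    value errors in the first and is stored verbatim by the second."""
    pm = sample_pm(smilieoff)
    vulnerable_outcome = insert_vulnerable(fresh_db(), pm)
    conn = fresh_db()
    insert_parameterized(conn, pm)
    stored = conn.execute(
        "SELECT smilieoff FROM mybb_privatemessages").fetchone()[0]
    return vulnerable_outcome, stored


if __name__ == "__main__":
    print(compare("0"))             # benign value: both inserts succeed
    print(compare("',waraxe,'"))    # value shaped like the one in the error above
```

Running the script shows the interpolated insert raising a database error for the quote-bearing value (the extra values and the bare identifier break the statement) while the parameterized insert stores the string exactly as received; the database never interprets it as SQL, which is the property a fix for this class of bug has to provide.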
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the new MyBB version 1.2.12

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, str0ke
and anyone else who knows me!
Greetings to Raido Kerna. Greetings to the people of Torufoorum!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] --------------------------------