
| Subject: | FusionBB Multiple Vulnerabilities |
|---|---|
| Date: | Mon, 13 Jun 2005 13:14:21 -0500 |
```text
##########################################################
# GulfTech Security Research                June 6th, 2005
##########################################################
# Vendor  : InteractivePHP, Inc
# URL     : http://www.fusionbb.com/
# Version : Version .11 Beta And Earlier
# Risk    : Multiple Vulnerabilities
##########################################################
```
Description: FusionBB is a popular online message board written in PHP and developed by InteractivePHP, Inc. There are several vulnerabilities in FusionBB, including SQL Injection and Arbitrary Local File Inclusion. These issues could allow an attacker to execute arbitrary scripts residing on the web server, retrieve sensitive data from the underlying database, or bypass the FusionBB authentication mechanisms.
Local File Inclusion: Certain values retrieved from cookie data are not properly sanitized. One of these unsanitized variables is `language`. This variable is used to include local language files, so an attacker could change the value to contain directory traversal sequences and append a null byte (e.g. ../../etc/passwd%00), which could allow arbitrary local files to be accessed. Additionally, an attacker could exploit this issue to execute arbitrary scripts residing on the web server.
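The fix for this class of bug is not to strip traversal sequences from the cookie but to never build an include path from it at all. The following is an added example (it is not FusionBB's code, and the language names, directory and function names are assumptions) showing a cookie-driven language selection that only ever resolves to one of a fixed set of known files; anything else, including the traversal-plus-null-byte value from the advisory, falls back to the default.

```php
<?php
// Added example, not FusionBB's code. Selecting a language file from a cookie
// without letting the cookie value shape the filesystem path.
// LANG_DIR and the allowed language names are assumptions for this demo.

const LANG_DIR = __DIR__ . '/languages';
const ALLOWED_LANGUAGES = ['english', 'german', 'french'];

/**
 * Map the raw cookie value to a language file path.
 *
 * The cookie value is never concatenated into the path unless it is exactly
 * one of the known names, so "../", absolute paths and embedded null bytes
 * can never reach include(). (PHP 5.3.4 and later also reject null bytes in
 * include paths, but a deployment of this era could not rely on that.)
 */
function languageFileFor(?string $cookieValue, array $allowed = ALLOWED_LANGUAGES): string
{
    $language = $cookieValue ?? 'english';

    // Shape check first: a plain lowercase word. This already rejects
    // traversal sequences, slashes, dots, "%00" and literal NUL bytes.
    if (!preg_match('/^[a-z]{2,32}$/', $language)) {
        $language = 'english';
    }

    // Then an exact, type-strict allow-list match (in_array non-strict would
    // let values like "0" compare loosely against strings on older PHP).
    if (!in_array($language, $allowed, true)) {
        $language = 'english';
    }

    return LANG_DIR . '/' . $language . '.php';
}

// Constructed sample cookie values: a legitimate choice, the value described in
// the advisory (traversal + NUL byte), and a URL-encoded variant.
$samples = [
    'german',
    "../../etc/passwd\0",
    '../../etc/passwd%00',
    null,
];

foreach ($samples as $value) {
    printf("%-28s -> %s\n", var_export($value, true), languageFileFor($value));
}

// In the application itself the call site would be:
//   require languageFileFor($_COOKIE['language'] ?? null);
```

Every sample except `german` resolves to the default `english.php`. Note that the check runs on the decoded cookie value PHP hands the script, which is why the raw NUL byte, not only the `%00` text, is covered.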
SQL Injection: There are a couple of SQL Injection issues present in FusionBB, and one in particular is very dangerous. The first issue comes when registering an account with the FusionBB software and allows an attacker to influence an INSERT statement in the insertUser() function, because the supplied username is not properly sanitized. Unfortunately, the other SQL Injection issue is much more dangerous: it allows an attacker not only to retrieve arbitrary data from the database, such as password information, but also to easily bypass FusionBB authentication and access arbitrary user accounts. The vulnerability presents itself when an attacker enters an arbitrary statement in their cookie's session id variable.
```text
Cookie: bb_session_id=' or user_id = '1; bb_uid=1;
```
For example, the above cookie information, sent in the Cookie header of an HTTP GET request, would log us in to the user account with an id of 1.
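Both SQL issues above have the same root cause: cookie and form values are spliced into SQL text. The following added example (not FusionBB's code; the table layout, column names, sample rows and the 32-hex-character session id format are assumptions for the demo) shows the session lookup and the insertUser() path rewritten with PDO prepared statements, next to the interpolating form the advisory describes, run against an in-memory SQLite database so it works offline.

```php
<?php
// Added example, not FusionBB's code. Session-cookie lookup and user
// insertion with bound parameters. Schema and rows are constructed.

function openDemoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL UNIQUE)');
    $db->exec("INSERT INTO users (username) VALUES ('admin')");                       // user_id 1
    $db->exec("INSERT INTO sessions VALUES ('0000aaaabbbbccccddddeeeeffff1111', 7)"); // a genuine session
    return $db;
}

// The pattern the advisory describes: the cookie value becomes part of the SQL
// text, so a quote inside bb_session_id rewrites the WHERE clause.
function userIdForSessionUnsafe(PDO $db, string $sessionId): ?int
{
    $row = $db->query("SELECT user_id FROM sessions WHERE session_id = '$sessionId'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Hardened: check the cookie's shape first (assumed format: 32 hex chars), then
// bind it as a parameter so the database only ever sees it as a value.
function userIdForSession(PDO $db, string $sessionId): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $sessionId)) {
        return null; // malformed id is "no session", never a query fragment
    }
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE session_id = :sid');
    $stmt->execute([':sid' => $sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// The registration path: the username is validated for shape and then bound,
// so it can never alter the INSERT statement.
function insertUser(PDO $db, string $username): int
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:name)');
    $stmt->execute([':name' => $username]);
    return (int) $db->lastInsertId();
}

$db = openDemoDatabase();
$forged  = "' or user_id = '1";                  // the cookie value from the advisory
$genuine = '0000aaaabbbbccccddddeeeeffff1111';

var_dump(userIdForSessionUnsafe($db, $forged));
var_dump(userIdForSession($db, $forged));
var_dump(userIdForSession($db, $genuine));

var_dump(insertUser($db, 'newuser_42'));
try {
    insertUser($db, "bob', 'x'); --");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run with the PHP CLI. The unsafe lookup returns the admin's user id for the forged cookie even though no such session row exists, the hardened lookup returns null for it and still finds the genuine session, and the quoted username is refused before any SQL is built. The shape checks are defence in depth; the binding is what actually closes the hole, so it should be applied even where a format check is impractical.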
Solution: These issues have been fixed in the latest release of the FusionBB software. The official changelog can be viewed at http://www.interactivephp.com/misc/CHANGELOG.html
All users should upgrade their installations as soon as possible. A special thanks to Joshua Pettit for responding to, and resolving, the issues reported here so quickly.
Related Info: The original advisory can be found at http://www.gulftech.org/?node=research&article_id=00081-06132005
Credits: James Bercegay of the GulfTech Security Research Team