
fusionBB.txt

Posted Jun 21, 2005
Authored by James Bercegay | Site gulftech.org

FusionBB versions .11 Beta and earlier suffer from local file inclusion and SQL injection flaws.

tags | exploit, local, sql injection, file inclusion
SHA-256 | 24550f3df2baa0ef6d78a486eea8df52ca8d90111ec586881b6e272f2e6bfd8d

##########################################################
# GulfTech Security Research June 6th, 2005
##########################################################
# Vendor : InteractivePHP, Inc
# URL : http://www.fusionbb.com/
# Version : Version .11 Beta And Earlier
# Risk : Multiple Vulnerabilities
##########################################################



Description:
FusionBB is a popular online message board written in PHP and
developed by InteractivePHP, Inc. There are several vulnerabilities
in FusionBB such as SQL Injection and Arbitrary Local File Inclusion.
These issues could allow for an attacker to execute arbitrary scripts
residing on the web server, retrieve sensitive data from the underlying
database, or bypass the FusionBB authentication mechanisms.



Local File Inclusion:
Certain values retrieved from cookie data are not properly sanitized.
One of these unsanitized variables is language. This variable is used
to include local language files, so an attacker could change the value
to contain directory traversal sequences and append a null byte to it
(e.g. ../../etc/passwd%00), which could allow arbitrary local files to
be accessed. Additionally, an attacker could exploit this issue to
execute arbitrary scripts residing on the web server.



SQL Injection:
There are a couple of SQL Injection issues present in FusionBB, and one
in particular is very dangerous. The first issue comes when registering
an account with the FusionBB software, and will allow an attacker to
influence an insert statement in the insertUser() function. This is due
to the inputted username not being properly sanitized. Unfortunately the
other SQL Injection issue is much more dangerous and allows an attacker
to not only retrieve arbitrary data from the database such as password
information, but the vulnerability will also allow for an attacker to
easily bypass FusionBB authentication as well as access arbitrary user
accounts. The vulnerability presents itself when an attacker enters an
arbitrary statement in their cookie's session id variable.

Cookie: bb_session_id=' or user_id = '1; bb_uid=1;

For example, the above cookie information sent in the headers of an
HTTP GET request would log us in to the user account with an id of 1.
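
Added example (not part of the original advisory and not FusionBB's own
code): a hardened way to handle the two cookie values discussed in the
Local File Inclusion and SQL Injection sections above. The function
names, the sessions table layout, the session id value and the language
list are assumptions made for illustration.

```php
<?php
// Assumed set of installed language packs (hypothetical names).
const LANGUAGES = ['english', 'german', 'french'];

// Map the "language" cookie onto a fixed allowlist before the value is
// ever used to build an include path.
function resolve_language(?string $cookie): string
{
    // Exact, strict match against known names: a value carrying
    // traversal sequences or a null byte can never equal a list entry.
    return in_array($cookie, LANGUAGES, true) ? $cookie : 'english';
}

// Look up a session with a bound parameter, so the cookie value is
// always treated as data and never parsed as SQL.
function lookup_session(PDO $db, string $sessionId): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec("INSERT INTO sessions VALUES ('0123456789abcdef0123456789abcdef', 1)");

// A real session id resolves to its owner.
var_dump(lookup_session($db, '0123456789abcdef0123456789abcdef')); // int(1)

// The bb_session_id value from the advisory is compared as a literal
// string, matches no row, and therefore authenticates nobody.
var_dump(lookup_session($db, "' or user_id = '1")); // NULL

// A known language name passes through unchanged.
var_dump(resolve_language('german')); // string(6) "german"

// The traversal value from the advisory (with the null byte decoded)
// falls back to the default instead of reaching the filesystem.
var_dump(resolve_language("../../etc/passwd\0")); // string(7) "english"
```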



Solution:
These issues have been fixed in the latest release of the FusionBB
software. The official changelog can be viewed here.

http://www.interactivephp.com/misc/CHANGELOG.html

All users should upgrade their installations as soon as possible. A
special thanks to Joshua Pettit for responding to, and resolving the
issues reported here so quickly.



Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00081-06132005



Credits:
James Bercegay of the GulfTech Security Research Team