-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: UseBB Multiple Vulnerabilities
 Release Date: 2005/07/28
Last Modified: 2005/07/28
       Author: Stefan Esser <s.esser@hardened-php.net>
  Application: UseBB <= 0.5.1
     Severity: Multiple SQL injection and XSS vulnerabilities may
               result in disclosure of administrators credentials.
         Risk: High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_122005.60.html


Overview:

   UseBB, the easy to set up and easy to use PHP and MySQL based forum 
   package, distributed freely under the GPL license. It is being built
   by a team of voluntary developers from all over the world, for use 
   on small to medium sized websites which need a clear and efficient 
   forum package.
   
   By accident we stumbled over UseBB and audited it, because we have
   never seen a PHP forum system that is free of vulnerabilities.
   During our work, we have discovered two 2 holes that were not yet
   fixed in the CVS and may allow compromising user accounts.
   
   One of the vulnerabilities is a XSS vulnerability that is only
   exploitable in Internet Explorer and the other one is a SQL 
   injection vulnerability that requires magic_quotes_gpc turned off
   to be exploitable, which is the recommended setting.
   
   
Details:
   
   An audit of UseBB revealed that the code is actually one of the 
   better pieces of PHP webapplications, although it uses the not 
   recommended magic_quotes_runtime feature.. The authors always try
   to initialise their variables correctly and whenever possible they
   filter user input before using it.
   
   However we were able to find two glitches in their code. The first 
   one is in the handling of the color BBCode. The color value is not 
   filtered and therefore it is possible for an attacker to inject 
   arbitrary stylesheet information for the resulting <span> tag. 
   Within Internet Explorer this will allow Javascript execution 
   through f.e. through a call of the expression() function.
   
   The other problem is located in the way the magic_quotes_gpc=Off 
   emulation is implemented. When the feature is deactivated, which is 
   the recommended setting, _GET, _POST and _COOKIE are automatically 
   addslashed(). Unfortunately _REQUEST is not automatically and 
   therefore the search function of the forum, which is the only
   place where _REQUEST is used, is not protected at all against any
   kind of SQL injection, when magic_quotes_gpc is turned off.
   
   Both vulnerabilities could result in disclosure of arbitrary
   user credentials.
   
      
Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.
      

Disclosure Timeline:

   27. July 2005 - Vendor informed.
   27. July 2005 - Vendor has released updated version.
   28. July 2005 - Public disclosure.


Recommendation:

   We strongly recommend installing the updated version, 0.5.1a, 
   which is available from the vendor's homepage, www.usebb.net.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser / Hardened PHP Project. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFC6VkdRDkUzAqGSqERAk2WAJ4ug+jsaGUS422U8vF3OSV/DfrOMACg05Ja
7xlU/Xg9j4J3JIayMEGkBXQ=
=2IYe
-----END PGP SIGNATURE-----