Background information:


This report applies to Subdreamer newest stable release, 2.5.3.2 hotfix#5.

Subdreamer is a content management system, which is written in PHP and uses MySQL as its database backend. Subdreamer's home page is http://www.subdreamer.com

Subdreamer can be integrated with different forum software, so that login authentication & authorization information can be used in the CMS too.

Vulnerability description:


There are vulnerabilities in two integration modules in Subdreamer. Both Invision Power Board 2 and phpBB3 integration modules have this vulnerability.

Both bulletin board systems store browser user-agent string in the sessions table used to track currently logged in users.

The user-agent string is passed as-is from HTTP headers without any validation / escaping. This opens up a possibility for SQL Injection attacks.


Possible exploits:

I haven't found a way to directly exploit this vulnerability to access the database.

However, an indirect DoS attack is possible.

The default setting for "Send Database Errors by Email" is "On" in Subdreamer. This means that every time an error occurs in SQL processing, an E-Mail is sent to the website administrator.

Now, inserting ' in the User-agent string causes an SQL error, and therefore causes an error message to be sent to the administrator. This means that the administrator E-Mail can be flooded with error messages via this vulnerability.

How to fix:

PHPBB3:

On line 701 of includes/usersystems/phpbb3.php, the original code looks like this:

      $session['session_ip'], $session['session_browser'], $session['session_page'], $session['session_viewonline'],

The code should be replaced with:

      $session['session_ip'], $DB->escape_string($session['session_browser']), $session['session_page'], $session['session_viewonline'],

IPB2:

On line 215 in includes/usersystems/ipb2.php, the original line looks like this:

      $DB->escape_string($session['ip_address']), $session['browser'],

This has to be replaced by:

      $DB->escape_string($session['ip_address']), $DB->escape_string($session['browser']),


Vendor reaction:

A notification about IPB2 vulnerability was sent to vendor on 2008-12-15, and they confirmed that they had received the report on 2008-12-16. The bug hasn't been fixed in the current version.

A notification about phpBB3 vulnerability was sent to vendor a few months ago. There was no reaction to the report. The bug still exists in the current released version.


Tero Kilkanen