Advisory 12/2005: UseBB Multiple Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened PHP Project
www.hardened-php.net

-= Security Advisory =-


Advisory: UseBB Multiple Vulnerabilities
Release Date: 2005/07/28
Last Modified: 2005/07/28
Author: Stefan Esser <s.esser@hardened-php.net>
Application: UseBB <= 0.5.1
Severity: Multiple SQL injection and XSS vulnerabilities may
result in disclosure of administrators credentials.
Risk: High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_122005.60.html


Overview:

UseBB, the easy to set up and easy to use PHP and MySQL based forum
package, distributed freely under the GPL license. It is being built
by a team of voluntary developers from all over the world, for use
on small to medium sized websites which need a clear and efficient
forum package.

By accident we stumbled over UseBB and audited it, because we have
never seen a PHP forum system that is free of vulnerabilities.
During our work, we have discovered two 2 holes that were not yet
fixed in the CVS and may allow compromising user accounts.

One of the vulnerabilities is a XSS vulnerability that is only
exploitable in Internet Explorer and the other one is a SQL
injection vulnerability that requires magic_quotes_gpc turned off
to be exploitable, which is the recommended setting.


Details:

An audit of UseBB revealed that the code is actually one of the
better pieces of PHP webapplications, although it uses the not
recommended magic_quotes_runtime feature.. The authors always try
to initialise their variables correctly and whenever possible they
filter user input before using it.

However we were able to find two glitches in their code. The first
one is in the handling of the color BBCode. The color value is not
filtered and therefore it is possible for an attacker to inject
arbitrary stylesheet information for the resulting <span> tag.
Within Internet Explorer this will allow Javascript execution
through f.e. through a call of the expression() function.

The other problem is located in the way the magic_quotes_gpc=Off
emulation is implemented. When the feature is deactivated, which is
the recommended setting, _GET, _POST and _COOKIE are automatically
addslashed(). Unfortunately _REQUEST is not automatically and
therefore the search function of the forum, which is the only
place where _REQUEST is used, is not protected at all against any
kind of SQL injection, when magic_quotes_gpc is turned off.

Both vulnerabilities could result in disclosure of arbitrary
user credentials.


Proof of Concept:

The Hardened-PHP Project is not going to release an exploit
for this vulnerability to the public.


Disclosure Timeline:

27. July 2005 - Vendor informed.
27. July 2005 - Vendor has released updated version.
28. July 2005 - Public disclosure.


Recommendation:

We strongly recommend installing the updated version, 0.5.1a,
which is available from the vendor's homepage, www.usebb.net.


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser / Hardened PHP Project. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFC6VkdRDkUzAqGSqERAk2WAJ4ug+jsaGUS422U8vF3OSV/DfrOMACg05Ja
7xlU/Xg9j4J3JIayMEGkBXQ=
=2IYe
-----END PGP SIGNATURE-----
© Hardened PHP Project