SecurityReason - DeluxeBB mutiple vulnerabilities

Advisory Text :

======================================================================

Advisory : DeluxeBB mutiple vulnerabilities
Release Date : July 18th, 2006
Application : DeluxeBB
Version : Deluxe 1.07 and previous versions
Platform : PHP
Vendor URL : http://www.deluxebb.com/
Authors : Jessica Hope (jessicasaulhope (at) googlemail (dot) com [email
concealed])
: Th3 M0ths (th3.m0ths (at) gmail (dot) com [email concealed])

=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to
construct XSS attacks, SQL injection, authentication bypass, bypassing
of default security checks, user spoofing, cookie poisoning and
pollution of the global namespace.

=======================================================================

Discussion

Authentication bypass:

It is possible for an attacker to become any user he or she wishes by
creating a set of fake cookies. Consider the admin with memberid of 1
and the name 'admin'. Here is the relevant settings required to become
this user:

membercookie: admin
memberid: 1
memberpw: ' or '' = '

The exploit works because the SQL query done looks something like this:
SELECT * FROM deluxebb_users WHERE (uid='1' && username='admin' &&
pass='' or '' = '')

There are limits imposed on the memberpw, it must be shorter than 33
characters.
However, memberpw should only contain the MD5 sum of your password
(something that should actually be changed, but that is a different section
of
this report).

User spoofing:

It is possible to post as any other user without having to totally
become that user. The method
is nearly the same as above, except you do not need to alter the
password cookie. You will remain
logged in as the user you originally logged in as.

Consider the user 'test' with the memberid of 4. Here is the relevant
settings required to spoof this user:

memberid: 4
membercookie: ' or '' = '

All other cookies should be left alone.

You do not need to be logged in to launch this attack, you just need
to create the above cookies,
and provide anything for the memberpw cookie (even a - will suffice).

In addition to altering the cookies, if you were to register as a user
with just a single space as
the username, you would have the credentials, without the memberpw
cookie being set. You are
now able to post as a guest user, while still having the other
cookies. In addition to this, it is not
possible to ban by username; the user cannot be found in the admin cp.

Cookie poisioning:

If you set you cookies to the following, after logging in:

membercookie: ' or '' = '

Leaving the rest alone, you are able to change everyone's settings.
This can be done by then
going to the Member CP and changing anything. The result of this means
that you are able to
change everyone's e-mail, signature, location, website, other
settings, and worst of all, you are
able to change everyone's password.

XSS in membercookie cookie:

Setting the membercookie cookie to be any XSS causes the display forum
and display topic to
show the XSS as DeluxeBB trusts the membercookie over the memberid
which gets passed
through an intval() in $memberid = @intval($memberid);.

The membercookie looks like this:

membercookie: <script>alert(document.cookie)</script>

You do have to have a valid memberpw and memberid cookie.

URL Redirection on login:

In the redirect variable, it is possible to phish a user when they
attempt to login.

http://www.example.com/deluxebb/misc.php?sub=login&redirect=http://www.b
adsite.com/

Bypass SQL Injection Protection:

There is basic SQL Injection protection on certain variables such as
login. However, it
is programmed to be case sensitive, so bypassing the sensitivity can lead
to
SQL Injection.

The protection is an strstr (case-sensitive) on UNION SELECT. Using
union select instead
in the protected variables is a simple bypass.

SQL Injection:

Due to the way the cookies are used, most of the above attacks
(authentication bypass, user spoofing, cookie poisoning) allow a basic
set of SQL injection.

More advanced SQL injection could be possible due to the way the
cookies are handled. I will
leave this as an exercise to the reader in order to come up with some
possible SQL.

Pollution of the global namespace:

Due to the following lines, it is possible to use cookies in an
attempt to overwrite data
in the $_GET, $_POST, $_SERVER and $_ENV arrays:

$list = array('_GET', '_POST', '_ENV', '_SERVER', '_COOKIE', '_FILES');
foreach($list as $element) {
if(!empty($$element) && is_array($$element) ) {
extract($$element);
}
}

This can allow someone to set a COOKIE variable to overwrite the
previous variables, allowing
SQL injection and XSS.

=======================================================================

Solution

Anyone using DeluxeBB is advised to update to the latest version,
which at time of writing this is now v1.08

=======================================================================

History:

18th July 2006: Full disclosure

15th July 2006: Vendor released patched version

09th July 2006: Vendor test patch

03rd July 2006: Vendor response

02nd July 2006: Vendor notified

=======================================================================

Credit

This issue is to be credited to Jessica Hope ( jessicasaulhope (at)
googlemail (dot) com [email concealed] )
and Th3 M0ths (th3.m0ths (at) gmail (dot) com [email concealed])