[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SQL Injection vulnerabilities in Subdreamer CMS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQL Injection vulnerabilities in Subdreamer CMS
From: itweb@xxxxxxxx
Date: 20 Aug 2009 16:19:28 -0000

Background information:


This report applies to Subdreamer newest stable release, 2.5.3.2 hotfix#5.

Subdreamer is a content management system, which is written in PHP and uses 
MySQL as its database backend. Subdreamer's home page is 
http://www.subdreamer.com

Subdreamer can be integrated with different forum software, so that login 
authentication & authorization information can be used in the CMS too.

Vulnerability description:


There are vulnerabilities in two integration modules in Subdreamer. Both 
Invision Power Board 2 and phpBB3 integration modules have this vulnerability.

Both bulletin board systems store browser user-agent string in the sessions 
table used to track currently logged in users.

The user-agent string is passed as-is from HTTP headers without any validation 
/ escaping. This opens up a possibility for SQL Injection attacks.


Possible exploits:

I haven't found a way to directly exploit this vulnerability to access the 
database.

However, an indirect DoS attack is possible.

The default setting for "Send Database Errors by Email" is "On" in Subdreamer. 
This means that every time an error occurs in SQL processing, an E-Mail is sent 
to the website administrator.

Now, inserting ' in the User-agent string causes an SQL error, and therefore 
causes an error message to be sent to the administrator. This means that the 
administrator E-Mail can be flooded with error messages via this vulnerability.

How to fix:

PHPBB3:

On line 701 of includes/usersystems/phpbb3.php, the original code looks like 
this:

      $session['session_ip'], $session['session_browser'], 
$session['session_page'], $session['session_viewonline'],

The code should be replaced with:

      $session['session_ip'], $DB->escape_string($session['session_browser']), 
$session['session_page'], $session['session_viewonline'],

IPB2:

On line 215 in includes/usersystems/ipb2.php, the original line looks like this:

      $DB->escape_string($session['ip_address']), $session['browser'],

This has to be replaced by:

      $DB->escape_string($session['ip_address']), 
$DB->escape_string($session['browser']),


Vendor reaction:

A notification about IPB2 vulnerability was sent to vendor on 2008-12-15, and 
they confirmed that they had received the report on 2008-12-16. The bug hasn't 
been fixed in the current version.

A notification about phpBB3 vulnerability was sent to vendor a few months ago. 
There was no reaction to the report. The bug still exists in the current 
released version.


Tero Kilkanen

Prev by Date: t2?09 Challenge - Free Tickets Available
Next by Date: [ MDVSA-2009:208 ] libgadu
Previous by thread: t2?09 Challenge - Free Tickets Available
Next by thread: Re: SQL Injection vulnerabilities in Subdreamer CMS
Index(es):
- Date
- Thread