Are you looking to have your application properly secured by an experienced professional? Contact us today for a free private consultation. We specialize in web application security, mobile security, and also offer general consultation services. Click here for more information regarding all of our security services.
FusionBB Multiple Vulnerabilities
Vendor: InteractivePHP, Inc
Product: FusionBB
Version: <= 0.10 Beta
Website: http://www.fusionbb.com/
BID: 13939
CVE: CVE-2005-1971 CVE-2005-1972
OSVDB: 17432 17433
PACKETSTORM: 38166
Description:
FusionBB is a popular online message board written in php and developed by InteractivePHP, INC. There are several vulnerabilities in FusionBB such as SQL Injection and Arbitrary Local File Inclusion. These issues could allow for an attacker to execute arbitrary scripts residing on the web server, retrieve sensitive data from the underlying database, or bypass the FusionBB authentication mechanisms.


Local File Inclusion:
Certain values retrieved from cookie data are not properly sanitized. One of these unsanitized variables is language. This variable is used to include local language files, so an attacker could change the value to contain directory traversal sequences, and append the data with a null byte (e.g. ../../etc/passwd%00) which could allow for arbitrary local files to be accessed. Additionally an attacker could exploit this issue to execute arbitrary scripts residing on the web server.


SQL Injection:
There are a couple of SQL Injection issues present in FusionBB, and one in particular is very dangerous. The first issue comes when registering an account with the FusionBB software, and will allow an attacker to influence an insert statement in the insertUser() function. This is due to the inputted username not being properly sanitized. Unfortunately the other SQL Injection issue is much more dangerous and allows an attacker to not only retrieve arbitrary data from the database such as password information, but the vulnerability will also allow for an attacker to easily bypass FusionBB authentication as well as access arbitrary user accounts. The vulnerability presents itself when an attacker enters an arbitrary statement in their cookie's session id variable.

Cookie: bb_session_id=' or user_id = '1; bb_uid=1;

For example, the above cookie information sent in an HTTP GET Header would log us in to the user account with an id of 1.


Solution:
This issues has been fixed and updated in the latest release of the FusionBB software. The official changelog can be viewed here.

http://www.interactivephp.com/misc/CHANGELOG.html

All users should upgrade their installations as soon as possible. A special thanks to Joshua Pettit for responding to, and resolving the issues reported here so quickly.


Credits:
James Bercegay of the GulfTech Security Research Team