########################################################## # GulfTech Security Research June 6th, 2005 ########################################################## # Vendor : InteractivePHP, Inc # URL : http://www.fusionbb.com/ # Version : Version .11 Beta And Earlier # Risk : Multiple Vulnerabilities ########################################################## Description: FusionBB is a popular online message board written in php and developed by InteractivePHP, INC. There are several vulnerabilities in FusionBB such as SQL Injection and Arbitrary Local File Inclusion. These issues could allow for an attacker to execute arbitrary scripts residing on the web server, retrieve sensitive data from the underlying database, or bypass the FusionBB authentication mechanisms. Local File Inclusion: Certain values retrieved from cookie data are not properly sanitized. One of these unsanitized variables is language. This variable is used to include local language files, so an attacker could change the value to contain directory traversal sequences, and append the data with a null byte (e.g. ../../etc/passwd%00) which could allow for arbitrary local files to be accessed. Additionally an attacker could exploit this issue to execute arbitrary scripts residing on the web server. SQL Injection: There are a couple of SQL Injection issues present in FusionBB, and one in particular is very dangerous. The first issue comes when registering an account with the FusionBB software, and will allow an attacker to influence an insert statement in the insertUser() function. This is due to the inputted username not being properly sanitized. Unfortunately the other SQL Injection issue is much more dangerous and allows an attacker to not only retrieve arbitrary data from the database such as password information, but the vulnerability will also allow for an attacker to easily bypass FusionBB authentication as well as access arbitrary user accounts. The vulnerability presents itself when an attacker enters an arbitrary statement in their cookie's session id variable. Cookie: bb_session_id=' or user_id = '1; bb_uid=1; For example, the above cookie information sent in an HTTP GET Header would log us in to the user account with an id of 1. Solution: This issues has been fixed and updated in the latest release of the FusionBB software. The official changelog can be viewed here. http://www.interactivephp.com/misc/CHANGELOG.html All users should upgrade their installations as soon as possible. A special thanks to Joshua Pettit for responding to, and resolving the issues reported here so quickly. Related Info: The original advisory can be found at the following location http://www.gulftech.org/?node=research&article_id=00081-06132005 Credits: James Bercegay of the GulfTech Security Research Team