March 04, 2012

New security bug in Chipmunk forum script

The Chipmunk forum script is still used by a few webmasters (including me), so I'm posting this new security vulnerability here and I request all the owners to patch it ASAP.

The problem lies in the SQL query that updates a user's current location on the forum.

Query:

UPDATE <prefix>_users SET userwhere = '$_SESSION[user] is viewing thread: $threadTitle' where username = '$_SESSION[user]'

The variable $threadTitle is sanitized before it is stored in the posts table, but when it is retrieved it comes back in its original, unescaped form. That retrieved value is then placed inside the query above without any escaping, which is easily exploitable.

Say the original thread title was "Happy new year": the stored one would be "Happy new year" and the retrieved one would be "Happy new year".

Now suppose a notorious user arrives and tries the following thread title: "',status='9',userwhere=userwhere--". The stored thread title is then "Hacked\',status=\'9\',userwhere=userwhere--". This is fine by itself, but when it is retrieved it regains its original form, i.e. "Hacked',status='9',userwhere=userwhere--". When this title is used in the query, the resulting query becomes

UPDATE <prefix>_users SET userwhere = '$_SESSION[user] is viewing thread:',status='9',userwhere=userwhere--' where username = '$_SESSION[user]'

After re-arranging:

UPDATE <prefix>_users SET userwhere = '$_SESSION[user] is viewing thread: '  ,status='9' , userwhere = userwhere--

When this query is executed, every user is upgraded to status 9, which is the owner's status in Chipmunk forum: the trailing -- turns the rest of the statement, including the WHERE clause, into a comment, so the UPDATE is no longer restricted to the current user. In the same way the user can craft other sets of assignments to do something else, and the attacker can extend this to inject content into posts or the forum itself.

How to fix it?

It's easy! Follow the golden rule: always sanitize a variable before placing it in a query, no matter whether it was sanitized earlier on its way into the database.

// If you use mysqli, escape the retrieved title right before building the UPDATE query
$threadTitle = $db->real_escape_string($threadTitle);
// Or, if you use the old mysql extension
$threadTitle = mysql_real_escape_string($threadTitle);

Then proceed with the query.
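As an added illustration (not Chipmunk's own code), the following Python script reproduces the escape-on-store / interpolate-on-read mistake described above against an in-memory SQLite database with a constructed users/posts schema, and shows the parameterized query that fixes it. SQLite escapes quotes by doubling them rather than with MySQL's backslash, and its -- comment rules differ slightly, but the mechanism is the same.

```python
import sqlite3

# Constructed stand-in for the two tables the post talks about (not Chipmunk's schema).
def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, status TEXT, userwhere TEXT);
        CREATE TABLE posts (title TEXT);
        INSERT INTO users VALUES ('alice', '1', ''), ('bob', '1', '');
    """)
    return db

# The thread title from the post, as the notorious user would type it.
PAYLOAD_TITLE = "Hacked',status='9',userwhere=userwhere--"

def escape(s):
    # SQLite escapes a quote inside a literal by doubling it (MySQL uses a backslash).
    return s.replace("'", "''")

def store_title(db, title):
    # Escaping protects only this INSERT: the parser consumes the escape
    # characters and the original string is what lands in the table.
    db.execute(f"INSERT INTO posts VALUES ('{escape(title)}')")
    return db.execute("SELECT title FROM posts").fetchone()[0]

def update_where_vulnerable(db, user, title):
    # The retrieved title is interpolated into a second query with no escaping,
    # exactly the mistake described in the post.
    db.execute(f"UPDATE users SET userwhere = '{user} is viewing thread: {title}' "
               f"where username = '{user}'")

def update_where_fixed(db, user, title):
    # Bound parameters keep the title as data; no quote inside it can alter the SQL.
    db.execute("UPDATE users SET userwhere = ? where username = ?",
               (f"{user} is viewing thread: {title}", user))

def statuses(db):
    return dict(db.execute("SELECT username, status FROM users"))

def demo(fixed):
    db = setup_db()
    title = store_title(db, PAYLOAD_TITLE)   # comes back identical to PAYLOAD_TITLE
    (update_where_fixed if fixed else update_where_vulnerable)(db, "alice", title)
    return statuses(db)

if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))  # every user now has status '9'
    print("fixed:     ", demo(fixed=True))   # statuses untouched
```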

PS: I have not properly explained how to hack this, as I don't want anyone to hack anything after reading this blog post.

Don't copy my findings and tutorials.
Don't hack someone's forum based on this knowledge.
Contact me if you have issues implementing the fix. Good luck and enjoy!

4 comments:

  1. As you mentioned above
    ',status='9',userwhere=userwhere--
    Is stored as :-
    Hacked\',status=\'9\',userwhere=userwhere--
    then how is it retrieved as :-
    ',status='9',userwhere=userwhere--
    as it is stored as :-
    Hacked\',status=\'9\',userwhere=userwhere--

    1. That's because it's only in the escaped form during storage. It actually gets stored in the original form and hence retrieved in original form.

      For example -> watch this query:

      insert into sometable values ('String','\'escaped\'');

      When this query is executed, the inserted row will look like this:

      ---------------------
      | String | 'escaped' |
      ---------------------

  2. Oh!!! Okay I got it... Thank you :)

  3. Please tell me some more code for Chipmunk forum. kkalbandhe@gmail.com
