Vanilla Forums 2.0.18 / SQL-Injection / Insert arbitrary user & dump usertable

Share on Facebook6Share on Google+1Email this to someoneShare on TumblrTweet about this on Twitter0Share on LinkedIn0Pin on Pinterest0

Product Name:

Vanilla Forums

Vulnerable Version:

Up to vanilla-core-2-0-18-4

Tested on:

Windows Server 2003
Apache 2.4.3
PHP 5.4.7
MySQL 5.5.27

Vulnerability Overview:

SQL-Injection is possible, because$_POST arrays are not proper sanitized.
You do not need to be authenticated.

 Vulnerability Details:

To insert an arbitrary user, a sample HTTP-Post Request looks as follows:

Indeed you has to take care of the proper encryption algorithm which is currently used.

As it is not possible to get the user table displayed on the website, you could establish an attack as follows:

Update Link:


This vulnerability was discovered by Michael Schratt
Mail: mail @ mfs-enterprise . com
Twitter: @bl4ckw0rm


Mar 28, 2013 – Discovered vulnerability
Mar 28, 2013 – Contacted vanilla forums and asked for security contact
Mar 28, 2013 – Vanilla Forums responded
Mar 28, 2013 – Transfered vulnerability details
Apr 02, 2013 – Requested update
Apr 04, 2013 – Requested update
Apr 05, 2013 – Patch released
Apr 05, 2013 – Public advisory released

Posted in // Programming, // Web Security and tagged , , , , , , , .

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

Current ye@r *