An authentication vulnerability was reported in the WoltLab Burning Board web forum software. A remote user may be able to hijack a newly registered user account.
It is reported that WoltLab Burning Board (wBB) uses predictable or guessable temporary passwords when it creates a new user account. If another user has requested a new account but has not yet activated the registration, the user’s account may be hijacked.
To determine how many users exist on the forum, a remote user can register for a new account. The remote user will receive a confirmation e-mail that contains the following type of URL to activate the account:
http://forum.dom/forum/action.php?action=activation&userid=345&code=1563109322
In the above example, any subsequent user will be assigned a userid of 346 or higher. So, a remote user can attempt to guess the ‘code’ for any subsequent user. According to the report, the wBB software uses the date to seed a function that will generate only a limited number of codes (possibly 30 integer words). So, a remote user can feasibly conduct a brute force guessing attack to guess the proper code for a newly assigned user account.
A demonstration exploit that will apparently generate all of the possible codes is provided:
<?php
// Demonstration code from the report: because the forum seeds mt_rand() with a small
// date-derived integer, enumerating the seeds enumerates every possible activation code.
for ($i = 0; $i < 60; $i++) {
    mt_srand($i);            // seed with a small integer, as the forum reportedly does
    echo mt_rand() . "<BR>"; // the first output after seeding is the candidate code
}
Solution:
No solution was available at the time of this entry.
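No fix is recorded above, but the class of fix is clear from the report: an activation code must come from a cryptographically secure source rather than from mt_rand() seeded with a small, date-derived integer. The following PHP is an added example written for this entry, not WoltLab's code; every function and variable name in it is this example's own assumption. It shows the weak pattern and the hardened pattern side by side, and quantifies why the weak one is guessable.

```php
<?php
// Added example (not WoltLab's code): weak versus hardened activation-code generation.

// Weak pattern from the advisory: the code is the first mt_rand() output after seeding
// with a small integer. This lists every distinct value seeds 0..$seedRange-1 can produce,
// which is the entire search space an attacker has to cover.
function weakCodeSpace(int $seedRange): array
{
    $codes = [];
    for ($seed = 0; $seed < $seedRange; $seed++) {
        mt_srand($seed);
        $codes[] = mt_rand();
    }
    return array_values(array_unique($codes));
}

// Hardened pattern: draw the code from the OS CSPRNG. 16 bytes is 128 bits of
// unpredictability, so neither seed enumeration nor knowing the date narrows the search.
function secureActivationCode(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters, safe to place in a URL
}

// Store only a hash of the code, so a database read does not hand out live codes.
function activationRecord(string $code): string
{
    return hash('sha256', $code);
}

// Compare in constant time so response timing does not reveal how much of a guess matched.
function activationMatches(string $storedHash, string $presentedCode): bool
{
    return hash_equals($storedHash, hash('sha256', $presentedCode));
}

// Quantify the difference: 60 seeds yield at most 60 codes, i.e. at most 60 requests per
// userid for an attacker, whereas the hardened generator has 2^128 possible values.
$weak = weakCodeSpace(60);
printf("weak generator: %d distinct codes for 60 seeds\n", count($weak));
printf("secure generator: 2^128 possible codes, e.g. %s\n", secureActivationCode());

// Round trip through the hardened path: issue a code, store its hash, check a presentation.
$code   = secureActivationCode();
$stored = activationRecord($code);
var_dump(activationMatches($stored, $code));
var_dump(activationMatches($stored, str_repeat('0', 32)));
```

Two design points follow from the report. First, the secure code is bound to the userid in the stored record and is never derived from it, so knowing that the next userid is 346 tells an attacker nothing about its code. Second, even a 128-bit code should sit behind a per-userid attempt limit on the activation endpoint, since the report's attack is a brute-force loop and a counter of failed activations per account is also the cheapest detection signal for it.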