Simple Machines Forum SQL Injection
Vendor: Lewis Media
Product: Simple Machines Forum
Version: <= 1.0.4
BID: 14043
OSVDB: 17458
SECUNIA: 15784
Simple Machines Forum, probably better known as SMF, is a very popular forum system developed by members of the YaBB SE development team. Simple Machines Forum versions prior to the recently released 1.0.5 are vulnerable to a very serious SQL Injection hole, as well as a more obscure, harder to exploit SQL Injection hole. Both vulnerabilities have been resolved and users should upgrade to the latest version of SMF immediately.

SQL Injection:
The first SQL Injection I will discuss is not very easily exploitable under default conditions, but I will talk about it anyway. Let's have a look at the vulnerable code in question, Search.php @ line 543:
elseif (!$use_cache || $numResults <= $modSettings['search_results_per_page'])
$sort = array();
$request = db_query("
	SELECT
		t.ID_TOPIC, COUNT(m.ID_MSG) AS numMsg, MAX(m.ID_MSG) AS lastMatch, 
		MIN(m.ID_MSG) AS firstMatch,
		COUNT(m.ID_MSG) AS num_matches
	FROM {$db_prefix}topics AS t
		LEFT JOIN {$db_prefix}messages AS m ON (m.ID_TOPIC = t.ID_TOPIC AND 
		$searchQuery)" . (empty($userQuery) ? '
	WHERE t.ID_TOPIC IN (' . implode(', ', array_keys($matchingTopics)) . ')' : "
	WHERE $userQuery
		AND t.ID_TOPIC IN (" . implode(', ', array_keys($matchingTopics)) . ")") . "
	LIMIT $_REQUEST[start], $modSettings[search_results_per_page]",
	 __FILE__, __LINE__);
$tmp = array();
while ($row = mysql_fetch_assoc($request))

$_REQUEST[start] clearly comes after the LIMIT keyword, but because the query doesn't use ORDER BY we can still use UNION functionality!

The other SQL Injection issue is far more serious and will allow an attacker to easily retrieve arbitrary data from the database. It is in the function getTopic():
// If you're modifying, get only those posts before the current one.
$request = db_query("
SELECT IFNULL(mem.realName, m.posterName) AS posterName, m.posterTime, m.body, 
m.smileysEnabled, m.ID_MSG
FROM {$db_prefix}messages AS m
    LEFT JOIN {$db_prefix}members AS mem ON (mem.ID_MEMBER = m.ID_MEMBER)
WHERE m.ID_TOPIC = $topic" . (isset($_REQUEST['msg']) ? "
    AND m.ID_MSG < $_REQUEST[msg]" : '') . "
ORDER BY m.ID_MSG DESC" . ($modSettings['topicSummaryPosts'] >= 0 ? '
LIMIT ' . (int) $modSettings['topicSummaryPosts'] : ''), __FILE__, __LINE__); 

As we can see, $_REQUEST[msg] is never sanitized and is placed right in the middle of a SELECT, making it highly exploitable.


The above example would dump every username and password in the database into the comments area when editing a post. This vuln is very dangerous!
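
One way to close both holes on the defensive side, as an added example that is neither SMF's own code nor the vendor's patch: validate `start` and `msg` as non-negative integers, and fail closed, before either value reaches the query text. The helper names (`request_int`, `msg_clause`, `limit_clause`), the page size of 20 and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not SMF source): fail-closed integer validation for the two
// request parameters the advisory shows being interpolated into SQL.

// Hypothetical helper. Returns null when the key is absent, an int >= 0 when
// the value is a plain decimal integer, and throws on anything else.
function request_int(array $req, string $key): ?int
{
    if (!isset($req[$key])) {
        return null;
    }
    $v = is_string($req[$key])
        ? filter_var($req[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]])
        : false;                       // arrays (msg[]=...) are rejected too
    if ($v === false) {
        throw new InvalidArgumentException("$key must be a non-negative integer");
    }
    return $v;
}

// Dynamic tail of the getTopic() query: the ID_MSG bound is an int by type.
function msg_clause(?int $msg): string
{
    return $msg === null ? '' : "\n    AND m.ID_MSG < $msg";
}

// Dynamic tail of the Search.php query: offset and page size are ints by type.
function limit_clause(?int $start, int $perPage): string
{
    return "\nLIMIT " . ($start ?? 0) . ", $perPage";
}

// Constructed inputs: a well-formed request, then one with SQL after the number.
$samples = [
    ['msg' => '42', 'start' => '15'],
    ['msg' => '42 OR 1=1', 'start' => '15'],
];
foreach ($samples as $req) {
    try {
        echo 'accepted:', msg_clause(request_int($req, 'msg')),
             limit_clause(request_int($req, 'start'), 20), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```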

The SMF guys were very prompt in both their response and their release of a patched version. All users should upgrade now!

James Bercegay of the GulfTech Security Research Team