| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Mar 2004 02:32:20 +0800 From: pokley <pokleyzz@...n-associates.net> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com> Cc: "tech@...n-associates.net" <tech@...n-associates.net> Subject: [SCAN Associates Sdn Bhd Security Advisory] phpBB 2.0.6 and below sql injection Products: phpBB 2.0.6 and below (http://www.phpbb.com) Found date: 4 January 2004 Publish date: 15 March 2004 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: phpBB 2.0.6 and below sql injection. Description =========== phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.(from phpbb.com) Details ======= We have found sql injection vulnerabilities in phpBB which is exploitable when register_global is set to "On" in php configuration. SQL Injection in search.php --------------------------- There is SQL injection in $search_results variable when performing search in phpBB on line 711 when $show_results variable not set to 'posts' or 'topics'. $sql = "SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id, u2.username as user2, u2.user_id as id2, p.post_username, p2.post_username AS post_username2, p2.post_time FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u, " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2, " . USERS_TABLE . " u2 WHERE t.topic_id IN ($search_results) AND t.topic_poster = u.user_id AND f.forum_id = t.forum_id AND p.post_id = t.topic_first_post_id AND p2.post_id = t.topic_last_post_id AND u2.user_id = p2.poster_id"; One of the table which is selected in this "SELECT" query is users table. This can be use to determine admin hash by guesting whether certain query is true or false with search result for MySQL 3. With autologin feature in phpbb attacker can generate cookies to login to phpBB without need to crack the password. Quick Solution -------------- Turn Off register_global in php.ini. Proof of concept ---------------- [http://www.scan-associates.net/papers/gemuruh-v2.php.txt] Vendor Response =============== 5 February 2004 : security@...bb.com have been contacted but no response given. - Happy Birthday faradingdong :-)- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists