Message-ID: <3FC680E1.20563.5632F88@localhost>
Date: Thu, 27 Nov 2003 22:55:29 +0100
From: n.teusink@...net.nl
To: bugtraq@...urityfocus.com
Subject: phpBB 2.06 search.php SQL injection


Hello bugtraq readers,

A vulnerability exists in phpBB 2.06 that could allow an attacker to manipulate SQL 
queries and gain administrative control over the forum.
The search.php script of the application does not sufficiently sanitize the input of the 
"search_id" parameter. As a result, an attacker could manipulate the SQL 
query the script performs and potentially extract information such as password 
hashes from the database.

Impact
-----------

The impact depends on the database solution in use. When testing the bug with 
MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5 
password hash. Armed with this hash an attacker could modify his cookie accordingly 
and log in as administrator without having to decode the hash. The attacker would 
then have complete control over the board and could execute other SQL queries from 
the admin panel.

Patch
-----------

I notified the phpBB 2.06 developers and they have patched the script. phpBB 
users should download the latest 2.06 version from http://www.phpbb.com
A way to manually fix the issue can be found here: 
http://www.phpbb.com/phpBB/viewtopic.php?t=153818

A simple way to test if the bug is patched is:
http://your_site/phpBB2/search.php?search_id=1\
If patched, this should return the message "No topics or posts met your search 
criteria". If unpatched you will get an SQL error (or just a general error if DEBUG 
mode is off).
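To show why the trailing-backslash probe above produces an SQL error on MySQL, and what "sufficiently sanitizing" search_id amounts to, here is an added Python sketch. It is not phpBB's code: the query shape, the table name phpbb_search_results and the column search_array are constructed assumptions, and the lexer models only MySQL's single-quoted string literal rules.

```python
import re

# Assumed (not phpBB's actual source): a simplified lookup where the raw
# search_id request parameter lands inside a quoted SQL string literal.
def build_query_unsafe(search_id: str) -> str:
    """Vulnerable pattern: request parameter interpolated verbatim."""
    return ("SELECT search_array FROM phpbb_search_results "
            f"WHERE search_id = '{search_id}'")

def search_id_is_valid(search_id: str) -> bool:
    """search_id is a numeric identifier, so anything that is not a plain
    decimal integer is rejected before it gets near the query."""
    return re.fullmatch(r"[0-9]{1,10}", search_id) is not None

def build_query_safe(search_id: str) -> str:
    """Hardened pattern: validate first, then embed the integer value only."""
    if not search_id_is_valid(search_id):
        raise ValueError("search_id must be a decimal integer")
    return ("SELECT search_array FROM phpbb_search_results "
            f"WHERE search_id = {int(search_id)}")

def mysql_string_literal_terminated(sql: str) -> bool:
    """Scan the SQL the way MySQL lexes single-quoted literals: a backslash
    escapes the next character (including a quote) and '' is a literal quote.
    Returns False when a literal is opened but never closed, i.e. the server
    would raise a syntax error instead of running the query."""
    in_string = False
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if not in_string:
            in_string = (c == "'")
            i += 1
        elif c == "\\":
            i += 2            # escaped character, even if it is the closing quote
        elif c == "'" and i + 1 < n and sql[i + 1] == "'":
            i += 2            # doubled quote inside a literal
        elif c == "'":
            in_string = False
            i += 1
        else:
            i += 1
    return not in_string

if __name__ == "__main__":
    for probe in ("1", "1\\"):
        unsafe = build_query_unsafe(probe)
        print(repr(probe), "unsafe query parses:",
              mysql_string_literal_terminated(unsafe),
              "| passes validation:", search_id_is_valid(probe))
```

The `1\` probe leaves the unsafe query's string literal unterminated, which is the SQL error the advisory says an unpatched board shows; the validated builder never lets that input reach the database.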

Cheers,

Niels Teusink

www.teusink.net

