lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 28 Nov 2003 23:25:50 +0100
From: n.teusink@...net.nl
To: bugtraq@...urityfocus.com
Subject: Re: phpBB 2.06 search.php SQL injection


An exploit has been released by bugtraq by some other group, the issue is 
unfortunately not minor... As the exploit shows, the trick is to mimic a search_array.
I was planning on releasing more technical details later, when everybody had a 
chance to patch his/her forum.

About my test URL, you are absolutely right, the test url does not work. This is 
because in my original mail, the test url was:
http://your_site/phpBB2/search.php?search_id=1[backslash]
somewhere along the way, that backslash ended up just escaping the newline 
character. My sincere apologies for the problems this may have caused.

Niels



zarath AT knightsofchaos DOT com wrote:

Greetings BugTraq,

I have tested this vulnerability fairly extensively since it was announced on 
phpBB.com.
Even though the version I'm using clearly has the vulnerable code it in,
it does not seem to work as easily as this is being made out. My server is running
PHP 4.3.4, and MySQL 4.0.15. The way I tested (which you didn't provide any proof
of concept code) was through a UNION command -> 
http://yourdomain/yourforums/search.php?search_id=1
UNION select `user_password` from `phpbb_users` where user_id=1/*


However, due to the fact that it uses an array function to pull all the relative 
information
and the hash returns a single value without the seperators, it won't
acknowledge that a result was returned.

If you try -> http://yourdomain/yourforums/search.php?search_id=1 or 1=1 UNION 
select
`user_password` from `phpbb_users` where user_id=1/*
It will return all search results, but since it will only handle the first returned
column and doesn't loop over them, it still won't display the password hash.

>From what I've tried so far, this doesn't really seem to be a critical vulnerability
-- just an SQL injection that would allow you to get maybe the prefix of the
forum tables or other insignifcant information.

The SQL injection still exists if that URL you specified 
"http://your_site/phpBB2/search.php?search_id=1"
returns "No topics or posts met your search criteria", also.
A better way to test would be to mess with the query. Something like -> 
http://your_site/phpBB2/search.php?search_id=1
or blah=blah if that returns a debugging
error, that means your boards are vulnerable.

Zarath

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ