Message-ID: <20031229140837.22540.qmail@sf-www2-symnsj.securityfocus.com>
Date: 29 Dec 2003 14:08:37 -0000
From: Jay Gates <zarath@...ghtsofchaos.com>
To: bugtraq@...urityfocus.com
Subject: SQL Injection in phpBB's groupcp.php




BugTraq,

I have found an SQL injection vulnerability in phpBB. However, I don't think this is going to be a widespread problem as it will only work if you are the moderator of a group.

How the SQL injection works:

In groupscp, it uses an array set to delete members from certain groups. This array set is sent through a quick loop to put all the values into a variable separated by , s and then used in an IN check in the SQL query to delete the members that you've selected.
Code:
$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS['pending_members'] : $HTTP_POST_VARS['members'];

$sql_in = '';
for($i = 0; $i < count($members); $i++)
{
	$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
}

After this the $sql_in variable is not checked or changed at all, and this is where I found the SQL injection to be possible... There are two places this is used, first is through a check on if you're the moderator of a group, if you are it will run an if IN check on the array first:

$sql = "SELECT ug.user_id, ug.group_id 
	FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug 
	WHERE ug.user_id IN  ($sql_in) 
	AND aa.group_id = ug.group_id 
	AND aa.auth_mod = 1 
	GROUP BY ug.user_id, ug.group_id 
	ORDER BY ug.user_id, ug.group_id";

From this, it will pull a list of the users in the group and if they're moderators from being in the group... If they are, it will remove their securities.

Now the second one becomes more critical, this is after the check on if moderator:

$sql = "DELETE FROM " . USER_GROUP_TABLE . " 
	WHERE user_id IN ($sql_in) 
	AND group_id = $group_id";

Since this again uses an IN check on the unchecked $sql_in, you can easily replace it with something such as $sql_in = 1) or 1=1/*
That would cause every person in a group to be automatically deleted from it.

To fix this vulnerability, it's fairly simple. Open your groupcp.php file.
Find
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];

and replace it with
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);


I'm providing no proof of concept code because you can easily check if you're vulnerable by searching for the first line in your groupcp.php file.

Thanks,
  Zarath
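
Added example, not part of the original post and not phpBB code: the quoted loop and the intval() fix as two small functions, plus a stricter validating variant, each used to build the DELETE statement from the same input. The function names, the `user_group` table name, the group id and the sample array are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added illustration (PHP 7.1+). Function names, table name and sample
// values are constructed; only the loop body and intval() come from the post.

// The loop as quoted in the post: elements are concatenated unchanged.
function sql_in_unchecked(array $members): string
{
    $sql_in = '';
    for ($i = 0; $i < count($members); $i++) {
        $sql_in .= (($sql_in != '') ? ', ' : '') . $members[$i];
    }
    return $sql_in;
}

// The post's fix: each element is coerced to an integer before use.
function sql_in_intval(array $members): string
{
    $sql_in = '';
    for ($i = 0; $i < count($members); $i++) {
        $sql_in .= (($sql_in != '') ? ', ' : '') . intval($members[$i]);
    }
    return $sql_in;
}

// Stricter variant (an assumption, not from the post): refuse the request
// unless every element is a plain string of digits. Returns null when the
// caller should skip the query, which also avoids an empty "IN ()".
function sql_in_strict($members): ?string
{
    if (!is_array($members) || count($members) === 0) {
        return null;
    }
    $ids = [];
    foreach ($members as $m) {
        if (!is_string($m) || preg_match('/^[0-9]+$/D', $m) !== 1) {
            return null;
        }
        $ids[] = (int) $m;
    }
    return implode(', ', $ids);
}

$group_id = 5;                    // constructed
$posted = ['2', '1) or 1=1/*'];   // second element is the string given in the post
foreach (['sql_in_unchecked', 'sql_in_intval', 'sql_in_strict'] as $fn) {
    $sql_in = $fn($posted);
    echo $fn, ': ', $sql_in === null ? '(rejected, no query built)'
        : "DELETE FROM user_group WHERE user_id IN ($sql_in) AND group_id = $group_id", "\n";
}
```

With this input the unchecked builder lets the second element close the IN list early, intval() reduces that element to 1, and the strict variant declines to build a query at all.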

