Open Source and information security mailing list archives
Date: Tue, 15 Nov 2005 08:42:03 +0100 (CET)
From: Ron van Daal <ronvdaal@....nl>
To: max@...tsuper.pl
Cc: bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.18 SQL Query problem



This isn't a security problem. Why post it to Bugtraq?
Did you report this to the phpBB bug tracker?

--
Ron

On Fri, 11 Nov 2005 max@...tsuper.pl wrote:

>
> [phpBB 2.0.18 SQL Query problem cXIb8O3.19]
>
> Author: Maksymilian Arciemowicz (cXIb8O3)
> Date: 11.11.2005
> from securityreason.com TEAM
>
> - --- 0.Description ---
> phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
> Contact with author http://www.phpbb.com/about.php.
>
> - --- 1. * SQL query problem ---
> phpBB2 doesn't check the size of the SQL query, so we can send any data in all POST variables.
> Standard Environment:
>
> post_max_size=8M (standard)
> max_allowed_packet < 7M (1M standard in mysql)
>
> Example Environment:
> memory_limit>8MB
> max_execution_time=30
> max_allowed_packet=1M
>
> I have written a simple request where one POST variable passed to the SQL query was 1M.
>
> - ---request---
> POST /2018/phpBB2/search.php HTTP/1.1
> Host: localhost
> Content-Type: application/x-www-form-urlencoded
> Content-Length: strlen(x)
>
> mode=results&search_keywords=SecurityReasonComSecurityRea...xMB>max_allowed_packet.(example.1MB.data)...sonCom
> - ---/request---
>
> so in output:
>
> - ---output1---
> Could not obtain matched posts list
> DEBUG MODE
> SQL Error : 1153 Got a packet bigger than 'max_allowed_packet'
> SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE w.word_text LIKE 'securityreasoncomsecurityreasoncom...' AND m.word_id = w.word_id AND w.word_common <> 1 AND m.title_match = 0
> Line : 321
> File : search.php
> - ---/output1---
>
> SQL error.
>
> or when you have:
> memory_limit=8MB
> or
> max_execution_time<30
> display_error=1
>
> You can see output like this:
>
> - ---output2---
> Fatal error: Maximum execution time of 15 seconds exceeded in /www/2018/phpBB2/includes/functions_search.php on line 72
> - ---/output2---
>
> - ---output3---
> Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27
> - ---/output3---
>
>
> Exploit:
> http://securityreason.com/achievement_exploitalert/4
> (simple errors)
>
> - --- 2. Greets ---
> sp3x
>
> - --- 3.Contact ---
> Author: Maksymilian Arciemowicz < cXIb8O3 >
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
> GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
> securityreason.com TEAM
>


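The quoted report shows what happens when an unbounded `search_keywords` value is concatenated into the query: MySQL error 1153, a `memory_limit` fatal, or a `max_execution_time` fatal, each echoing internal paths or the SQL text when debug output is on. The snippet below is an added example, not phpBB code, of the defensive shape a search handler should have: cap the input before any SQL is built, bind words as parameters, and log rather than display the failure. The limit constants and the `search_post_ids` helper are assumptions for illustration.

```php
<?php
// Added example, not phpBB code. Bound the search input before it reaches
// MySQL so an oversized POST cannot trigger error 1153, a memory_limit fatal,
// or a max_execution_time fatal, and never echo the failing SQL to the client.

// Assumed limits: keep them well below max_allowed_packet and memory_limit.
const MAX_SEARCH_INPUT_BYTES = 1024;  // raw length of the search_keywords field
const MAX_KEYWORD_BYTES      = 64;    // length of one search word
const MAX_KEYWORDS           = 10;    // number of words used in the query

// Validate and split the raw search_keywords value.
// Returns lowercase words, or null if the input must be rejected.
function bounded_search_keywords(string $raw): ?array
{
    if (strlen($raw) > MAX_SEARCH_INPUT_BYTES) {
        return null;                  // reject before any SQL is built
    }
    $words = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    if ($words === false || count($words) === 0 || count($words) > MAX_KEYWORDS) {
        return null;
    }
    foreach ($words as $w) {
        if (strlen($w) > MAX_KEYWORD_BYTES) {
            return null;
        }
    }
    return array_map('strtolower', $words);
}

// Hypothetical helper: run the word-list lookup with a prepared statement.
// Words are bound as parameters (no concatenation into the query); on failure
// the statement text and error stay in the server log, not in the response.
function search_post_ids(mysqli $db, array $words): array
{
    $placeholders = implode(',', array_fill(0, count($words), '?'));
    $sql = "SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m"
         . " WHERE w.word_text IN ($placeholders) AND m.word_id = w.word_id"
         . " AND w.word_common <> 1 AND m.title_match = 0";
    $stmt = $db->prepare($sql);
    if ($stmt === false
        || !$stmt->bind_param(str_repeat('s', count($words)), ...$words)
        || !$stmt->execute()) {
        error_log('search failed: ' . $db->error);   // server-side only
        throw new RuntimeException('Search is temporarily unavailable.');
    }
    return array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'post_id');
}

$words = bounded_search_keywords($_POST['search_keywords'] ?? '');
if ($words === null) {
    http_response_code(400);
    exit('Search terms are missing or too long.');
}
```

Pair the input cap with `display_errors=Off` in production so a fatal that does slip through reports nothing beyond a generic error page.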