| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3FC67DDE.8190.5576AC6@localhost> From: n.teusink at planet.nl (n.teusink@...net.nl) Subject: phpBB 2.06 search.php SQL injection Hello full-disclosure readers, A vulnerability exists in phpBB 2.06 that could allow an attacker to manipulate SQL queries and gain administrative control over the forum. The search.php script of the application does not sufficiently sanitize the input of the "search_id" parameter. As a result of this an attacker could manipulate the SQL query the script performs and potentially extract information such as password hashes from the database. Impact ----------- The impact depends on the database solution in use. When testing the bug with MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5 password hash. Armed with this hash an attacker could modify his cookie accordingly and log in as administrator without having to decode the hash. The attacker would then have complete control over the board and could execute other SQL queries from the admin panel. Patch ----------- I notified the the phpBB 2.06 developers and they have patched the script. phpBB users should download the latest 2.06 version from http://www.phpbb.com A way to manually fix the issue can be found here: http://www.phpbb.com/phpBB/viewtopic.php?t=153818 Cheers, Niels Teusink www.teusink.net
Powered by blists - more mailing lists