Message-ID: <opr4u636izsmddlu@localhost>
From: pokleyzz at scan-associates.net (pokley)
Subject: [SCAN Associates Sdn Bhd Security Advisory] phpBB 2.0.6 and below sql injection

Products: phpBB 2.0.6 and below (http://www.phpbb.com)
Found date: 4 January 2004
Publish date: 15 March 2004
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
              shaharil_at_scan-associates.net
              munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: phpBB 2.0.6 and below SQL injection.

Description
===========

phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. (from phpbb.com)

Details
=======

We have found SQL injection vulnerabilities in phpBB which are exploitable when register_globals is set to "On" in the PHP configuration.

SQL Injection in search.php
---------------------------

There is an SQL injection in the $search_results variable when performing a search in phpBB: on line 711, when $show_results is not set to 'posts' or 'topics', the variable is placed directly into the query.

    $sql = "SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id,
                   u2.username as user2, u2.user_id as id2, p.post_username,
                   p2.post_username AS post_username2, p2.post_time
            FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u, "
                   . POSTS_TABLE . " p, " . POSTS_TABLE . " p2, " . USERS_TABLE . " u2
            WHERE t.topic_id IN ($search_results)
                   AND t.topic_poster = u.user_id
                   AND f.forum_id = t.forum_id
                   AND p.post_id = t.topic_first_post_id
                   AND p2.post_id = t.topic_last_post_id
                   AND u2.user_id = p2.poster_id";

One of the tables selected in this SELECT query is the users table. This can be used to determine the admin password hash by guessing whether a chosen condition is true or false, using the search result as the indicator (MySQL 3). With the autologin feature in phpBB, an attacker holding the hash can generate cookies to log in to phpBB without needing to crack the password.

Quick Solution
--------------

Turn off register_globals in php.ini.

Proof of concept
----------------

http://www.scan-associates.net/papers/gemuruh-v2.php.txt

Vendor Response
===============

5 February 2004: security@...bb.com was contacted but no response was given.

- Happy Birthday faradingdong :-)-
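The following is an added illustration, not code from the advisory or from phpBB's source: it contrasts the unsafe interpolation pattern described above with a hardened form that accepts only a comma-separated list of integer topic IDs before building the IN (...) clause. The table name and function names are assumed.

```php
<?php
// Added illustration, not phpBB's own code: the unsafe interpolation pattern
// the advisory describes in search.php, beside a hardened variant.
// With register_globals=On, $search_results may arrive straight from the
// request rather than from the earlier search query, so its content must be
// validated before it is placed inside the IN (...) clause.

// Unsafe: the value is spliced into the SQL text verbatim.
function build_topic_query_unsafe($search_results)
{
    // Table name assumed; the real query joins several more tables.
    return "SELECT t.* FROM phpbb_topics t WHERE t.topic_id IN ($search_results)";
}

// Hardened: accept only a comma-separated list of decimal integers and
// rebuild the list from the parsed values, so no raw request text reaches SQL.
function sanitize_id_list($search_results)
{
    $ids = array();
    foreach (explode(',', (string) $search_results) as $part) {
        $part = trim($part);
        if (!preg_match('/^[0-9]+$/', $part)) {
            return null;                 // reject anything that is not a bare number
        }
        $ids[] = (int) $part;
    }
    return implode(',', $ids);
}

function build_topic_query_safe($search_results)
{
    $list = sanitize_id_list($search_results);
    if ($list === null) {
        return null;                     // caller should refuse the request
    }
    return "SELECT t.* FROM phpbb_topics t WHERE t.topic_id IN ($list)";
}

// Constructed sample inputs: a legitimate ID list and a tampered one.
$legit    = '12,34,56';
$tampered = '12) OR (1=1';

echo build_topic_query_unsafe($tampered), "\n";  // tampered text ends up inside the SQL
var_dump(build_topic_query_safe($tampered));     // rejected: null is returned
echo build_topic_query_safe($legit), "\n";       // only the rebuilt integer list is used
```

Turning register_globals off removes the request-supplied path into $search_results entirely; the validation above is the defence that remains useful even when the variable is populated by the application itself.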