lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: come2waraxe at yahoo.com (Janek Vind)
Subject: [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]


{================================================================================}
{                              [waraxe-2004-SA#019]   
                          }
{================================================================================}
{                                                     
                          }
{                 [ Critical sql injection bug in
Phorum 3.4.7 ]                 }
{                                                     
                          }
{================================================================================}
                                                      
                                                      
                  
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum is a web based message board written in PHP.
Phorum is designed with 
high-availability and visitor ease of use in mind.
Features such as mailing
list integration, easy customization and simple
installation make Phorum 
a powerful add-in to any website.


Homepage: http://www.phorum.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  One thing is sure - Phorum 3.4.7 code is written
professionally and traditional
security bugs here are very hard to find. But anyway,
there exists potential sql injection
case in Phorum code, which can lead to disclosure of
the sensitive data from the database.
  Let's look at original code from the
include/userlogin.php :


// checks the session for the currently logged in user
  function phorum_check_session($admin_session='')
  {
      global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS,
$phorum_uriauth;
	 
      $phorum_uriauth=urldecode($phorum_uriauth);
	  
      if(!empty($admin_session)) {
        list($user, $pass)=explode(":",
$admin_session);

        if(!get_magic_quotes_gpc())
$user=addslashes($user);
      }
elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth']))
{
        // part for cookieauth
      	list($user, $pass)=explode(":",
$HTTP_COOKIE_VARS['phorum_cookieauth']);
      	if(!get_magic_quotes_gpc())
$user=addslashes($user);
      } elseif(isset($phorum_uriauth)) {
        // part for uriauth
        list($user,
$second)=explode(":",$phorum_uriauth);

	if(!empty($user) && empty($second))
	    list($user,
$second)=explode("%3A",$phorum_uriauth);
	    
	$SQL="Select password,combined_token from
".$PHORUM['auth_table']." where username='$user'";

      $q->query($DB, $SQL);	
      $r=$q->getrow();
      ...

As we can see, GET variable $phorum_uriauth will be
urldecoded and if there is empty
$admin_session and not exists COOKIE variable
$phorum_cookieauth, then (and only then)
urldecoded $phorum_uriauth will be exploded to $user
and $second. And next we will see,
how $user is used in sql request WITHOUT
addslashes()...
  So what? "Magic quotes" is mainly enabled, therefore
all seems to be secure. 
But wait a second ... - if $phorum_uriauth initially
contains something like "%2527", then
after urldecode() operation it will be "'" (single
quote), and magic quotes feature can't
do anything against that! Nice example of the sql
injection in CRITICAL sql query (I mean,
this sql query handles sensitive data - user password
and combined_token).
  What next? I was experimenting various methods to
exploit this sql injection case and
have found possibilities to use "half-blind" method to
pull out from database any information.

  First we must know the username of the "victim".
Let's say, it's "waraxe" ;)
Before testing user must be logged out. Now, we make
http request like this:

http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar

And if the second char in the "waraxe's" password's
md5 hash is "3", then we can see normal Phorum page,
but with "Log out" link. If there is  a link named
"Log in", then we must make next tests. So we can
probe user's password's md5 hash char-by-char and
finally pull out full string from the database.

Good news for attacker (and bad news for admins) is,
that there is no need for UNION functionality
in mysql version, as usually in case of sophisticated
sql injection exploits.

How about patch? It's simple - just add slashes:

$phorum_uriauth =
addslashes(urldecode($phorum_uriauth));


By the way, i wrote exploit in perl to proof of
concept. It can be found on URL:

http://www.waraxe.us/index.php?modname=saf&id=4

See ya!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq
readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at
http://bees.tk ! "Boom!!" ;)


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------



	
		
__________________________________
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25
http://photos.yahoo.com/ph/print_splash


Powered by blists - more mailing lists