[Full-Disclosure] [SCAN Associates Sdn Bhd Security Advisory] phpBB 2.0.6 and below sql injection

From: pokley (pokleyzz_at_scan-associates.net)
Date: 03/14/04

    To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>
    Date: Mon, 15 Mar 2004 02:32:20 +0800

    Products: phpBB 2.0.6 and below (http://www.phpbb.com)
    Found date: 4 January 2004
    Publish date: 15 March 2004
    Author: pokleyzz <pokleyzz_at_scan-associates.net>
    Contributors: sk_at_scan-associates.net
    URL: http://www.scan-associates.net

    Summary: phpBB 2.0.6 and below SQL injection.

    phpBB is a high powered, fully scalable, and highly customisable
    open-source bulletin board package. phpBB has a user-friendly interface,
    simple and straightforward administration panel, and helpful FAQ. Based on
    the powerful PHP server language and your choice of MySQL, MS-SQL,
    PostgreSQL or Access/ODBC database servers, phpBB is the ideal free
    community solution for all web sites. (from phpbb.com)

    We have found SQL injection vulnerabilities in phpBB which are exploitable
    when register_globals is set to "On" in the PHP configuration.

    SQL Injection in search.php
    There is SQL injection through the $search_results variable when performing
    a search in phpBB: on line 711 it is interpolated directly into the query
    when $show_results is not set to 'posts' or 'topics'.

    $sql = "SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id,
                u2.username as user2, u2.user_id as id2, p.post_username,
                p2.post_username AS post_username2, p2.post_time
            FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u,
                 " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2, " . USERS_TABLE . " u2
            WHERE t.topic_id IN ($search_results)
                AND t.topic_poster = u.user_id
                AND f.forum_id = t.forum_id
                AND p.post_id = t.topic_first_post_id
                AND p2.post_id = t.topic_last_post_id
                AND u2.user_id = p2.poster_id";

    One of the tables joined in this "SELECT" query is the users table. This
    can be used to determine the admin password hash by guessing whether a
    given condition is true or false from the search result on MySQL 3. With
    the autologin feature in phpBB, an attacker can then generate cookies to
    log in to phpBB without needing to crack the password.
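    The following is an added example, not code from the advisory or from phpBB.
    It places the vulnerable construction described above (a request-supplied
    $search_results string dropped into the IN (...) clause) next to a hardened
    form that only lets a list of positive integers reach the query. The table
    constants and the shortened SELECT are assumptions for the sake of a
    stand-alone script; the advisory does not show where phpBB derives
    $search_results, so the example assumes it arrives as a comma-separated
    string.

```php
<?php
// Added example (not phpBB's code). Table-name constants are assumed.
define('TOPICS_TABLE', 'phpbb_topics');
define('FORUMS_TABLE', 'phpbb_forums');
define('USERS_TABLE',  'phpbb_users');
define('POSTS_TABLE',  'phpbb_posts');

// Vulnerable pattern from the advisory: with register_globals on, a request
// parameter named search_results becomes $search_results and is interpolated
// into the query unchanged, so its contents become SQL.
function build_query_vulnerable($search_results)
{
    return "SELECT t.*, f.forum_name, u.username"
         . " FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u"
         . " WHERE t.topic_id IN ($search_results)"
         . " AND t.topic_poster = u.user_id AND f.forum_id = t.forum_id";
}

// Hardened form: accept only a comma-separated list of positive integers.
// Returns an array of ints, or null if any element is not purely numeric.
function sanitize_id_list($raw)
{
    $ids = array();
    foreach (explode(',', (string) $raw) as $piece) {
        $piece = trim($piece);
        // ctype_digit rejects signs, spaces, quotes, parentheses and keywords
        if ($piece === '' || !ctype_digit($piece)) {
            return null;   // reject the whole list on the first bad element
        }
        $ids[] = (int) $piece;
    }
    return count($ids) > 0 ? $ids : null;
}

// Builds the same query from validated ids only; returns null when the
// input was rejected so the caller shows "no results" instead of querying.
function build_query_hardened($raw_search_results)
{
    $ids = sanitize_id_list($raw_search_results);
    if ($ids === null) {
        return null;
    }
    $in_list = implode(', ', $ids);   // e.g. "12, 15, 99": integers only
    return "SELECT t.*, f.forum_name, u.username"
         . " FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u"
         . " WHERE t.topic_id IN ($in_list)"
         . " AND t.topic_poster = u.user_id AND f.forum_id = t.forum_id";
}

// Constructed inputs for demonstration, not captured traffic.
$well_formed = "12, 15,99";
$malformed   = "12, 15, abc";

var_dump(build_query_hardened($well_formed));   // string: ... IN (12, 15, 99) ...
var_dump(build_query_hardened($malformed));     // NULL: the list was rejected
var_dump(build_query_vulnerable($malformed));   // the bad text lands in the SQL
?>
```

    Turning register_globals off removes the path by which a request parameter
    becomes $search_results, but the validation above is what makes the query
    safe regardless of how the variable is populated; both measures belong
    together.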

    Quick Solution
    Turn off register_globals in php.ini.

    Proof of concept

    Vendor Response
    5 February 2004: security@phpbb.com was contacted, but there has been no response.

    - Happy Birthday faradingdong :-)-


    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
