[UNIX] phpBB Allows Remote Users to Modify Default SQL Queries

From: support@securiteam.com
Date: 10/17/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] phpBB Allows Remote Users to Modify Default SQL Queries
Message-Id: <20011017215059.5883E138C4@mail.der-keiler.de>
Date: Wed, 17 Oct 2001 23:50:59 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  phpBB Allows Remote Users to Modify Default SQL Queries
------------------------------------------------------------------------

SUMMARY

There is a potential security problem in the current version 1.4.2 and
previous versions of <http://www.phpbb.com> phpBB. A remote user is able
to modify a string passed as a SQL query to the MySQL database.

DETAILS

The problem exists in the file bb_memberlist.php. A string called $sortby
is supplied through the URI and directly inserted into a SQL query string
if it does not match the cases of the previous switch statement.

[snip]

switch($sortby) {
   case '':
      [...]
   case 'posts':
      [...]
}

$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";

[snap]

This is a typical example of bad coding practice, the obligate "default:"
label has been forgotten/left out.

You can easily verify this problem by testing:
 
<http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate>
http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate

As you can see the user lists is sorted by the registration date that is
stored in the column user_regdate. This is not a feature - it's a bug!.

ADDITIONAL INFORMATION

The information has been provided by <mailto:kr@roqe.org> Konrad Rieck.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages