[UNIX] phpBB Allows Remote Users to Modify Default SQL Queries

From: support@securiteam.com
Date: 10/17/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] phpBB Allows Remote Users to Modify Default SQL Queries
Message-Id: <20011017215059.5883E138C4@mail.der-keiler.de>
Date: Wed, 17 Oct 2001 23:50:59 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  phpBB Allows Remote Users to Modify Default SQL Queries
------------------------------------------------------------------------

SUMMARY

There is a potential security problem in the current version 1.4.2 and
previous versions of <http://www.phpbb.com> phpBB. A remote user is able
to modify a string passed as a SQL query to the MySQL database.

DETAILS

The problem exists in the file bb_memberlist.php. A string called $sortby
is supplied through the URI and directly inserted into a SQL query string
if it does not match the cases of the previous switch statement.

[snip]

switch($sortby) {
   case '':
      [...]
   case 'posts':
      [...]
}

$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";

[snap]

This is a typical example of bad coding practice, the obligate "default:"
label has been forgotten/left out.

You can easily verify this problem by testing:
 
<http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate>
http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate

As you can see the user lists is sorted by the registration date that is
stored in the column user_regdate. This is not a feature - it's a bug!.

ADDITIONAL INFORMATION

The information has been provided by <mailto:kr@roqe.org> Konrad Rieck.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • RE: SQL Slammer doing the rounds again?
    ... SQL Slammer doing the rounds again? ... "I used to hate writing assignments, ... > Security Business Unit ... > at the largest, most highly-anticipated industry ...
    (Incidents)
  • Re: sql injection query
    ... escapes the values so this alone greatly enhances security. ... there was a post here a while ago about Validating SQL ... these regex's were very good] so he had no worries about Injection. ... wanted to know if I call a storedprocedure like this I would be similarly ...
    (microsoft.public.dotnet.framework.adonet)
  • [NEWS] IBM Informix Web DataBlade Vulnerable to Auto-decoding of HTML Entities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... HTML encoded strings are automatically being decoded when used in SQL ... When a string has been ... $'ed it should thus be safe to use it in an SQL query, ...
    (Securiteam)
  • Re: sql injection - missed it at bh/defcon + follow on query.
    ... sql injection - missed it at bh/defcon + follow on query. ... >I got thro' a login by putting ... >This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: Microsoft Informational Alert
    ... > PSS Security Response Team Alert - SQL Security Recommendations ... > PRODUCTS AFFECTED: SQL Server ... Secure your SA login account with a non-NULL password. ...
    (microsoft.public.security)
Quantcast