[UNIX] phpBB 'u' Variable SQL Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 11/09/03

  • Next message: SecuriTeam: "[NEWS] IBM DB2 Multiple Local Security Issues (UNIX Only)" 
    To: list@securiteam.com
Date: 9 Nov 2003 18:56:54 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      phpBB 'u' Variable SQL Injection
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.phpbb.com/> phpBB is "a high powered, fully scalable, and
    highly customizable open-source bulletin board package. phpBB has a
    user-friendly interface, simple and straightforward administration panel,
    and helpful FAQ. Based on the powerful PHP server language and your choice
    of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
    ideal free community solution for all web sites."

    An SQL injection vulnerability exists in the uid field sent to phpBB, this
    would allow a remote attacker to insert malicious SQL statements into
    existing ones.

    DETAILS

    Vulnerable Systems:
     * phpBB version 2.0.5 and prior

    Immune Systems:
     * phpBB version 2.0.6

    phpBB has a list of registered users, when you click on a member of this
    list, you request data from the database.

    Example:
    http://www.example.com/forum/profile.php?mode=viewprofile&u=2

    This URL shows the information for the user with the uid = 2 (the uid is a
    number assigned to users in phpBB). The content of the 'u' variable isn't
    filtered for malicious contents.

    An attacker could inject arbitrary SQL commands into the system's
    database.

    Example:
    http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]

    Vendor Status:
    Upgrade to version 2.0.6 of phpBB, as the version is immune to this issue.

    Workaround:
    Modify the get_userdata() function to:

    function get_userdata($user, $force_str = false)
    {
    global $db;

    if (intval($user) == 0 || $force_str)
    {
    $user = trim(htmlspecialchars($user));
    $user = substr(str_replace("\\'", "'", $user), 0, 25);
    $user = str_replace("'", "\\'", $user);
    }
    else
    {
    $user = intval($user);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:jocanor2002@hotmail.com>
    jocanor jocanor

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] IBM DB2 Multiple Local Security Issues (UNIX Only)"

    Relevant Pages