phpBB password disclosure by sql injection
From: Rick (rikul_at_bellsouth.net)
Date: 06/19/03
To: <vulnwatch@vulnwatch.org>
Date: Thu, 19 Jun 2003 01:27:37 -0600
Hi
There is an SQL injection vuln in phpBB. The variable "topic_id" is passed
directly from GET to an SQL query in /viewtopic.php. It can be used
to get MD5 passwords for users. I am attaching details and proof of
concept code. I've only tested this on MySQL 4 and pgsql on my home
machines, so I might have missed something...
Rick Patel
- application/octet-stream attachment: phpbb_sql.pl