phpBB 2.06 search.php SQL injection

n.teusink_at_planet.nl
Date: 11/27/03

    Date: Thu, 27 Nov 2003 22:55:29 +0100
    To: bugtraq@securityfocus.com


    Hello bugtraq readers,

    A vulnerability exists in phpBB 2.06 that could allow an attacker to manipulate SQL
    queries and gain administrative control over the forum.
    The search.php script of the application does not sufficiently sanitize the input of the
    "search_id" parameter. As a result of this an attacker could manipulate the SQL
    query the script performs and potentially extract information such as password
    hashes from the database.

    Impact
    -----------

    The impact depends on the database solution in use. When testing the bug with
    MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5
    password hash. Armed with this hash an attacker could modify his cookie accordingly
    and log in as administrator without having to decode the hash. The attacker would
    then have complete control over the board and could execute other SQL queries from
    the admin panel.

    Patch
    -----------

    I notified the phpBB 2.06 developers and they have patched the script. phpBB
    users should download the latest 2.06 version from http://www.phpbb.com
    A way to manually fix the issue can be found here:
    http://www.phpbb.com/phpBB/viewtopic.php?t=153818

    A simple way to test if the bug is patched is:
    http://your_site/phpBB2/search.php?search_id=1\
    If patched, this should return the message "No topics or posts met your search
    criteria". If unpatched you will get an SQL error (or just a general error if DEBUG
    mode is off).
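To make the test above concrete, here is an added illustration (not code from the advisory or from phpBB) of why a trailing backslash in "search_id" breaks an unsanitized query, and what the hardened handling looks like. The table name, column names and session value are constructed for the example; the query shape is a hypothetical stand-in for a string-interpolated lookup, not phpBB's actual search.php code. The unterminated-string check models MySQL's default rule that a backslash escapes the character after it, which is what turns search_id=1\ into an SQL syntax error on an unpatched board; the hardened path rejects anything that is not a plain decimal integer and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed sample row: (search_id, session_id, search_array). Not real phpBB data.
SAMPLE_ROWS = [(1, "sess-abc", "hello,world")]


def build_query_vulnerable(search_id: str, session_id: str) -> str:
    """Hypothetical string-interpolated query, the pattern the advisory describes:
    the request parameter is dropped straight into the SQL text."""
    return (
        "SELECT search_array FROM phpbb_search_results "
        f"WHERE session_id = '{session_id}' AND search_id = '{search_id}'"
    )


def has_unterminated_string(sql: str) -> bool:
    """Walk the SQL text with MySQL's default escaping rule (backslash escapes the
    next character). Returns True if a single-quoted string never closes, which a
    MySQL server would report as a syntax error (the advisory's 'SQL error')."""
    in_string = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string and ch == "\\":
            i += 2  # escaped character: skip it, including an escaped quote
            continue
        if ch == "'":
            in_string = not in_string
        i += 1
    return in_string


def parse_search_id(raw: str) -> int:
    """Hardened input handling: accept only a non-negative decimal integer.
    Anything else (quotes, backslashes, SQL keywords) is rejected outright."""
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError(f"invalid search_id: {raw!r}")
    return int(raw)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the board's search-result store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_search_results "
        "(search_id INTEGER, session_id TEXT, search_array TEXT)"
    )
    conn.executemany(
        "INSERT INTO phpbb_search_results VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_search_hardened(conn: sqlite3.Connection, raw_search_id: str,
                           session_id: str):
    """Validate first, then bind both values as parameters so the database
    never interprets user input as SQL. Returns the stored search_array or None."""
    sid = parse_search_id(raw_search_id)
    cur = conn.execute(
        "SELECT search_array FROM phpbb_search_results "
        "WHERE session_id = ? AND search_id = ?",
        (session_id, sid),
    )
    row = cur.fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for probe in ("1", "1\\"):
        sql = build_query_vulnerable(probe, "sess-abc")
        print(f"search_id={probe!r:6} unterminated string: "
              f"{has_unterminated_string(sql)}")
    conn = make_db()
    print("hardened lookup:", lookup_search_hardened(conn, "1", "sess-abc"))
    try:
        lookup_search_hardened(conn, "1\\", "sess-abc")
    except ValueError as exc:
        print("hardened lookup rejected input:", exc)
```

Run as a script it shows the probe value "1\" leaving the interpolated query with an open quote while the plain "1" does not, and the hardened lookup returning the stored row for "1" and refusing "1\" before any SQL is built. The same two steps (strict type validation plus parameter binding) are the fix to look for in any script that takes an identifier from the query string.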

    Cheers,

    Niels Teusink

    www.teusink.net

