The OpenNET Project
phpBB 1.4.2, Remote user is able to modify SQL query.


Date: Mon, 8 Oct 2001 00:05:28 +0200
From: Konrad Rieck <[email protected]>
To: Bugtraq Mailing List <[email protected]>
Subject: phpBB 1.4.2, Remote user is able to modify SQL query.


Hi, 

there is a potential security problem in the current version 1.4.2 and
previous versions of phpBB (http://www.phpbb.com). A remote user is able to
modify a string passed as a SQL query to the MySQL database.

The problem exists in the file bb_memberlist.php. A string called $sortby is
supplied through the URI and directly inserted into a SQL query string if it
doesn't match the cases of the previous switch statement.

[snip]

switch($sortby) {
   case '':  
      [...]
   case 'posts':
      [...]
}

$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";

[snap]

This is a typical example of bad coding practice, the obligatory "default:"
label has been forgotten/left out/whatever.

You can easily verify this problem by testing:
http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate

As you can see the user list is sorted by the registration date that
is stored in the column user_regdate. This is not a feature, it's a bug ;).

I am not sure if this problem might be abused to insert, delete or update
data inside the MySQL database. This part is up to the PHP hackers. 

I have sent two mails regarding this problem to the phpBB developers around
the 12th of September and didn't get any reply. I think that all phpBB users
should know about this problem and maybe add the missing "default:"
statement themselves.

Regards,
Konrad

-- 
Konrad Rieck <[email protected]>                    
Roqefellaz - http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
--           Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3
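Added example (not part of the advisory and not phpBB's own code): the switch from the advisory with the missing "default:" label in place, so that only column names written as literals in the code can ever reach the ORDER BY clause. The column names and the query itself are assumed for illustration and are not phpBB's real schema.

```php
<?php
// Map the user-supplied sort key onto a column name chosen by the code.
// Every return value is a literal, so the query string below can only ever
// contain one of these known columns, whatever the request carried.
function sort_column(string $sortby): string
{
    switch ($sortby) {
        case '':
        case 'username':
            return 'username';
        case 'posts':
            return 'user_posts';
        case 'regdate':
            return 'user_regdate';
        default:
            // The label the advisory reports as missing: unknown input is
            // replaced by a safe default instead of being spliced into SQL.
            return 'username';
    }
}

// Build the member list query. The column is the only dynamic part, and it
// has already been constrained by sort_column(). Assumed table/columns.
function build_memberlist_sql(string $sortby): string
{
    $column = sort_column($sortby);
    return "SELECT user_id, username FROM users ORDER BY $column";
}

// Constructed inputs: the last two would have reached the query unchanged
// in the vulnerable version; here they collapse to the default column.
$inputs = ['', 'posts', 'regdate', 'user_regdate', 'username, user_id'];
foreach ($inputs as $in) {
    printf("%-20s -> %s\n", var_export($in, true), build_memberlist_sql($in));
}
```

Because the request value is never interpolated, a review of this pattern reduces to checking that every `case` returns a literal and that the `default:` branch exists.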
