Re: phpBB 2.06 search.php SQL injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpBB 2.06 search.php SQL injection
From: n.teusink@xxxxxxxxx
Date: Fri, 28 Nov 2003 23:25:50 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Priority: normal

An exploit has been released by bugtraq by some other group, the issue is 
unfortunately not minor... As the exploit shows, the trick is to mimic a 
search_array.
I was planning on releasing more technical details later, when everybody had a 
chance to patch his/her forum.

About my test URL, you are absolutely right, the test url does not work. This 
is 
because in my original mail, the test url was:
http://your_site/phpBB2/search.php?search_id=1[backslash]
somewhere along the way, that backslash ended up just escaping the newline 
character. My sincere apologies for the problems this may have caused.

Niels

zarath AT knightsofchaos DOT com wrote:

Greetings BugTraq,

I have tested this vulnerability fairly extensively since it was announced on 
phpBB.com.
Even though the version I'm using clearly has the vulnerable code it in,
it does not seem to work as easily as this is being made out. My server is 
running
PHP 4.3.4, and MySQL 4.0.15. The way I tested (which you didn't provide any 
proof
of concept code) was through a UNION command -> 
http://yourdomain/yourforums/search.php?search_id=1
UNION select `user_password` from `phpbb_users` where user_id=1/*

However, due to the fact that it uses an array function to pull all the 
relative 
information
and the hash returns a single value without the seperators, it won't
acknowledge that a result was returned.

If you try -> http://yourdomain/yourforums/search.php?search_id=1 or 1=1 UNION 
select
`user_password` from `phpbb_users` where user_id=1/*
It will return all search results, but since it will only handle the first 
returned
column and doesn't loop over them, it still won't display the password hash.

>From what I've tried so far, this doesn't really seem to be a critical 
>vulnerability
-- just an SQL injection that would allow you to get maybe the prefix of the
forum tables or other insignifcant information.

The SQL injection still exists if that URL you specified 
"http://your_site/phpBB2/search.php?search_id=1";
returns "No topics or posts met your search criteria", also.
A better way to test would be to mess with the query. Something like -> 
http://your_site/phpBB2/search.php?search_id=1
or blah=blah if that returns a debugging
error, that means your boards are vulnerable.

Zarath

Prev by Date: Applied Watch Response to Bugtraq.org post - Was: Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)
Next by Date: [Hat-Squad] phpBB search_id injection exploit
Previous by thread: phpBB 2.06 search.php SQL injection
Next by thread: Re: phpBB 2.06 search.php SQL injection
Index(es):
- Date
- Thread