Re: phpBB 2.06 search.php SQL injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpBB 2.06 search.php SQL injection
From: Jay Gates <zarath@xxxxxxxxxxxxxxxxxx>
Date: 28 Nov 2003 10:04:28 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <3FC680E1.20563.5632F88@localhost>

Greetings BugTraq,

I have tested this vulnerability fairly extensively since it was announced on 
phpBB.com. Even though the version I'm using clearly has the vulnerable code it 
in, it does not seem to work as easily as this is being made out. My server is 
running PHP 4.3.4, and MySQL 4.0.15. The way I tested (which you didn't provide 
any proof of concept code) was through a UNION command -> 
http://yourdomain/yourforums/search.php?search_id=1 UNION select 
`user_password` from `phpbb_users` where user_id=1/* 

However, due to the fact that it uses an array function to pull all the 
relative information and the hash returns a single value without the 
seperators, it won't acknowledge that a result was returned.

If you try -> http://yourdomain/yourforums/search.php?search_id=1 or 1=1 UNION 
select `user_password` from `phpbb_users` where user_id=1/*
It will return all search results, but since it will only handle the first 
returned column and doesn't loop over them, it still won't display the password 
hash.

>From what I've tried so far, this doesn't really seem to be a critical 
>vulnerability -- just an SQL injection that would allow you to get maybe the 
>prefix of the forum tables or other insignifcant information.

The SQL injection still exists if that URL you specified 
"http://your_site/phpBB2/search.php?search_id=1"; returns "No topics or posts 
met your search criteria", also. A better way to test would be to mess with the 
query. Something like -> http://your_site/phpBB2/search.php?search_id=1 or 
blah=blah if that returns a debugging error, that means your boards are 
vulnerable.

Zarath

>Received: (qmail 3146 invoked from network); 27 Nov 2003 21:52:56 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 27 Nov 2003 21:52:56 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com 
>[205.206.231.20])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 6EAECA30FC; Thu, 27 Nov 2003 15:01:17 -0700 (MST)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 2776 invoked from network); 27 Nov 2003 15:43:59 -0000
>Date: Thu, 27 Nov 2003 22:55:29 +0100
>From: n.teusink@xxxxxxxxx
>Subject: phpBB 2.06 search.php SQL injection
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Message-id: <3FC680E1.20563.5632F88@localhost>
>MIME-version: 1.0
>X-Mailer: Pegasus Mail for Windows (v4.02)
>Content-type: text/plain; charset=US-ASCII
>Content-transfer-encoding: 7BIT
>Content-description: Mail message body
>Priority: normal
>
>Hello bugtraq readers,
>
>A vulnerability exists in phpBB 2.06 that could allow an attacker to 
>manipulate SQL 
>queries and gain administrative control over the forum.
>The search.php script of the application does not sufficiently sanitize the 
>input of the 
>"search_id" parameter. As a result of this an attacker could manipulate the 
>SQL 
>query the script performs and potentially extract information such as password 
>hashes from the database.
>
>Impact
>-----------
>
>The impact depends on the database solution in use. When testing the bug with 
>MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5 
>password hash. Armed with this hash an attacker could modify his cookie 
>accordingly 
>and log in as administrator without having to decode the hash. The attacker 
>would 
>then have complete control over the board and could execute other SQL queries 
>from 
>the admin panel.
>
>Patch
>-----------
>
>I notified the the phpBB 2.06 developers and they have patched the script. 
>phpBB 
>users should download the latest 2.06 version from http://www.phpbb.com
>A way to manually fix the issue can be found here: 
>http://www.phpbb.com/phpBB/viewtopic.php?t=153818
>
>A simple way to test if the bug is patched is:
>http://your_site/phpBB2/search.php?search_id=1If patched, this should return 
>the message "No topics or posts met your search 
>criteria". If unpatched you will get an SQL error (or just a general error if 
>DEBUG 
>mode is off).
>
>Cheers,
>
>Niels Teusink
>
>www.teusink.net
>

Prev by Date: Re: Unhackable network really unhackable?
Next by Date: FreeBSD Security Advisory FreeBSD-SA-03:19.bind
Previous by thread: Re: phpBB 2.06 search.php SQL injection
Next by thread: Re: phpBB 2.06 search.php SQL injection
Index(es):
- Date
- Thread