phpBB 2.0.8 Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBB 2.0.8 Exploit
From: JeiAr <security@xxxxxxxxxxxx>
Date: 28 Mar 2004 18:59:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Hi guys,

 After playing around with the private message SQL injection issue on a forum 
that I admin I noticed that the exploit code posted in the authors post doesn't 
work correctly. Here is why:

Both the TO and FROM fields hold the username and md5 hash in his exploit. The 
problem is each field only is able to hold 25 bytes at most (at least on the 
forums I tested it, they were all 2.0.8). Well, MD5 hash is 32 bytes, so you 
may get what looks like a valid hash @ first glance, but it doesn't work as it 
is an incomplete hash. Below is an example that stores the username in the 
SUBJECT of the PM and the MD5 hash in the BODY of the PM. It was tested on a 
few versions with working results. Of course the user_id=2 can be replaced with 
whatever user_id someone wants.

/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 
UNION SELECT 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password
 FROM phpbb_users WHERE user_id=2 LIMIT 1/*

Hope this helps :)

JeiAr

Prev by Date: Multiple Vulnerabilities in Cloisterblog web blog/journal
Next by Date: re: New worm?
Previous by thread: Multiple Vulnerabilities in Cloisterblog web blog/journal
Next by thread: security enforcement - new monitor for winnt
Index(es):
- Date
- Thread