<<< Date Index >>>     <<< Thread Index >>>

[waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]






{================================================================================}
{                              [waraxe-2004-SA#019]                             
 }
{================================================================================}
{                                                                               
 }
{                 [ Critical sql injection bug in Phorum 3.4.7 ]                
 }
{                                                                               
 }
{================================================================================}
                                                                                
                                                
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum is a web based message board written in PHP. Phorum is designed with 
high-availability and visitor ease of use in mind. Features such as mailing
list integration, easy customization and simple installation make Phorum 
a powerful add-in to any website.


Homepage: http://www.phorum.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  One thing is sure - Phorum 3.4.7 code is written professionally and 
traditional
security bugs here are very hard to find. But anyway, there exists potential 
sql injection
case in Phorum code, which can lead to disclosure of the sensitive data from 
the database.
  Let's look at original code from the include/userlogin.php :


// checks the session for the currently logged in user
  function phorum_check_session($admin_session='')
  {
      global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth;
         
      $phorum_uriauth=urldecode($phorum_uriauth);
          
      if(!empty($admin_session)) {
        list($user, $pass)=explode(":", $admin_session);

        if(!get_magic_quotes_gpc()) $user=addslashes($user);
      } elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) {
        // part for cookieauth
        list($user, $pass)=explode(":", $HTTP_COOKIE_VARS['phorum_cookieauth']);
        if(!get_magic_quotes_gpc()) $user=addslashes($user);
      } elseif(isset($phorum_uriauth)) {
        // part for uriauth
        list($user, $second)=explode(":",$phorum_uriauth);

        if(!empty($user) && empty($second))
            list($user, $second)=explode("%3A",$phorum_uriauth);
            
        $SQL="Select password,combined_token from ".$PHORUM['auth_table']." 
where username='$user'";

      $q->query($DB, $SQL);     
      $r=$q->getrow();
      ...

As we can see, GET variable $phorum_uriauth will be urldecoded and if there is 
empty
$admin_session and not exists COOKIE variable $phorum_cookieauth, then (and 
only then)
urldecoded $phorum_uriauth will be exploded to $user and $second. And next we 
will see,
how $user is used in sql request WITHOUT addslashes()...
  So what? "Magic quotes" is mainly enabled, therefore all seems to be secure. 
But wait a second ... - if $phorum_uriauth initially contains something like 
"%2527", then
after urldecode() operation it will be "'" (single quote), and magic quotes 
feature can't
do anything against that! Nice example of the sql injection in CRITICAL sql 
query (I mean,
this sql query handles sensitive data - user password and combined_token).
  What next? I was experimenting various methods to exploit this sql injection 
case and
have found possibilities to use "half-blind" method to pull out from database 
any information.

  First we must know the username of the "victim". Let's say, it's "waraxe" ;)
Before testing user must be logged out. Now, we make http request like this:

http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar

And if the second char in the "waraxe's" password's md5 hash is "3", then we 
can see normal Phorum page,
but with "Log out" link. If there is  a link named "Log in", then we must make 
next tests. So we can
probe user's password's md5 hash char-by-char and finally pull out full string 
from the database.

Good news for attacker (and bad news for admins) is, that there is no need for 
UNION functionality
in mysql version, as usually in case of sophisticated sql injection exploits.

How about patch? It's simple - just add slashes:

$phorum_uriauth = addslashes(urldecode($phorum_uriauth));


By the way, i wrote exploit in perl to proof of concept. It can be found on URL:

http://www.waraxe.us/index.php?modname=saf&id=4

See ya!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! 
Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@xxxxxxxxx
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------