Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
phpBB Input Validation Flaw in 'groupcp.php' Permits Moderators to Inject SQL Commands
|
|
SecurityTracker Alert ID: 1008571
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 29 2003
|
Impact: Execution of arbitrary code via network
|
Description: An input validation vulnerability was reported in phpBB. A remote authenticated moderator can inject SQL commands.
It is reported that the 'groupcp.php' function does not validate the $sql_in variable. A remote authenticated user with 'moderator' privileges can supply a specially crafted URL to cause arbitrary SQL commands to be executed.
|
Impact: A remote authenticated user with moderator privileges can execute arbitrary SQL commands on the system.
|
Solution: No solution was available at the time of this entry.
An unofficial solution is described in the Source Message.
|
Vendor URL: www.phpbb.com/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Jay Gates <zarath@knightsofchaos.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 29 Dec 2003 14:08:37 -0000
From: Jay Gates <zarath@knightsofchaos.com>
Subject: SQL Injection in phpBB's groupcp.php
|
BugTraq,
I have found an SQL injection vulnerability in phpBB. Hoever, I don't think this is going to be be a
wide spread problem as it will
only work if you are the moderator of a group.
How the SQL injection works:
In groupscp, it uses an array set to delete members from certain groups. This array set is sent throu
gh a quick loop to put all the
values into a variable seperated by , s and then used in an IN check in the SQL query to delete the
members that you've selected.
Code:
$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS[
'pending_members'] : $HTTP_POST_VARS['members'];
$sql_in = '';
for($i = 0; $i < count($members); $i++)
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
After this the $sql_in variable is not checked or changed at all, and this is where I found the SQL i
njection to be possible... There
are two places this is used, first is through a check on if you're the moderator of a group, if you
are it will run an if IN check
on the array first:
$sql = "SELECT ug.user_id, ug.group_id
FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug
WHERE ug.user_id IN ($sql_in)
AND aa.group_id = ug.group_id
AND aa.auth_mod = 1
GROUP BY ug.user_id, ug.group_id
ORDER BY ug.user_id, ug.group_id";
>From this, it will pull a list of the users in the group and if they're moderators from being in
the group... If they are, it will
remove their securities.
Now the second one becomes more critical, this is after the check on if moderator:
$sql = "DELETE FROM " . USER_GROUP_TABLE . "
WHERE user_id IN ($sql_in)
AND group_id = $group_id";
Since this again uses an IN check on the unchecked $sql_in, you can easily replace it with something
such as $sql_in = 1) or 1=1/*
That would cause, every person in a group to be automatically deleted from it.
To fix this vulnerability, it's fairly simple. Open your groupcp.php file.
Find
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
and replace it with
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);
I'm providing no proof of concept code because you can easily check if you're vulnerable by searching
for the first line in your groupcp.php
file.
Thanks,
Zarath
|
|
Go to the Top of This SecurityTracker Archive Page
|
