SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Forum/Board/Portal)  >  phpBB Vendors:  phpBB Group
phpBB Input Validation Flaw in 'search_id' Permits SQL Injection and Yields Administrative Access
SecurityTracker Alert ID:  1008323
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 27 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.06
Description:  An input validation vulnerability was reported in phpBB in 'search.php'. A remote user can inject SQL commands to gain administrative access to the forum.

It is reported that the 'search.php' script does not properly validate the 'search_id' parameter. A remote user can send a specially crafted value to execute certain SQL commands on the target server, such as a command to obtain the administrator's hashed password. With the hashed password, a remote user can then modify their cookies to gain access to the system.

To determine whether your system has been patched, request the following URL:

http://your_site/phpBB2/search.php?search_id=1\

If your system is patched, the system will display the following message:

"No topics or posts met your search criteria"

Impact:  A remote user can inject SQL commands to gain administrative access to the forum.
Solution:  The vendor has issued an updated 2.06 release that fixes the flaw, available at:

http://www.phpbb.com/

A description of how to manually fix the flaw is available at:

http://www.phpbb.com/phpBB/viewtopic.php?t=153818

Vendor URL:  www.phpbb.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  n.teusink@planet.nl
Message History:   None.


Source Message Contents

Date:  Thu, 27 Nov 2003 22:55:29 +0100
From:  n.teusink@planet.nl
Subject:  phpBB 2.06 search.php SQL injection


Hello bugtraq readers,

A vulnerability exists in phpBB 2.06 that could allow an attacker to manipulate SQL 
queries and gain administrative control over the forum.
The search.php script of the application does not sufficiently sanitize the input of the 
"search_id" parameter. As a result of this an attacker could manipulate the SQL 
query the script performs and potentially extract information such as password 
hashes from the database.

Impact
-----------

The impact depends on the database solution in use. When testing the bug with 
MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5 
password hash. Armed with this hash an attacker could modify his cookie accordingly 
and log in as administrator without having to decode the hash. The attacker would 
then have complete control over the board and could execute other SQL queries from 
the admin panel.

Patch
-----------

I notified the phpBB 2.06 developers and they have patched the script. phpBB 
users should download the latest 2.06 version from http://www.phpbb.com
A way to manually fix the issue can be found here: 
http://www.phpbb.com/phpBB/viewtopic.php?t=153818

A simple way to test if the bug is patched is:
http://your_site/phpBB2/search.php?search_id=1\
If patched, this should return the message "No topics or posts met your search 
criteria". If unpatched you will get an SQL error (or just a general error if DEBUG 
mode is off).

Cheers,

Niels Teusink

www.teusink.net
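The advisory and the message above both describe the same defect and the same check: 'search_id' is used without validation, and a value ending in a backslash is enough to tell a patched install from an unpatched one. The Python below is an added example (it is neither phpBB's code nor part of the advisory) that shows why the backslash check works and what the validation should look like. The table and column names, the keyword ids 'newposts', 'egosearch' and 'unanswered', and the in-memory SQLite data are all constructed for the example; MySQL's backslash-escape rule for string literals is emulated by a small scanner because SQLite itself does not treat a backslash as an escape.

```python
import re
import sqlite3

# Hypothetical non-numeric search ids a forum search script might accept
# alongside numeric stored-search ids (constructed for this example).
KEYWORD_SEARCH_IDS = frozenset({"newposts", "egosearch", "unanswered"})


def build_unvalidated_query(raw_search_id):
    """The weak pattern: untrusted input pasted straight into a quoted literal.
    Returned only as text so the example can inspect it; it is never executed."""
    return "SELECT session_id FROM search_results WHERE search_id = '%s'" % raw_search_id


def single_quoted_literals_are_closed(sql):
    """Scan SQL under MySQL-style quoting, where a backslash escapes the next
    character inside a single-quoted literal.  Returns False when the statement
    ends inside an open literal, which the server reports as a syntax error.
    This is what the advisory's search_id=1\\ probe triggers on an unpatched
    install: the backslash swallows the closing quote."""
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "\\":
                i += 2          # skip the escaped character (possibly a quote)
                continue
            if ch == "'":
                in_literal = False
        elif ch == "'":
            in_literal = True
        i += 1
    return not in_literal


def normalize_search_id(raw_search_id):
    """Validation step: accept a known keyword or a plain decimal number and
    reject everything else before it reaches the database layer."""
    if raw_search_id in KEYWORD_SEARCH_IDS:
        return raw_search_id
    if re.fullmatch(r"[0-9]{1,10}", raw_search_id):
        return int(raw_search_id)
    raise ValueError("invalid search_id: %r" % raw_search_id)


def lookup_search_results(conn, raw_search_id):
    """Hardened handler: validate first, then bind the value as a parameter so
    the database never parses it as SQL.  Invalid input is answered like an
    empty result instead of echoing a database error to the client."""
    try:
        search_id = normalize_search_id(raw_search_id)
    except ValueError:
        return []
    if isinstance(search_id, str):
        # keyword searches are resolved elsewhere; nothing stored to look up
        return []
    cur = conn.execute(
        "SELECT session_id FROM search_results WHERE search_id = ?", (search_id,))
    return [row[0] for row in cur.fetchall()]


def make_sample_db():
    """Constructed in-memory table standing in for a stored-search table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search_results (search_id INTEGER, session_id TEXT)")
    conn.executemany("INSERT INTO search_results VALUES (?, ?)",
                     [(1, "sess_a"), (2, "sess_b")])
    return conn


if __name__ == "__main__":
    for raw in ("1", "1\\"):
        sql = build_unvalidated_query(raw)
        print("%-4r -> literal closed: %s" % (raw, single_quoted_literals_are_closed(sql)))
        print("      hardened lookup: %r" % lookup_search_results(make_sample_db(), raw))
```

Run stand-alone, the script shows the unvalidated query for `1\` ending inside an open string literal (the MySQL syntax error the message describes), while the hardened handler returns an empty result for the same input and the real rows for `1`. Rejecting anything that is not an allow-listed keyword or a bare integer is the validation the page calls for; binding the value as a parameter is the second layer that holds even if the validation is later loosened.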



Copyright 2003, SecurityGlobal.net LLC