phpBB Input Validation Flaw in 'profile.php' Lets Remote Users Inject SQL Commands
|
|
SecurityTracker Alert ID: 1008125 |
|
SecurityTracker URL: http://securitytracker.com/id/1008125
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 8 2003
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 2.0.5 and prior versions
|
Description:
An input validation vulnerability was reported in phpBB. A remote user can inject SQL commands.
It is reported that the 'profile.php' script does not validate the user id variable 'u' when attempting to display a registered user's profile. A remote user can submit a specially crafted HTTP GET request to inject SQL commands to be executed by the underlying database.
A demonstration exploit URL is provided:
http://[target]/profile.php?mode=viewprofile&u='[sqlcode]
|
Impact:
A remote user can inject SQL commands to be executed by the underlying database.
|
Solution:
The report indicates that version 2.0.7 is not affected.
|
Vendor URL: www.phpbb.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 8 Nov 2003 18:30:25 -0000
Subject: sql injection in phpbb
|
I found a vulnerability en phpbb 2.0.5 and prior, is probably also affect 2.0.6
this bug don't affect to version 2.0.7
phpbb have a list of registereds users, when you click on a memebr of this list, you are requesting data to the database
for example:
http://www.example.com/forum/profile.php?mode=viewprofile&u=2
this url show the information to the user with the uid = 2, the uid is a number assigned to users in phpbb.
but it isn't secure, because if you use this url, you can inject sql comands...
exploit:
http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]
where [sql code] represents the code may be injected.
|
|
