SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
phpBB Input Validation Flaws in 'admin_smilies.php' and 'admin_styles.php' Let Remote Authenticated Administrators Inject SQL
SecurityTracker Alert ID:  1009510
SecurityTracker URL:  http://securitytracker.com/id/1009510
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 22 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0.7a and prior versions
Description:   Some input validation vulnerabilities were reported in phpBB. A remote authenticated administrator can inject SQL commands. A remote user can conduct cross-site scripting attacks.

JeiAr of the GulfTech Security Research Team reported that the 'admin_smilies.php' and 'admin_styles.php' scripts do not properly validate user-supplied information in the 'id' parameter. A demonstration exploit URL is provided:

admin_smilies.php?mode=edit&id=99 UNION SELECT 0,username,0,user_password FROM othersite_phpbb_users WHERE user_id=2

It is also possible for a remote user to conduct cross-site scripting attacks, the report said. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the phpBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some additional examples are provided:

admin_smilies.php?mode=edit&id=[SQL]
admin_smilies.php?mode=delete&id=[SQL]
admin_smilies.php?mode=edit&id=[XSS]
admin_smilies.php?mode=delete&id=[XSS]
admin_styles.php?mode=edit&style_id=[SQL]
admin_styles.php?mode=delete&style_id=[SQL]
admin_styles.php?mode=edit&style_id=[XSS]
admin_styles.php?mode=delete&style_id=[XSS]

It is reported that many scripts do not properly check session IDs. As a result, a remote user can exploit one of the cross-site scripting flaws to inject phpBB commands in a message post that will be executed by the target user when the message post is viewed by the target user.

The vendor has reportedly been notified. The author of the report has posted excerpts from e-mail exchanges with the vendor at:

http://www.gulftech.org/vuln/phpBBEmail.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated administrator can execute SQL commands on the underlying database.

Solution:   No solution was available at the time of this entry. The author of the report has created an unofficial patch, available at:

http://www.gulftech.org/vuln/phpBBadminFix.rar

Vendor URL:  www.phpbb.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Sun, 21 Mar 2004 18:26:52 -0500
Subject:  http://www.gulftech.org/03202004.php


http://www.gulftech.org/03202004.php

phpBB 2.0.7a And Earlier Security Issues  March 20, 2004


Vendor : phpBB Group
URL : http://www.phpbb.com
Version : phpBB 2.0.7a && Earlier
Risk : Multiple Vulnerabilities


Description:
phpBB is a high powered, fully scalable, and highly customisable open-source bulletin 
board package. phpBB has a user-friendly interface, simple and straightforward 
administration panel, and helpful FAQ. Based on the powerful PHP server language and your 
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal 
free community solution for all web sites.


Problem:
Just a few days ago I was visiting Security Focus and I saw the following issue.

http://www.securityfocus.com/bid/9896

I was at first thinking "Well, if you can't trust your admins that is as big of a security 
risk as any SQL Injection" After talking to a few people about this I realized that a 
number of phpBB installations are run on shared hosting setups, and because of that this 
issue could be a legitimate risk. For example

admin_words.php?mode=edit&id=99 UNION SELECT 0,username,user_password FROM othersite_phpbb_users WHERE user_id=2

I decided to look into this a little more and noticed similar issues in two other files as 
well. The files I found to also be vulnerable were "admin_smilies.php" and 
"admin_styles.php" which can also be used to query arbitrary information.

admin_smilies.php?mode=edit&id=99 UNION SELECT 0,username,0,user_password FROM othersite_phpbb_users WHERE user_id=2

I also played around with ideas on how a malicious user could use this for any kind of 
mischief. Remember that these SQL issues can also be used to probably drop tables and the 
like on non phpBB installations depending on DB privileges. Below are the findings of my 
weekend off from work. :P




SQL Injection Vulnerability:
Altering queries is possible via two different files in phpBB 2.0.7a and earlier. The 
affected files are "admin_smilies.php" and "admin_styles.php" Below is what you will see 
if you take a look at the "admin_smilies.php" file.

-----[ Start Vuln Code ] ------------------------------------------------------
$sql = "SELECT *
	FROM " . SMILIES_TABLE . "
	WHERE smilies_id = " . $smiley_id;
$result = $db->sql_query($sql);

-----[ Ends Vulns Code ] ------------------------------------------------------

Both of these files could also be used to conduct cross site scripting attacks if a logged 
in admin views a malicious link sent by an attacker. Below are examples.

admin_smilies.php?mode=edit&id=[SQL]
admin_smilies.php?mode=delete&id=[SQL]
admin_smilies.php?mode=edit&id=[XSS]
admin_smilies.php?mode=delete&id=[XSS]
admin_styles.php?mode=edit&style_id=[SQL]
admin_styles.php?mode=delete&style_id=[SQL]
admin_styles.php?mode=edit&style_id=[XSS]
admin_styles.php?mode=delete&style_id=[XSS]

Maybe an attacker could send a logged in admin a link that causes certain contents of the 
database to be dumped into a text file in the httpd directory for retrieval, or maybe an 
attacker can send a logged in admin a link with some script embedded and attempt to steal 
information from a cookie? All of those may be likely, but what I am going to talk about 
next makes it a whole lot easier for an attacker.


Command Execution Vulnerability:
While playing around I noticed it was very easy to have commands that were called via the 
GET method executed. This could also be very useful for an attacker if he or she were to 
combine the above issues with the one I am talking about right now. To make things a 
little clearer go into your phpBB admin panel and let's create a harmless test to see how 
this works. We will use the word censor feature for this example since it is harmless 
enough, but you could just as easily use one of the vulnerabilities found by me and 
explained earlier in this paper. Go to the page in your phpBB admin panel titled "Word 
Censors" aka "admin_words.php". Now make a word censor; it can be anything. After it is done 
get the link to delete the word censor you just made. For example, see below what the link 
looks like.

admin_words.php?mode=delete&id=1&sid=b48906073d7a8da0ecad3e35b1f4021b

The sid variable doesn't have to be there, and if it does then that particular file is 
probably not vuln. Now we go into our user level account and make a post with an image 
that has a link to the vuln command. Now when an admin views this bogus image the command 
is executed. For example take the following post contents.

[img]http://host/login.php?logout=true[/img]

A post with this in it will log out whoever views it. Imagine how annoying it would be for 
a user to have something like that in their signature. It would log out everyone who 
viewed their post(s). This can be used with other files as well, not just 
"admin_styles.php", "admin_smilies.php", and "admin_words.php". My weekend is almost over 
though :-\ So I do not have much more time to play around with this. But remember, this 
works on users too, not just admins and mods. The only limit I have found really is it 
only works on actions that get the values of its variables from the GET method and not 
the $HTTP_POST_VARS[] method, and do not check for valid session IDs; this includes 
deleting posts, themes, smileys, word censors and more. This kind of activity could also 
be used in signatures, PMs and the like too. Some files such as modcp.php seem to handle 
sessions properly though, so they are not vulnerable. This is the code that checks for 
valid session IDs. If it is not present it is possibly a vulnerable file.
		
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
	message_die(GENERAL_ERROR, 'Invalid_session');
}

A quick grep of the phpBB2 directory will turn up lots of results. You can do that to see 
which files are potentially vulnerable to this issue.


Solution:
I have corresponded with the developers about these issues, and you can read that 
correspondence at the following URL.

http://www.gulftech.org/vuln/phpBBEmail.txt

I think the session checks are definitely a potential danger, but I have fixed the 
vulnerable admin files, and they can be downloaded at the link below. If you find any 
problems with the fixes please let me know.

http://www.gulftech.org/vuln/phpBBadminFix.rar

I will post any updated correspondence in the previously mentioned file, so if you would 
like to keep up on any progress made check there.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
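The following is an added example, not phpBB's code and not the author's fix, showing how the "admin_smilies.php" query quoted above is hardened by the two controls the report points at: casting the 'id' parameter to an integer before it is concatenated into SQL, and applying the session-id check the vulnerable admin scripts omit. $db, $userdata, SMILIES_TABLE, $db->sql_query() and message_die() are assumed to exist as in a phpBB 2 admin script; $_GET is used in place of phpBB 2's $HTTP_GET_VARS.

```php
<?php
// Added example (not phpBB's own code): a hardened version of the
// admin_smilies.php lookup quoted in the advisory. Assumes $db, $userdata
// and SMILIES_TABLE are already set up by the surrounding phpBB 2 admin
// script; $db->sql_query() and message_die() are phpBB's own helpers.

// Fix 1: the vulnerable code concatenates $smiley_id straight into the SQL
// string. Casting to int means a value such as "99 UNION SELECT ..." or a
// script tag becomes a plain number, which closes both the SQL injection and
// the reflected XSS in the 'id' parameter at the same time.
$smiley_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($smiley_id <= 0) {
    message_die(GENERAL_ERROR, 'Invalid smiley id');
}

// Fix 2: the session-id check the report quotes from the non-vulnerable
// files. Because the sid is tied to the viewer's own session, a link hidden
// in an [img] tag and loaded by an admin's browser fails this check, so the
// GET-driven action cannot be triggered on the admin's behalf.
$sid = isset($_GET['sid']) ? $_GET['sid'] : '';
if ($sid == '' || $sid != $userdata['session_id']) {
    message_die(GENERAL_ERROR, 'Invalid_session');
}

// Same query as the original, but $smiley_id is now guaranteed to be an int.
$sql = "SELECT *
    FROM " . SMILIES_TABLE . "
    WHERE smilies_id = " . $smiley_id;
$result = $db->sql_query($sql);
```

The same two changes apply to the 'style_id' parameter in "admin_styles.php" and to any other admin script that the grep suggested in the report shows to be missing the session check.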


 
 


Copyright 2012, SecurityGlobal.net LLC