Bugtraq mailing list archives

Re: phpBB 2.06 search.php SQL injection

From: Jay Gates <zarath () knightsofchaos com>
Date: 28 Nov 2003 10:04:28 -0000

In-Reply-To: <3FC680E1.20563.5632F88@localhost>

Greetings BugTraq,

I have tested this vulnerability fairly extensively since it was announced on phpBB.com. Even though the version I'm 
using clearly has the vulnerable code it in, it does not seem to work as easily as this is being made out. My server is 
running PHP 4.3.4, and MySQL 4.0.15. The way I tested (which you didn't provide any proof of concept code) was through 
a UNION command -> http://yourdomain/yourforums/search.php?search_id=1 UNION select `user_password` from `phpbb_users` 
where user_id=1/* 

However, due to the fact that it uses an array function to pull all the relative information and the hash returns a 
single value without the seperators, it won't acknowledge that a result was returned.

If you try -> http://yourdomain/yourforums/search.php?search_id=1 or 1=1 UNION select `user_password` from 
`phpbb_users` where user_id=1/*
It will return all search results, but since it will only handle the first returned column and doesn't loop over them, 
it still won't display the password hash.

From what I've tried so far, this doesn't really seem to be a critical vulnerability -- just an SQL injection that 
would allow you to get maybe the prefix of the forum tables or other insignifcant information.


The SQL injection still exists if that URL you specified "http://your_site/phpBB2/search.php?search_id=1"; returns "No 
topics or posts met your search criteria", also. A better way to test would be to mess with the query. Something like 
-> http://your_site/phpBB2/search.php?search_id=1 or blah=blah if that returns a debugging error, that means your 
boards are vulnerable.

Zarath

Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
Precedence: bulk
Date: Thu, 27 Nov 2003 22:55:29 +0100
From: n.teusink () planet nl
Subject: phpBB 2.06 search.php SQL injection
To: bugtraq () securityfocus com
Message-id: <3FC680E1.20563.5632F88@localhost>
MIME-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
Priority: normal

Hello bugtraq readers,

A vulnerability exists in phpBB 2.06 that could allow an attacker to manipulate SQL 
queries and gain administrative control over the forum.
The search.php script of the application does not sufficiently sanitize the input of the 
"search_id" parameter. As a result of this an attacker could manipulate the SQL 
query the script performs and potentially extract information such as password 
hashes from the database.

Impact
-----------

The impact depends on the database solution in use. When testing the bug with 
MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5 
password hash. Armed with this hash an attacker could modify his cookie accordingly 
and log in as administrator without having to decode the hash. The attacker would 
then have complete control over the board and could execute other SQL queries from 
the admin panel.

Patch
-----------

I notified the the phpBB 2.06 developers and they have patched the script. phpBB 
users should download the latest 2.06 version from http://www.phpbb.com
A way to manually fix the issue can be found here: 
http://www.phpbb.com/phpBB/viewtopic.php?t=153818

A simple way to test if the bug is patched is:
http://your_site/phpBB2/search.php?search_id=1If patched, this should return the message "No topics or posts met your 
search 
criteria". If unpatched you will get an SQL error (or just a general error if DEBUG 
mode is off).

Cheers,

Niels Teusink

www.teusink.net

Current thread:

phpBB 2.06 search.php SQL injection n . teusink (Nov 27)
- <Possible follow-ups>
- Re: phpBB 2.06 search.php SQL injection Jay Gates (Nov 28)
- Re: phpBB 2.06 search.php SQL injection n . teusink (Nov 28)
- Re: phpBB 2.06 search.php SQL injection Hat-Squad Security Team (Nov 29)