Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

SQL Injection in phpBB's groupcp.php

From: Jay Gates <zarath () knightsofchaos com>
Date: 29 Dec 2003 14:08:37 -0000


BugTraq,

I have found an SQL injection vulnerability in phpBB. Hoever, I don't think this is going to be be a wide spread 
problem as it will only work if you are the moderator of a group.

How the SQL injection works:

In groupscp, it uses an array set to delete members from certain groups. This array set is sent through a quick loop to 
put all the values into a variable seperated by , s and then used in an IN check in the SQL query to delete the members 
that you've selected. 
Code:
$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS['pending_members'] 
: $HTTP_POST_VARS['members'];

$sql_in = '';
for($i = 0; $i < count($members); $i++)
{
        $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
}

After this the $sql_in variable is not checked or changed at all, and this is where I found the SQL injection to be 
possible... There are two places this is used, first is through a check on if you're the moderator of a group, if you 
are it will run an if IN check on the array first:

$sql = "SELECT ug.user_id, ug.group_id 
        FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug 
        WHERE ug.user_id IN  ($sql_in) 
        AND aa.group_id = ug.group_id 
        AND aa.auth_mod = 1 
        GROUP BY ug.user_id, ug.group_id 
        ORDER BY ug.user_id, ug.group_id";


From this, it will pull a list of the users in the group and if they're moderators from being in the group... If they 
are, it will remove their securities.


Now the second one becomes more critical, this is after the check on if moderator:

$sql = "DELETE FROM " . USER_GROUP_TABLE . " 
        WHERE user_id IN ($sql_in) 
        AND group_id = $group_id";

Since this again uses an IN check on the unchecked $sql_in, you can easily replace it with something such as $sql_in = 
1) or 1=1/*
That would cause, every person in a group to be automatically deleted from it.

To fix this vulnerability, it's fairly simple. Open your groupcp.php file.
Find
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];

and replace it with
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);


I'm providing no proof of concept code because you can easily check if you're vulnerable by searching for the first 
line in your groupcp.php file.

Thanks,
  Zarath
Previous By Date Next
Previous By Thread Next

Current thread: