phpBB Fixed full path disclosure in username handling - 2.0.11

[Aaron Horst <anthrax101 () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I. BACKGROUND

phpBB is a high powered, fully scalable, and highly customizable Open
Source bulletin board package. phpBB has a user-friendly interface,
simple and straightforward administration panel, and helpful FAQ.
Based on the powerful PHP server language and your choice of MySQL,
MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
ideal free community solution for all web sites.

II. DESCRIPTION

The phpbb_clean_username function has an improper order of execution
allowing path and SQL table disclosure. The substr function should be
called before extra backslash (\) characters are stripped from the
string to force valid SQL requests. If it is not stripped after the
substr command, it is possible to remove the second backslash
character in a previously addslashes string (\). The following code
around line 80 in includes\functions.php is the problem:

$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);

This is a trivial error, not very worrying. In some configurations
this could possibly be used for either cross site scripting or SQL
injection, however it does not appear that phpBB v2.0.11 is
vulnerable to these attacks.

The following actions are susceptible to this attack:

Login
Password reminder
Add a member to a group
Post by a user who is not logged in
Search by username
Search for username
Send private message
View users profile

To attack any of these actions, attempt to submit the username
"ABCDEFGHIJKLMNOPQRSTUVWX\YZ" (Note \ character, there must be
trailing characters after that character)

III. FIX

To alleviate this issue, the code around line 80 of
includes\functions.php should be changed as follows:

$username = substr(htmlspecialchars(str_replace("\\'", "'",
trim($username))), 0, 25);
$username = rtrim($username, "\\");
$username = str_replace("'", "\\'", $username);

An upgrade to phpBB v2.0.12 includes this fix.

III. ANALYSIS

This report was created based on phpBB v2.0.11. It was discovered on
12/30/04. It was also independently discovered by kaosone+[ONE]+ on
2/19/04, and posted to the bugtraq mailing list.



AnthraX101

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQhq/Aw4h295M1tC9EQJW2wCgh8jhb97Vc4ZlUkzm/i5VtEiBQ1QAoKuH
UMHOhx0R9jRTU58YO5Oq91C5
=192I
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html