
View Full Version : Possible phpBB <=2.0.11 bug or sql injection?



18/02/05, 02:05
Since phpbb's website says not to post it on their forum, I guess I'll post my findings here.

http://www.phpbb.com/phpBB/search.php?search_author=\*\'fnfnfffffa,'\*\*\cdf


or

http://www.phpbb.com/phpBB/search.php?search_author=\*\*\*\*\*\*\*\*\*\

It seems it has something to do with the \'s, *'s and length. I am not sure if this is a big bug but I decided to try that after looking at search.php
************************************************

$search_author = str_replace('*', '%', trim($search_author));

$sql = "SELECT user_id
FROM " . USERS_TABLE . "
WHERE username LIKE '" . str_replace("\'", "''", $search_author) . "'";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching for: $search_author)", "", __LINE__, __FILE__, $sql);
}
*********************************************

Not sure if this is anything, but it seems to be running in the sql and erroring.

Thanks for your time,
jtm

Exoduks
19/02/05, 00:55
In-Reply-To: <20050217095457.23821.qmail@www.securityfocus.com>

>
>http://www.phpbb.com/phpBB/search.php?search_author=\*\'fnfnfffffa,'\*\*\cdf
>
>or
>
>http://www.phpbb.com/phpBB/search.php?search_author=\*\*\*\*\*\*\*\*\*

I have noticed that this only works if php.ini is set like this:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Miguel Angel Rodríguez Jódar
19/02/05, 04:05
> It seems it has something to do with the \'s, *'s and length. I am not
> sure if this is a big bug but I decided to
> try that after looking at search.php

Not sure either but I think it's quite serious as the name of the database,
among other things, is displayed.
Maybe it's a good idea to alter that line so "irrelevant" information remains
hidden (at least until a better solution arrives):

if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching for: $search_author)");
}

--
Miguel Angel Rodriguez Jodar | http://www.atc.us.es
Departamento de Arquitectura y Tecnologia de Computadores
Universidad de Sevilla
Spain

Giacomo Rizzo
20/02/05, 09:05

It does not seem to be a SQL injection vulnerability. In fact, it just
looks like a wrong replacement, but it's confined to the 'string'.

Actually the real problem is that this error, when debug mode is active,
makes anyone discover the $prefix value, which should be kept secret in
case of blind sql injections...

Giacomo
--
# @@@
# (0 0)
===================ooO=(_)=Ooo=======================================
# Name: Giacomo Rizzo [ aka: alt-os ] - http://www.free-os.it
# OS: Gnu (Slackware 10.0/Linux 2.6.7)
# --
# HANC Coordinator (http://www.hancproject.org)
# POuL Coordinator (http://www.poul.org)
# --
# Linux Registered User: #331781, Linux Registered Machine: #216123
=====================================================================


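To make the thread's two points concrete (the str_replace chain in search.php only mangles the value inside the string literal, and the real exposure is the detailed error message), here is an added example that is not part of the thread or of phpBB. It is Python rather than PHP so it can run anywhere: addslashes() below emulates magic_quotes_gpc = On with magic_quotes_sybase = Off, phpbb_author_sql() rebuilds the query text the quoted fragment would send (for inspection only), and find_user_ids() is a hardened replacement that binds the pattern as a parameter with an explicit ESCAPE clause and returns a generic error that never carries the SQL or the table prefix. The table name phpbb_users, the sample users and the SearchError class are constructed for the example; the database is SQLite, whose LIKE rules differ in detail from MySQL's.

```python
import logging
import sqlite3

log = logging.getLogger("phpbb_search_demo")

GENERIC_ERROR = "Couldn't obtain list of matching users"


def addslashes(s: str) -> str:
    """Emulate PHP magic_quotes_gpc (magic_quotes_sybase = Off): prefix ' " \\ and NUL
    with a backslash, which is what the GET value looks like when search.php sees it."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def phpbb_author_sql(raw_get_value: str, users_table: str = "phpbb_users") -> str:
    """Rebuild the query text the quoted search.php fragment would produce:
    trim, '*' -> '%', then str_replace("\\'", "''") on the already slashed input.
    Returned for inspection only; it is never executed here."""
    search_author = addslashes(raw_get_value).strip().replace("*", "%")
    literal = search_author.replace("\\'", "''")
    return f"SELECT user_id FROM {users_table} WHERE username LIKE '{literal}'"


class SearchError(Exception):
    """Raised on a DB failure; its message never carries SQL, table names or the prefix."""


def escape_like(text: str, esc: str = "\\") -> str:
    """Make LIKE metacharacters in user text literal; the user's '*' is mapped to '%' later."""
    return text.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def find_user_ids(conn: sqlite3.Connection, raw_value: str,
                  users_table: str = "phpbb_users") -> list:
    """Hardened lookup: the pattern travels as a bound parameter with an explicit ESCAPE
    clause, so quotes and backslashes never reach the SQL text. users_table is a
    configuration constant (like phpBB's USERS_TABLE), never user input."""
    pattern = escape_like(raw_value.strip()).replace("*", "%")
    sql = f"SELECT user_id FROM {users_table} WHERE username LIKE ? ESCAPE '\\' ORDER BY user_id"
    try:
        rows = conn.execute(sql, (pattern,)).fetchall()
    except sqlite3.Error as exc:
        # Full detail stays in the server log; the client only ever sees GENERIC_ERROR.
        log.error("user search failed: sql=%r pattern=%r error=%s", sql, pattern, exc)
        raise SearchError(GENERIC_ERROR) from exc
    return [row[0] for row in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data for the example, not real phpBB content."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?)",
        [(1, "alice"), (2, "O'Brien"), (3, "bob_smith"), (4, "bobby"),
         (5, "bobXsmith"), (6, "\\admin")],
    )
    return conn


if __name__ == "__main__":
    # The first URL from the thread: the value stays inside the quoted literal.
    print(phpbb_author_sql("\\*\\'fnfnfffffa,'\\*\\*\\cdf"))
    conn = demo_db()
    print(find_user_ids(conn, "bob*"))       # [3, 4, 5]
    print(find_user_ids(conn, "bob_smith"))  # [3]  ('_' is literal, bobXsmith not matched)
    print(find_user_ids(conn, "O'Brien"))    # [2]
```

The second function is the one to keep: with parameter binding the only transformation applied to the user's text is the LIKE escaping, and the error path keeps the query, the prefix and the driver message out of the response, which is what both Miguel's trimmed message_die() call and Giacomo's remark about $prefix are after.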