Computer Security
[EN] securityvulns.ru
From: Janek Vind <come2waraxe_(at)_yahoo.com>
Date: 24.03.2004
Subject: [waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c]





{================================================================================}
{                              [waraxe-2004-SA#009]                              }
{================================================================================}
{                                                                                }
{            [ Non-critical Sql injection and XSS bug in PhpBB 2.0.6c ]          }
{                                                                                }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 16. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpBB is widely used and very popular forum software, written in PHP.
Homepage:  http://www.phpbb.com/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Original code from admin_words.php, $Id: admin_words.php,v 1.10.2.2 2002/05/12 15:57:45,
starting from line 74:

-------------------------------

if( $mode == "edit" )
{
    if( $word_id )
    {
        // $word_id is interpolated into the SQL text unquoted and uncast
        $sql = "SELECT *
            FROM " . WORDS_TABLE . "
            WHERE word_id = $word_id";
        if(!$result = $db->sql_query($sql))
        {
            message_die(GENERAL_ERROR, "Could not query words table", "Error", __LINE__, __FILE__, $sql);
        }

        $word_info = $db->sql_fetchrow($result);
        // the same $word_id is echoed unescaped into an HTML attribute
        $s_hidden_fields .= '<input type="hidden" name="id" value="' . $word_id . '" />';
    }
    else
    {
        message_die(GENERAL_MESSAGE, $lang['No_word_selected']);
    }
}

--------------------------------

As we can see, the parameter $word_id is put into the SQL query WITHOUT single quotes (and without
being cast to an integer), so SQL injection is possible, for example with the UNION method:


http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=-1%20UNION%20ALL%20SELECT%20null/*

and we get error feedback:

------------------------------------------------

Error Could not query words table

DEBUG MODE

SQL Error : 1222 The used SELECT statements have a different number of columns

SELECT * FROM phpbb_words WHERE word_id = -1 UNION ALL SELECT null/*

Line : 83
File : D:\apache_wwwroot\phpbb206c\admin\admin_words.php

------------------------------------------------

By using so-called "blind" SQL injection methods, we can pull any information out of the SQL
database. So why am I categorizing this bug as "non-critical"? Because we first need to be logged
in as forum administrator to make a successful attack. So it's not such a "useful" security bug ;)
But let's think again - what if we make a request like this:


http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=1/*"><script>alert(document.cookie);</script


So, in this way we can turn a not-so-useful SQL injection bug into a very useful XSS exploit: the same
unfiltered $word_id is also written unescaped into the hidden input's value attribute (see the code above).
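A hardened rewrite of the edit branch quoted above, as an added example that is not phpBB's own code or its actual fix: the id is validated as a positive integer and rejected otherwise, bound as a typed query parameter, and attribute-encoded before it reaches the hidden field. It assumes an in-memory SQLite database through PDO in place of phpBB 2's $db layer.

```php
<?php
// Added example, not phpBB's own code: a hardened rewrite of the admin_words.php
// "edit" branch. Assumes PDO + SQLite (in memory) instead of phpBB 2's $db layer.
define('WORDS_TABLE', 'phpbb_words');

// Strict validation of the "id" parameter: only a positive integer passes.
// Rejecting beats intval(), which would silently turn '1/*"><script>...'
// into 1 and hide that a malformed request was made.
function parse_word_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The original interpolated $word_id into the SQL text; here it is bound
// as a typed parameter, so input can never change the query's structure.
function fetch_word(PDO $db, int $word_id): ?array
{
    $stmt = $db->prepare('SELECT * FROM ' . WORDS_TABLE . ' WHERE word_id = :id');
    $stmt->bindValue(':id', $word_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The original echoed $word_id unescaped into value="..."; that attribute
// is the XSS sink, so the value is attribute-encoded before output.
function hidden_id_field(int $word_id): string
{
    return '<input type="hidden" name="id" value="'
        . htmlspecialchars((string) $word_id, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample data standing in for a real phpbb_words table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ' . WORDS_TABLE . ' (word_id INTEGER PRIMARY KEY, word TEXT, replacement TEXT)');
$db->exec('INSERT INTO ' . WORDS_TABLE . " VALUES (1, 'badword', '***')");

// A legitimate id followed by the two request values quoted in the advisory.
$requests = ['1', '-1 UNION ALL SELECT null/*',
             '1/*"><script>alert(document.cookie);</script'];
foreach ($requests as $raw) {
    $id = parse_word_id($raw);
    if ($id === null) {
        echo "rejected malformed id (worth logging): $raw\n";
        continue;
    }
    $row = fetch_word($db, $id);
    echo ($row ? "found '{$row['word']}' " : 'no such word ') . hidden_id_field($id) . "\n";
}
```

Both advisory payloads are refused before any query runs, while the legitimate id is looked up and rendered safely.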




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Greets to torufoorum staff and to all IT security related people in Estonia!
Greetings!
Special greets to ulljobu!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   come2waraxe@yahoo.com
   Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod