20th Feb 2002 [SBWID-5118]
COMMAND
mysql injection bug
SYSTEMS AFFECTED
Version: 1.14 and maybe all versions before
PROBLEM
ppp-design [http://www.ppp-design.de] found the following:
pforum is a www-board system using php and mysql. Although the author
seems to try to eliminate malicious code (e.g. unwanted html-code) in
the inputs, he relies on php Magic-Quotes for adding slashes to some
user input. Therefore it is possible to use an sql-injection-attack to
log in as admin or user without having the correct password.
If the affected webserver has not enabled php's magic_quotes_gpc in
the php.ini, it is possible to log in as any user, admin or moderator.
So you can e.g. delete even complete boards. Because the admin of the
board may have no access to the php.ini of the webserver, he may not be
able to fix the bug easily on his own. Not only the login page is
affected; the change-password form (and maybe some other forms) suffers
from the same sql-injection bug, too.
Without Magic-Quotes enabled, just log in with the username
"admin' OR username='admin". If the user admin is an existing user,
you are logged in without the proper password. If the user admin is an
administrator, you have all administrator privileges on the board. The
same concept works for the change-password form. In case you have
forgotten your password you get an id via mail to your registered
e-mail address, so you can change your password to a new one. Here you
have to use changepass.php and enter your id like "123' or
'a'='a" to change your password to any desired one.
SOLUTION
Temporary-fix
-------------
Enable magic_quotes_gpc in your php.ini.
Patch will be available soon.
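The login and change-password flaws described above, next to an application-side fix that does not depend on php.ini, as an added example (not pforum's code). It uses Python with an in-memory SQLite database in place of PHP and MySQL; the table, column and function names and the query shapes are assumptions, and only the two input strings come from the advisory.

```python
import sqlite3

# The two input strings quoted in the advisory text.
LOGIN_PAYLOAD = "admin' OR username='admin"
RESET_PAYLOAD = "123' or 'a'='a"

def make_db():
    """Constructed sample data; schema and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, reset_id TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "constructed-admin-pw", "501"),
                    ("alice", "constructed-alice-pw", "502")])
    return db

def login_concatenated(db, username, password):
    # Input is pasted into the SQL text, so a quote in it ends the literal.
    # AND binds tighter than OR, so the advisory's username yields
    #   username='admin' OR (username='admin' AND password='...')
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    # Placeholders keep the input as data; quotes in it are compared literally.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()

def reset_concatenated(db, reset_id, new_password):
    # Same flaw in the change-password path: 'a'='a' is true for every row.
    sql = ("UPDATE users SET password='" + new_password +
           "' WHERE reset_id='" + reset_id + "'")
    return db.execute(sql).rowcount

def reset_parameterized(db, reset_id, new_password):
    # Only the row whose reset_id equals the supplied string is updated.
    sql = "UPDATE users SET password=? WHERE reset_id=?"
    return db.execute(sql, (new_password, reset_id)).rowcount

if __name__ == "__main__":
    print(login_concatenated(make_db(), LOGIN_PAYLOAD, "wrong"))
    print(login_parameterized(make_db(), LOGIN_PAYLOAD, "wrong"))
    print(reset_concatenated(make_db(), RESET_PAYLOAD, "x"))
    print(reset_parameterized(make_db(), RESET_PAYLOAD, "x"))
```

Passwords are stored in plain text here only to keep the queries short; the point of the block is query construction, not credential storage.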