
phpBB 2.06 search.php SQL injection
Fw: phpBB 2.06 search.php SQL injection


----- Original Message -----
From:  
To:  
Sent: Thursday, November 27, 2003 1:55 PM
Subject: phpBB 2.06 search.php SQL injection


> Hello bugtraq readers,
>
> A vulnerability exists in phpBB 2.06 that could allow an attacker to
> manipulate SQL queries and gain administrative control over the forum.
> The search.php script of the application does not sufficiently sanitize
> the input of the "search_id" parameter. As a result of this an attacker
> could manipulate the SQL query the script performs and potentially extract
> information such as password hashes from the database.
>
> Impact
> -----------
>
> The impact depends on the database solution in use. When testing the bug
> with MySQL 4 on Apache 2 with PHP4, I was able to obtain my board
> administrator MD5 password hash. Armed with this hash an attacker could
> modify his cookie accordingly and log in as administrator without having
> to decode the hash. The attacker would then have complete control over
> the board and could execute other SQL queries from the admin panel.
>
> Patch
> -----------
>
> I notified the phpBB 2.06 developers and they have patched the script.
> phpBB users should download the latest 2.06 version from http://www.phpbb.com
> A way to manually fix the issue can be found here:
> http://www.phpbb.com/phpBB/viewtopic.php?t=153818
>
> A simple way to test if the bug is patched is:
> http://your_site/phpBB2/search.php?search_id=1\
> If patched, this should return the message "No topics or posts met your
> search criteria". If unpatched you will get an SQL error (or just a general
> error if DEBUG mode is off).
>
> Cheers,
>
> Niels Teusink
>
> www.teusink.net 
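The following is an added example, not code from the advisory, from phpBB, or from the author above. It models the bug class the mail describes, an integer "search_id" parameter pasted into a query without sanitisation, against a constructed in-memory SQLite table. The table name and columns (search_results with search_id, session_id, search_array), the exact query shape, the sample rows, the "0 OR 1=1 --" tautology payload, and the "SQL Error"/"General Error" strings used by the response classifier are all assumptions for illustration; the integer cast shown as the fix mimics PHP's intval() and is a standard remedy, not necessarily the exact change phpBB shipped. The point it demonstrates is why the advisory's `search_id=1\` probe errors on the vulnerable build and returns an empty result on the fixed one, and how the unsanitised version lets a caller read cached searches belonging to other sessions.

```python
"""Model of the unsanitised search_id parameter and its integer-cast fix.

Added example: not phpBB code. Schema, query shape and sample data are
constructed assumptions; sqlite3 stands in for MySQL, and like MySQL it
rejects a stray backslash in the SQL text with a syntax error.
"""
import re
import sqlite3

# Constructed schema: one cached-search row per session (assumption, not
# phpBB's real DDL). The attacker's own search has id 3, the admin's id 7.
SCHEMA = """
CREATE TABLE search_results (
    search_id    INTEGER,
    session_id   TEXT,
    search_array TEXT
);
INSERT INTO search_results VALUES (3, 'sess-attacker', 'attacker cached search');
INSERT INTO search_results VALUES (7, 'sess-admin',    'admin cached search');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_vulnerable(search_id, session_id):
    """Assumed vulnerable shape: the raw GET parameter lands in the SQL text."""
    sql = ("SELECT search_array FROM search_results "
           f"WHERE search_id = {search_id} AND session_id = '{session_id}'")
    return sql, ()


def php_intval(value):
    """Mimic PHP intval() on a string: leading integer prefix, else 0.

    '1\\' -> 1 and '0 OR 1=1 --' -> 0, so nothing but digits reaches the query.
    """
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def build_query_fixed(search_id, session_id):
    """Hardened: cast the id to an integer and bind both values as parameters."""
    sql = ("SELECT search_array FROM search_results "
           "WHERE search_id = ? AND session_id = ?")
    return sql, (php_intval(search_id), session_id)


def run_search(builder, search_id, session_id):
    """Run one search the way search.php would.

    Returns ('ok', rows) on success, where an empty list is the case the
    advisory describes as "No topics or posts met your search criteria",
    or ('sql_error', message) when the database rejects the query.
    """
    conn = make_db()
    sql, params = builder(search_id, session_id)
    try:
        rows = [r[0] for r in conn.execute(sql, params)]
    except sqlite3.OperationalError as e:
        return ("sql_error", str(e))
    finally:
        conn.close()
    return ("ok", rows)


def classify_response(body):
    """The advisory's patch check applied to an already-fetched response body.

    The error strings are assumptions about how the forum reports failures.
    """
    if "No topics or posts met your search criteria" in body:
        return "patched"
    if "SQL Error" in body or "General Error" in body:
        return "unpatched"
    return "unknown"


if __name__ == "__main__":
    probe = "1\\"  # the advisory's probe, search_id=1\
    print("vulnerable, probe:", run_search(build_query_vulnerable, probe, "sess-attacker"))
    print("fixed, probe:     ", run_search(build_query_fixed, probe, "sess-attacker"))
    # Query manipulation with an assumed tautology payload: the attacker's own
    # session, but the WHERE clause is rewritten to return every cached search.
    payload = "0 OR 1=1 --"
    print("vulnerable, payload:", run_search(build_query_vulnerable, payload, "sess-attacker"))
    print("fixed, payload:     ", run_search(build_query_fixed, payload, "sess-attacker"))
```

Running the script shows the three outcomes the advisory distinguishes: the backslash probe is a syntax error on the unsanitised build (the "SQL error" the mail says to expect), the same probe on the cast-and-bind build simply finds no cached search, and only the unsanitised build lets the tautology payload read another session's row.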
