[VIM] [OSVDB Mods] [Change Request] 21565: phpBB Blog index.php permalink Variable SQL Injection (fwd)
security curmudgeon
jericho at attrition.org
Fri Jan 13 08:33:13 EST 2006
---------- Forwarded message ----------
From: Tony Boyd
To: security curmudgeon <jericho at attrition.org>
Cc: moderators at osvdb.org
Date: Fri, 13 Jan 2006 05:32:09 -0800
Subject: Re: [OSVDB Mods] [Change Request] 21565: phpBB Blog index.php permalink Variable SQL Injection
Brian,
No errors. See here:
http://www.outshine.com/phpbbblog/demo/?permalink=302'
http://www.outshine.com/phpbbblog/demo/?permalink=302';SHOW TABLES:
http://www.outshine.com/phpbbblog/demo/?permalink=302';'SELECT * FROM foo'
Since my program strips everything except numbers, only "302" appears in the
SQL query.
-Tony
security curmudgeon wrote:
> Hi Tony,
>
> : I believe your notice about SQL injection into phpBB Blog is incorrect.
> :
> : As the author, I saw the advisory, and attempted to do as shown (append
> : SQL to the URL string). The SQL was not executed.
> :
> : In addition, the advisory suggests that the script is not properly
> : sanitizing user-supplied input to the "permalink" variable. However, it
> : is. This line in blog.php sanitizes the data:
> :
> : $perma_id = preg_replace("/[^0-9]/", "", $_GET['permalink']);
>
> Can you try supplying a single quote character (') to the variable, and see
> if it throws an SQL error? The person who originally found this is well known
> for only performing that test before claiming "sql injection". If it does
> throw an SQL error, that is what prompted his assumption, even if the
> variable is sanitized. 9 times out of 10, seeing an SQL error in such a case
> *is* an indication of injection possibility. However, 1 out of 10 it's a
> false positive =)
>
> Brian
> OSVDB.org
>
>
>
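An added example, not code from phpBB Blog or from either correspondent: it models the preg_replace filter quoted from blog.php, runs the query strings from the three test URLs (plus a lone quote, the probe Brian describes) through it, and shows what reaches the SQL in each case. The table and column names and the stricter `permalink_id()` check are assumptions for illustration.

```php
<?php
// Added example, not phpBB Blog's own code: model the filter quoted from
// blog.php and see what reaches the query for each test string in the thread.

// The sanitizing line quoted from blog.php.
function sanitize_permalink(string $raw): string
{
    return preg_replace("/[^0-9]/", "", $raw);
}

// Stricter variant (assumed, not from the project): accept only a non-empty
// all-digit value and hand back a real integer, otherwise reject.
function permalink_id(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Query strings from the test URLs in the thread, plus a lone quote, which is
// the usual "does it throw an SQL error" probe mentioned in the reply.
$tests = ["302'", "302';SHOW TABLES:", "302';'SELECT * FROM foo'", "'"];

foreach ($tests as $raw) {
    $perma_id = sanitize_permalink($raw);
    // Table and column names are assumed for illustration.
    $sql = "SELECT * FROM blog_posts WHERE post_id = " . $perma_id;
    printf("%-28s filter -> %-5s query -> %s\n",
        json_encode($raw), json_encode($perma_id), $sql);

    // In this model the filter alone turns a lone quote into an empty id, so
    // the query ends in "post_id = " and fails with a syntax error: an SQL
    // error with no injection, the kind of false positive the thread describes.
    // The strict check rejects that input instead of building a broken query.
    $id = permalink_id($raw);
    echo "  strict check: ", $id === null ? "rejected" : "id=$id", "\n";
}
```

For the three URLs from the reply the filter yields exactly "302", matching Tony's observation; only the bare quote produces an empty id.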