[VIM] [OSVDB Mods] [Change Request] 21565: phpBB Blog index.php permalink Variable SQL Injection (fwd)

security curmudgeon jericho at attrition.org
Fri Jan 13 08:33:13 EST 2006

---------- Forwarded message ----------
From: Tony Boyd
To: security curmudgeon <jericho at attrition.org>
Cc: moderators at osvdb.org
Date: Fri, 13 Jan 2006 05:32:09 -0800
Subject: Re: [OSVDB Mods] [Change Request] 21565: phpBB Blog index.php permalink
      Variable SQL Injection


No errors.  See here:

http://www.outshine.com/phpbbblog/demo/?permalink=302';SHOW TABLES:
http://www.outshine.com/phpbbblog/demo/?permalink=302';'SELECT * FROM foo'

Since my program strips everything except numbers, only "302" appears in the 
SQL query.


security curmudgeon wrote:

> Hi Tony,
> : I believe your notice about SQL injection into phpBB Blog is incorrect.
> : : As the author, I saw the advisory, and attempted to do as shown (append : 
> SQL to the URL string).  The SQL was not executed.
> : : In addition, the advisory suggests that the script is not properly : 
> sanitizing user-supplied input to the "permalink" variable.  However, it : 
> is.  This line in blog.php sanitizes the data:
> : : $perma_id = preg_replace("/[^0-9]/", "", $_GET['permalink']);
> Can you try supplying a single quote character (') to the variable, and see 
> if throws an SQL error? The person who originally found this is well known 
> for only performing that test before claiming "sql injection". If it does 
> throw an SQL error, that is what prompted his assumption, even if the 
> variable is sanitized. 9 times out of 10, seeing an SQL error in such a case 
> *is* an indication of injection possibility. However, 1 out of 10 it's a 
> false positive =)
> Brian
> OSVDB.org

More information about the VIM mailing list