R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Monday, 21st April 2014 @ 10:35:39 GMT 
Reports | phpBB 2.0.5 (latest release) SQL injection vulnerability
{21st Jun 2003}
A recent post to the BugTraq mailing list reveled yet another vulnerability found in phpBB "a high powered, fully scalable, and highly customisable open-source bulletin board package".

The post contains ingenious proof of concept code, to circumvent phpBB's inbuilt security measures, specifically the fact that with this vulnerability, only integers can be passed back to the client.  In this case the MD5 password hash of a specific user is passed back one character at a time.

The attack was found to be successful when carried out against a test machine setup running "mysql Ver 12.20 Distrib 4.0.13" however only when PHP was configured with the ‘register_globals' variable set to on - a common configuration on most web servers, which will hopefully be eradiated with the increased implementation of PHP 4 (defaults to setting register_globlals = off).

For the test scenario a user was registered on the phpBB board with username ‘test', and password ‘test123'. The MD5 hash of ‘test123' (cc03e747a6afbbcbf8be7668acfebee5) was gained by executing the following Perl code:
use Digest::MD5 qw(md5_hex);
$digest = md5_hex("test123");
print "$digest\n";

Next the provided exploit code was run using the following command:
perl phpsqlexploit.pl localhost http://localhost/phpBB2/viewtopic.php 3

which issued the response :
Trying to get password hash for uid 3 server localhost dbtype: mysql4
MD5 Hash for uid 3 is cc03e747a6afbbcbf8be7668acfebee5

Note: The MD5 hash gained from the exploit can be see to match that of the known hash for the password ‘test123'.

Once gained by the attacker, the MD5 password hash can be used in two main ways.  An attempt can be made to brute force it (a 7 character password on a reasonable spec' machine would take a couple of hours) or it can be inserted into a custom made HTTP get request - both methods lead to successful compromise of a phpBB user account.

Actual log entries gained from a successful attack, along with the raw HTML traffic sent back by the client, are available for download from: content/temp/phpbb_sql_int_inqection.txt

Telltale signs of attack are 32 sequential log entries with the following common string "viewtopic.php?sid=1&topic_id=-1".

The emergence, and sheer ingenuity of this code is likely to send a harsh wakeup call to PHP / SQL developers everywhere about the potential security consequences of allowing user specified integers back to clients.

A fix for those running phpBB is available from: http://www.phpbb.com/phpBB/viewtopic.php?t=112052