Reports: phpBB 2.0.5 (latest release) SQL injection vulnerability {21st Jun 2003}
A recent post to the BugTraq mailing list revealed yet another vulnerability found in phpBB, "a high powered, fully scalable, and highly customisable open-source bulletin board package".
The post contains ingenious proof of concept code that circumvents phpBB's inbuilt security measures, in particular the restriction that, with this vulnerability, only integers can be passed back to the client: the MD5 password hash of a specific user is instead retrieved one character at a time.
The attack was found to be successful when carried out against a test machine running "mysql Ver 12.20 Distrib 4.0.13", but only when PHP was configured with the 'register_globals' setting on - a common configuration on most web servers, which will hopefully be eradicated with the increased adoption of PHP 4 (which defaults to register_globals = off).
For the test scenario a user was registered on the phpBB board with username 'test' and password 'test123'. The MD5 hash of 'test123' (cc03e747a6afbbcbf8be7668acfebee5) was obtained by running the following Perl code:
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);    # md5_hex returns the digest as 32 lowercase hex characters
my $digest = md5_hex("test123");
print "$digest\n";              # prints cc03e747a6afbbcbf8be7668acfebee5
Next the provided exploit code was run with the following command:
perl phpsqlexploit.pl localhost http://localhost/phpBB2/viewtopic.php 3
which produced the response:
Trying to get password hash for uid 3 server localhost
dbtype: mysql4
MD5 Hash for uid 3 is cc03e747a6afbbcbf8be7668acfebee5
Note: the MD5 hash obtained by the exploit can be seen to match the known hash of the password 'test123'.
Once obtained by the attacker, the MD5 password hash can be used in two main ways. An attempt can be made to brute force it (a 7 character password on a reasonably specified machine would take a couple of hours), or it can be inserted into a custom-made HTTP GET request - both methods lead to successful compromise of a phpBB user account.
Actual log entries gained from a successful attack, along with the raw HTML
traffic sent back by the client, are available for download from:
content/temp/phpbb_sql_int_inqection.txt
Telltale signs of attack are 32 sequential log entries (one per character of the 32-character MD5 hash) containing the common string "viewtopic.php?sid=1&topic_id=-1".
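As an added example (not code from the RootSecure report or from phpBB), the following Python script applies that telltale sign to web server access logs: it flags any client that issues 32 or more requests containing the marker string within a short window. It assumes Apache common log format and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Request substring the report names as the common marker of the attack.
MARKER = "viewtopic.php?sid=1&topic_id=-1"
# Apache common log format: client, identd, user, [timestamp], "METHOD URL PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def parse_line(line):
    """Return (client_ip, timestamp, url), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)

def find_extraction_bursts(lines, threshold=32, window_seconds=300):
    """Return {client_ip: count} for clients that sent `threshold` or more
    marker requests inside any `window_seconds` span.  The default of 32
    matches the report: one request per hex digit of the MD5 hash."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and MARKER in parsed[2]:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times)):            # sliding window over sorted timestamps
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i
                break
    return flagged

# Constructed sample log: one ordinary reader plus one client pulling all 32 hash digits
# (the injected payload that follows the marker in real logs is omitted here).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2003:10:00:00 +0000] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.0" 200 5120',
] + [
    f'192.0.2.10 - - [21/Jun/2003:10:01:{i:02d} +0000] '
    f'"GET /phpBB2/{MARKER} HTTP/1.0" 200 1024'
    for i in range(32)
]

if __name__ == "__main__":
    for ip, n in find_extraction_bursts(SAMPLE_LOG).items():
        print(f"possible hash extraction from {ip}: {n} marker requests")
```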
The emergence and sheer ingenuity of this code is likely to send a harsh wake-up call to PHP / SQL developers everywhere about the potential security consequences of allowing user-specified integers to be returned to clients.
A fix for those running phpBB is available from:
http://www.phpbb.com/phpBB/viewtopic.php?t=112052