mailing list archives
Re: phpBB 2.06 search.php SQL injection
From: n.teusink () planet nl
Date: Fri, 28 Nov 2003 23:25:50 +0100
An exploit has been released by bugtraq by some other group, the issue is
unfortunately not minor... As the exploit shows, the trick is to mimic a search_array.
I was planning on releasing more technical details later, when everybody had a
chance to patch his/her forum.
About my test URL, you are absolutely right, the test url does not work. This is
because in my original mail, the test url was:
somewhere along the way, that backslash ended up just escaping the newline
character. My sincere apologies for the problems this may have caused.
zarath AT knightsofchaos DOT com wrote:
I have tested this vulnerability fairly extensively since it was announced on
Even though the version I'm using clearly has the vulnerable code it in,
it does not seem to work as easily as this is being made out. My server is running
PHP 4.3.4, and MySQL 4.0.15. The way I tested (which you didn't provide any proof
of concept code) was through a UNION command ->
UNION select `user_password` from `phpbb_users` where user_id=1/*
However, due to the fact that it uses an array function to pull all the relative
and the hash returns a single value without the seperators, it won't
acknowledge that a result was returned.
If you try -> http://yourdomain/yourforums/search.php?search_id=1 or 1=1 UNION
`user_password` from `phpbb_users` where user_id=1/*
It will return all search results, but since it will only handle the first returned
column and doesn't loop over them, it still won't display the password hash.
From what I've tried so far, this doesn't really seem to be a critical vulnerability
-- just an SQL injection that would allow you to get maybe the prefix of the
forum tables or other insignifcant information.
The SQL injection still exists if that URL you specified
returns "No topics or posts met your search criteria", also.
A better way to test would be to mess with the query. Something like ->
or blah=blah if that returns a debugging
error, that means your boards are vulnerable.