Search | Research | Contact Us Thursday January 5, 2022
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 eBay And Amazon Still Vulnerable
  4 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  5 Woltlab Burning Board SQL Injection Vulnerability
  6 When Small Mistakes Can Cause Big Problems
  7 Multiple Vulnerabilities In phpWebsite
  8 Critical Vulnerability In Help Center Live
  9 dbPowerAmp Buffer Overflow And DoS Vulnerabilities
10 Document Object Model Hijacking Explained
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
phpBB Notes Mod SQL Injection Vulnerability
April 27, 2022
Vendor : Oxpus
URL : http://www.oxpus.de/
Version : All Versions
Risk : SQL Injection


Description:
oxpus.de author many popular modules and hacks for the amazingly popular phpBB software. One of these modules allows users to keep their own personal memo pad of sorts in the usercp. This particular mod comes standard with packages like orion_phpbb and others. This "notes" module is vulnerable to a serious SQL Injection vulnerability that will allow for an attacker to pull sensitive information from the underlying database, and possibly compromise the integrity of the affected phpBB installation.


SQL Injection:
There is a high risk SQL Injection issue in the phpBB notes module that allows for malicious users to pull sensitive data from the underlying database and possibly compromise the affected phpBB installation. Let's have a look at part of the vulnerable code.
if ( $mode == 'editpost' )
{
	$sql = "SELECT * FROM " . NOTES_TABLE . "
			WHERE post_id = ".$post_id."
			AND poster_id = " . $userdata['user_id'] . " ";
		if (!$result = $db->sql_query($sql))
		{
			message_die(GENERAL_ERROR, "Couldn't query notes table", '', __LINE__, __FILE__, $sql);
		}
		else
		{
			while( $row = $db->sql_fetchrow($result) )
			{
				$subject = $row['post_subject'];
				$bbcode_on = $row['bbcode'];
				$smilies_on = $row['smilies'];
				$acronym_on = $row['acronym'];
				$uid = $row['bbcode_uid'];
				$message = $row['post_text'];
				if ( $row['bbcode_uid'] != '' )
				{
					$message = preg_replace('/\:(([a-z0-9]:)?)' . $uid . '/s', '', $message);
				}
			}
		}
	$page_title = $lang['Edit_Post'];
}
As we can see from this code $post_id is not encapsulated in single quotes. This is appropriate as the expected data type is an integer, but the incoming data is never checked for arbitrary content. The below example can be used to pull a username from the database, but could just as easily be something less "benign".

http://localhost/posting_notes.php?mode=editpost&p;=-99%20UNION%20SELECT%200,0, username,0,0,0,0,0,0%20FROM%20orionphpbb_users%20WHERE%20user_id=2/*

It should also be noted that other functions in the posting_notes.php file are vulnerable as well (i.e.: the delete function). On a side note I would like to send a reminder to ALL webmasters. Whenever you download a third party module from a website there is usually no guarantee or assurance that the code is safe. It is up to you to either have a professional view the code for you, or view it yourself at least before putting it in a place where the general public has access to it.


Solution:
I found this issue in Orion PhpBB, and contacted Sonny from cback.de. He was very helpful and prompt in his response, and has created a mod to help prevent these types of issues. The CrackerTracker mod is found here.

http://community.cback.de/printview.php?t=1724

I believe the new versions of orion phpBB have the fixed files, and if not oxpus.de should have a fix out soon as Sonny has contacted them :)


Credits:
James Bercegay of the GulfTech Security Research Team