phpBB 1.4.2, Remote user is able to modify SQL query.

From: Konrad Rieck (krat_private)
Date: Sun Oct 07 2001 - 15:05:28 PDT

    Hi, 
    
    there is a potential security problem in the current version 1.4.2 and
    previous versions of phpBB (http://www.phpbb.com). A remote user is able to
    modify a string passed as a SQL query to the MySQL database.
    
    The problem exists in the file bb_memberlist.php. A string called $sortby is
    supplied through the URI and directly inserted into a SQL query string if it
    doesn't match the cases of the previous switch statement.
    
    [snip]
    
    switch($sortby) {
       case '':  
          [...]
       case 'posts':
          [...]
    }
    
    $sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";
    
    [snap]
    
    This is a typical example of bad coding practice; the obligatory "default:"
    label has been forgotten/left out/whatever. 
    
    You can easily verify this problem by testing:
    http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate
    
    As you can see, the user list is sorted by the registration date that
    is stored in the column user_regdate. This is not a feature, it's a bug ;).
    
    I am not sure if this problem might be abused to insert, delete or update
    data inside the MySQL database. This part is up to the PHP hackers. 
    
    I have sent two mails regarding this problem to the phpBB developers around
    the 12th of September and didn't get any reply. I think that all phpBB users
    should know about this problem and maybe add the missing "default:"
    statement themselves.
    
    Regards,
    Konrad
    
    -- 
    Konrad Rieck <krat_private>                    
    Roqefellaz - http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
    --           Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3
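The fix the post asks for, as an added example that is not phpBB's own code: map the ?sortby= value through a fixed allowlist so the raw string never reaches the query, which is what a "default:" label would have achieved. The function name buildMemberOrderBy, the column names other than user_regdate, and PHP 7 or later are assumptions; note that bound parameters cannot be used for column names, so an allowlist is the standard defence for ORDER BY.

```php
<?php
// Added example, not code from phpBB. buildMemberOrderBy() is a hypothetical
// name; only user_regdate is a column named in the original post, the other
// column names are assumed for illustration.

function buildMemberOrderBy(string $sortby, string $order = 'ASC'): string
{
    // Allowlist: request keyword => real column name. Any other value falls
    // through to the default entry instead of being interpolated verbatim.
    $allowedSorts = [
        ''       => 'username',       // assumed default column
        'posts'  => 'user_posts',     // assumed column for case 'posts'
        'joined' => 'user_regdate',   // column named in the post
    ];
    $column = $allowedSorts[$sortby] ?? $allowedSorts[''];

    // Sort direction is a two-value allowlist as well.
    $direction = (strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';

    return "ORDER BY $column $direction";
}

// Constructed sample inputs: two expected keywords, the raw column name from
// the post's test URL, and a nonsense value. Only allowlisted keywords change
// the clause; everything else yields the default ordering.
$samples = ['', 'posts', 'user_regdate', 'not-a-column'];
foreach ($samples as $s) {
    $clause = buildMemberOrderBy($s);
    echo str_pad(var_export($s, true), 16) . " => SELECT * FROM users $clause\n";
}
```

Run with `php example.php`; the lines for 'user_regdate' and 'not-a-column' both show the default clause, confirming that a raw column name no longer reaches the query.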
    
    This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 22:08:49 PDT