pforum: mysql-injection-bug

From: Jens Liebchen (security@ppp-design.de)
Date: Sat Feb 16 2002 - 12:22:59 PST

Next message: Andrew Griffiths: "codeblue remote root"

Previous message: Powers, James L.: "SNMP test suite vs. Motorola SB4100 cable modem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ppp-design has found a mysql-injection-bug in pforum:


Details
-------
Product: pforum
Version: 1.14 and maybe all versions before
OS affected: all OS with php and mysql
Vendor-URL: www.powie.de
Vendor-Status: informed, workaround available
Security-Risk: Medium-High
Remote-Exploit: Yes


Introduction
------------
pforum is a www-board system using php and mysql. Although the author
seems to try to eliminate malicious code (eg. unwanted html-code) in the
inputs, he relies on php Magic-Quotes for adding slashes to some user
input. Therefore it is possible to use an sql-injection-attack to log in
as admin or user without having the correct password.


More details
------------
If the affected webserver has not enabled php's magic_quotes_gpc in the
php.ini, it is possible to login as any user, admin or moderator. So you
can eg. delete even complete boards.
Because the admin of the board may have no access to php.ini of the
webserver, he maybe cannot fix the bug easily on his own.
Not only the login page is affected, the changepassword form (and maybe
some other forms) are suffering the same sql-injection bug, too.


Proof-of-concept
----------------
Without having Magic-Quoted enabled, just login with the username
"admin' OR username='admin".
If the user admin is an existing user, you are logged in without the
propper pass. If the user admin is an administrator, you have all
administrator privileges on the board.
The same concept works for the changing password form. In case you have
forgotten your password you get a id via mail to your registered
emailaddress, so you can change your password to a new one. Here you
have to use changepass.php and enter your id like
"123' or 'a'='a"
to change your password to any desired one.


Temporary-fix
-------------
Enable magic_quotes_gpc in your php.ini.


Security-Risk
-------------
There are not many servers affected, because Magic-Quotes are enabled
per default when installing php. So we decided to rate the security risk
medium-high.


Vendor
------
The vendor reacted very quickly. With some assistance, he needed about 
24 hours for a patch. Although he hasn't made this patch until now, he 
has published the bug on his homepage and recomments our temporary fix 
(enabling magic_quotes_gpc) until the new version is released.
Because he made the bug allready public, there is no need for us to wait 
with the publication.


-- 
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A

Next message: Andrew Griffiths: "codeblue remote root"
Previous message: Powers, James L.: "SNMP test suite vs. Motorola SB4100 cable modem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 12:57:35 PST