phpGB: mysql injection bug

From: ppp-design (security@ppp-design.de)
Date: Mon Sep 09 2002 - 00:18:24 PDT


    ppp-design found the following MySQL injection bug in phpGB:
    
    
    Details
    -------
    Product: phpGB
    Affected Version: 1.20 and maybe all versions before
    Immune Version: 1.40
    OS affected: all OS with php
    Vendor-URL: http://www.walzl.net
    Vendor-Status: informed, new version available
    Security-Risk: medium - high
    Remote-Exploit: Yes
    
    
    Introduction
    ------------
    phpGB is a PHP/MySQL based guestbook. The admin can change all settings
    within a PHP interface. Unfortunately the author relies on PHP's
    Magic Quotes for adding slashes to some user input without mentioning
    this anywhere in the docs. Therefore it is possible to use an
    SQL injection attack to log in as admin without having the correct
    password, when magic_quotes_gpc is not enabled.
    
    
    More details
    ------------
    If the affected webserver has not enabled PHP's magic_quotes_gpc in
    php.ini, it is possible to log in as administrator without needing
    any password. The affected page for the login is /admin/login.php. An
    attacker is then able to add new admins, delete or edit any
    guestbook entries and change any configuration, including the
    SQL server settings.
    
    
    Proof-of-concept
    ----------------
    Use an existing administrator name (the default is admin) and the
    following password:
    "' OR 'a'='a"
    You will be authenticated if magic_quotes_gpc is not enabled.
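
    A runnable model of the flaw and its fix, added here as an example and not code from phpGB or the advisory author: the login check interpolates the name and password into SQL (a pattern that only holds while magic_quotes_gpc escapes the quotes), so the advisory's password string rewrites the WHERE clause, while a parameterized query treats the same string as plain data. It uses an in-memory SQLite table with a constructed row in place of phpGB's MySQL schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a guestbook admin table (not phpGB's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (name TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'constructed-secret')")
    return conn


def build_concat_query(name, password):
    """Assembles the login query by string interpolation, which is only safe while
    something else (here: PHP's magic_quotes_gpc) has escaped the input first."""
    return (f"SELECT COUNT(*) FROM admins "
            f"WHERE name='{name}' AND password='{password}'")


def login_concat(conn, name, password):
    """Vulnerable model: raw request values become part of the SQL text."""
    return conn.execute(build_concat_query(name, password)).fetchone()[0] > 0


def login_param(conn, name, password):
    """Fixed model: bound parameters, so the input can never become SQL syntax."""
    sql = "SELECT COUNT(*) FROM admins WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    """Runs both checks against the advisory's password string and a real password."""
    conn = make_db()
    payload = "' OR 'a'='a"  # the password string from the advisory
    return {
        # AND binds tighter than OR, so the clause becomes (... AND password='') OR 'a'='a'
        "concat_accepts_payload": login_concat(conn, "admin", payload),
        "param_accepts_payload": login_param(conn, "admin", payload),
        "param_accepts_real_password": login_param(conn, "admin", "constructed-secret"),
        "injected_sql": build_concat_query("admin", payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```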
    
    
    Temporary-fix
    -------------
    Enable magic_quotes_gpc in php.ini.
    
    
    Fix
    ---
    phpGB 1.30 does not fix this vulnerability correctly, so use phpGB 1.40.
    
    
    Security-Risk
    -------------
    Not many servers are affected, because Magic Quotes are enabled
    by default when installing PHP. So we decided to rate the security
    risk medium-high.
    
    
    Vendor status
    -------------
    After we informed the author, he needed about 12 hours to release a new
    version. Unfortunately he made a mistake, so only v1.40, which was
    released one week later, fixes this vulnerability completely.
    
    
    --
    ppp-design
    http://www.ppp-design.de
    Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
    Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
    



    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 09:55:07 PDT