[VulnWatch] phpBB password disclosure by sql injection

From: Rick (rikulat_private)
Date: Thu Jun 19 2003 - 00:27:37 PDT

Next message: thomas adams: "SurfControl Web Filter for Microsoft ISA Server Vulnerability"

Previous message: Tiago Halm: "[Full-Disclosure] [ANNOUNCE]: IISBanner 1.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

There is sql injection vuln in phpBB. The variable "topic_id" is passed
directly from GET to sql query in /viewtopic.php. It can be used 
to get md5 passwords for users. I am attaching details and proof of
concept code.  I've only tested this on mysql 4 and pgsql at my home
machines so I might have missed something...

Rick Patel

application/octet-stream attachment: phpbb_sql.pl

Next message: thomas adams: "SurfControl Web Filter for Microsoft ISA Server Vulnerability"
Previous message: Tiago Halm: "[Full-Disclosure] [ANNOUNCE]: IISBanner 1.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 10:46:28 PDT