8011291 2002-02-16 21:22 +0100 /82 rader/ Jens Liebchen <security@ppp-design.de> Sänt av: joel@lysator.liu.se Importerad: 2002-02-16 22:01 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <21021> Ärende: pforum: mysql-injection-bug ------------------------------------------------------------ From: Jens Liebchen <security@ppp-design.de> To: bugtraq@securityfocus.com Message-ID: <3C6EBFA3.8070209@ppp-design.de> ppp-design has found a mysql-injection-bug in pforum: Details ------- Product: pforum Version: 1.14 and maybe all versions before OS affected: all OS with php and mysql Vendor-URL: www.powie.de Vendor-Status: informed, workaround available Security-Risk: Medium-High Remote-Exploit: Yes Introduction ------------ pforum is a www-board system using php and mysql. Although the author seems to try to eliminate malicious code (eg. unwanted html-code) in the inputs, he relies on php Magic-Quotes for adding slashes to some user input. Therefore it is possible to use an sql-injection-attack to log in as admin or user without having the correct password. More details ------------ If the affected webserver has not enabled php's magic_quotes_gpc in the php.ini, it is possible to login as any user, admin or moderator. So you can eg. delete even complete boards. Because the admin of the board may have no access to php.ini of the webserver, he maybe cannot fix the bug easily on his own. Not only the login page is affected, the changepassword form (and maybe some other forms) are suffering the same sql-injection bug, too. Proof-of-concept ---------------- Without having Magic-Quoted enabled, just login with the username "admin' OR username='admin". If the user admin is an existing user, you are logged in without the propper pass. If the user admin is an administrator, you have all administrator privileges on the board. The same concept works for the changing password form. In case you have forgotten your password you get a id via mail to your registered emailaddress, so you can change your password to a new one. Here you have to use changepass.php and enter your id like "123' or 'a'='a" to change your password to any desired one. Temporary-fix ------------- Enable magic_quotes_gpc in your php.ini. Security-Risk ------------- There are not many servers affected, because Magic-Quotes are enabled per default when installing php. So we decided to rate the security risk medium-high. Vendor ------ The vendor reacted very quickly. With some assistance, he needed about 24 hours for a patch. Although he hasn't made this patch until now, he has published the bug on his homepage and recomments our temporary fix (enabling magic_quotes_gpc) until the new version is released. Because he made the bug allready public, there is no need for us to wait with the publication. -- ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A (8011291) /Jens Liebchen <security@ppp-design.de>/--