[原文]Interpretation conflict in resetpw.php in phpBannerExchange before 2.0 Update 6 allows remote attackers to execute arbitrary SQL commands via an email parameter containing a null (%00) character after a valid e-mail address, which passes the validation check in the eregi PHP command. NOTE: it could be argued that this vulnerability is due to a bug in the eregi PHP command and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpBannerExchange.
RedTeam has identified a SQL injection that can be triggered due to a lack of user input sanitization in phpBannerExchange versions 2.0 RC5 and below. It is possible to recover a password of a user and thereby overtake his account.
Advisory: Unauthorized password recovery in phpBannerExchange
RedTeam identified an SQL injection that can be triggered due to a bad
user input sanitization in phpBannerExchange. It is possible to recover
a password of an user and thereby overtake his account.
Affected Versions: All versions up to phpBannerExchange 2.0 RC5
Fixed Versions: 2.0 RC6
Vulnerability Type: Bad user input sanitization, SQL injection
Vendor-Status: informed, fixed version released
From the vendor's homepage:
phpBannerExchange is a PHP/mySQL script that allows virtually anyone
with minimal knowledge of PHP, mySQL and web hosting to run their own
If a user forgot the password of his phpBannerExchange account, he
can reset it by supplying his email address.
In "resetpw.php" the variable $email contains this email address,
which is then validated by a regular expression.
Due to a bug in the implementation of eregi(), it is possible to pass
additional characters by using a Null Byte "\0". Because the backend
of eregi() is implemented in C, $email is treated as a zero-terminated
string. All characters starting from the Null Byte on will not be
recognized by the regular expression. Therefore you can pass an email
address, that includes the special character "'" to break the following
48 $get_info=mysql_query("select * from banneruser where
After that, a new password for the chosen user is generated and sent via
68 mail($email,$usrsubject,$usrcontent,"From: $ownermail");
Note that mail() will treat $email as a zero-terminated string, too.
Thereby, an attacker can reset the password of a user account and send
it to his own email address.
Proof of Concept
Use following URLs with your favorite web browser:
to retrieve the password of the user with the email address
to retrieve the password of the user with user id "1".
Use PHP Magic Quotes.
Upgrade to version 2.0 RC6
The security risk is high because an attacker could gain access to an
administrator account and view and alter the database and hereby compromise
the whole application.
2006-06-09 Discovery of the problem
2006-06-10 Vendor is informed
2006-06-12 Vendor released fixed version
RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks are uncovered and can be
As there are only few experts in this field, RedTeam wants to share its
knowledge and enhance the public knowledge with research in security
related areas. The results are made available as public security
More information about RedTeam can be found at
RedTeam Pentesting Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304
52068 Aachen http://www.redteam-pentesting.de
PhpBannerExchange contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the resetpw.php script not properly sanitizing user-supplied input to the 'email' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Upgrade to version 2.0 RC6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.