[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2004-04-18 19:39:47
Message-ID: 20040418193947.26907.qmail () search ! securityfocus ! com
[Download RAW message or body]
{================================================================================}
{ [waraxe-2004-SA#019] }
{================================================================================}
{ }
{ [ Critical sql injection bug in Phorum 3.4.7 ] }
{ }
{================================================================================}
\
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phorum is a web based message board written in PHP. Phorum is designed with
high-availability and visitor ease of use in mind. Features such as mailing
list integration, easy customization and simple installation make Phorum
a powerful add-in to any website.
Homepage: http://www.phorum.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One thing is sure - Phorum 3.4.7 code is written professionally and traditional
security bugs here are very hard to find. But anyway, there exists potential sql \
injection case in Phorum code, which can lead to disclosure of the sensitive data \
from the database. Let's look at original code from the include/userlogin.php :
// checks the session for the currently logged in user
function phorum_check_session($admin_session='')
{
global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth;
$phorum_uriauth=urldecode($phorum_uriauth);
if(!empty($admin_session)) {
list($user, $pass)=explode(":", $admin_session);
if(!get_magic_quotes_gpc()) $user=addslashes($user);
} elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) {
// part for cookieauth
list($user, $pass)=explode(":", $HTTP_COOKIE_VARS['phorum_cookieauth']);
if(!get_magic_quotes_gpc()) $user=addslashes($user);
} elseif(isset($phorum_uriauth)) {
// part for uriauth
list($user, $second)=explode(":",$phorum_uriauth);
if(!empty($user) && empty($second))
list($user, $second)=explode("%3A",$phorum_uriauth);
$SQL="Select password,combined_token from ".$PHORUM['auth_table']." where \
username='$user'";
$q->query($DB, $SQL);
$r=$q->getrow();
...
As we can see, GET variable $phorum_uriauth will be urldecoded and if there is empty
$admin_session and not exists COOKIE variable $phorum_cookieauth, then (and only \
then) urldecoded $phorum_uriauth will be exploded to $user and $second. And next we \
will see, how $user is used in sql request WITHOUT addslashes()...
So what? "Magic quotes" is mainly enabled, therefore all seems to be secure.
But wait a second ... - if $phorum_uriauth initially contains something like "%2527", \
then after urldecode() operation it will be "'" (single quote), and magic quotes \
feature can't do anything against that! Nice example of the sql injection in CRITICAL \
sql query (I mean, this sql query handles sensitive data - user password and \
combined_token). What next? I was experimenting various methods to exploit this sql \
injection case and have found possibilities to use "half-blind" method to pull out \
from database any information.
First we must know the username of the "victim". Let's say, it's "waraxe" ;)
Before testing user must be logged out. Now, we make http request like this:
http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar
And if the second char in the "waraxe's" password's md5 hash is "3", then we can see \
normal Phorum page, but with "Log out" link. If there is a link named "Log in", then \
we must make next tests. So we can probe user's password's md5 hash char-by-char and \
finally pull out full string from the database.
Good news for attacker (and bad news for admins) is, that there is no need for UNION \
functionality in mysql version, as usually in case of sophisticated sql injection \
exploits.
How about patch? It's simple - just add slashes:
$phorum_uriauth = addslashes(urldecode($phorum_uriauth));
By the way, i wrote exploit in perl to proof of concept. It can be found on URL:
http://www.waraxe.us/index.php?modname=saf&id=4
See ya!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic