
List:       bugtraq
Subject:    [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-04-18 19:39:47
Message-ID: 20040418193947.26907.qmail () search ! securityfocus ! com





{================================================================================}
{                              [waraxe-2004-SA#019]                              }
{================================================================================}
{                                                                                }
{                 [ Critical sql injection bug in Phorum 3.4.7 ]                 }
{                                                                                }
{================================================================================}
                
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum is a web based message board written in PHP. Phorum is designed with 
high-availability and visitor ease of use in mind. Features such as mailing
list integration, easy customization and simple installation make Phorum 
a powerful add-in to any website.


Homepage: http://www.phorum.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  One thing is sure - Phorum 3.4.7 code is written professionally, and traditional
security bugs here are very hard to find. But there does exist a potential sql
injection case in the Phorum code, which can lead to disclosure of sensitive data
from the database. Let's look at the original code from include/userlogin.php:


// checks the session for the currently logged in user
function phorum_check_session($admin_session='')
{
    global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth;

    // GET value is decoded a second time here, after magic quotes already ran
    $phorum_uriauth=urldecode($phorum_uriauth);

    if(!empty($admin_session)) {
        list($user, $pass)=explode(":", $admin_session);

        if(!get_magic_quotes_gpc()) $user=addslashes($user);
    } elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) {
        // part for cookieauth
        list($user, $pass)=explode(":", $HTTP_COOKIE_VARS['phorum_cookieauth']);
        if(!get_magic_quotes_gpc()) $user=addslashes($user);
    } elseif(isset($phorum_uriauth)) {
        // part for uriauth - note: no addslashes() on $user in this branch
        list($user, $second)=explode(":",$phorum_uriauth);

        if(!empty($user) && empty($second))
            list($user, $second)=explode("%3A",$phorum_uriauth);

    // $user is interpolated into the query as-is
    $SQL="Select password,combined_token from ".$PHORUM['auth_table']." where username='$user'";

    $q->query($DB, $SQL);
    $r=$q->getrow();
    ...

As we can see, the GET variable $phorum_uriauth will be urldecoded, and if $admin_session
is empty and the COOKIE variable $phorum_cookieauth does not exist, then (and only
then) the urldecoded $phorum_uriauth will be exploded into $user and $second. And next we
see how $user is used in the sql request WITHOUT addslashes()...
  So what? "Magic quotes" is usually enabled, therefore all seems to be secure.
But wait a second ... - if the request initially contains something like "%2527", PHP's
own decoding of the GET data leaves "%27" in $phorum_uriauth (no quote yet, so magic
quotes has nothing to escape), and after the urldecode() operation it will be "'"
(single quote). The magic quotes feature can't do anything against that! A nice example
of sql injection in a CRITICAL sql query (I mean, this sql query handles sensitive
data - user password and combined_token). What next? I experimented with various
methods to exploit this sql injection case and found it possible to use a "half-blind"
method to pull any information out of the database.

  First we must know the username of the "victim". Let's say it's "waraxe" ;)
Before testing, the user must be logged out. Now we make an http request like this:

http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar


And if the second char of waraxe's password md5 hash is "3", then we see the
normal Phorum page, but with a "Log out" link. If there is a link named "Log in", then
we must make the next test. So we can probe the user's password md5 hash char-by-char and
finally pull the full string out of the database.

Good news for the attacker (and bad news for admins) is that there is no need for UNION
functionality in the mysql version, as is usually the case with sophisticated sql injection
exploits.
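From the defender's side, the probe described above leaves a recognisable trace: a phorum_uriauth value that still carries an encoded quote after the single decode the web server and PHP perform. The following log check is an added example, not part of this advisory or of Phorum; the access log lines are constructed here, and only the parameter name and the list.php path come from the advisory.

```php
<?php
// Added example (not Phorum code, not from the advisory): flag access log
// lines whose phorum_uriauth value would turn into a live quote on a second
// urldecode(), i.e. the "%2527" / "%27" pattern that slips past magic quotes.

function is_double_encoded_quote_probe(string $log_line): bool
{
    // Pull the request target out of ... "GET /list.php?... HTTP/1.0" ...
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $log_line, $m)) {
        return false;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);             // decodes once, like PHP's own $_GET handling
    if (!isset($params['phorum_uriauth'])) {
        return false;
    }
    $once_decoded = (string) $params['phorum_uriauth'];
    // A legitimate value is "user:token"; an encoded quote surviving the first
    // decode means the application's own urldecode() would unescape it.
    return (bool) preg_match('/%27|%2527/i', $once_decoded);
}

// Constructed sample lines (not real traffic): hosts and timestamps are made up,
// the second line carries the double-encoded quote from the advisory's request.
$sample_log = [
    '10.0.0.5 - - [18/Apr/2004:19:39:47 +0000] "GET /phorum347/list.php?f=1&phorum_uriauth=waraxe%3Afoobar HTTP/1.0" 200 5120',
    '10.0.0.9 - - [18/Apr/2004:19:40:02 +0000] "GET /phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar HTTP/1.0" 200 5120',
    '10.0.0.7 - - [18/Apr/2004:19:40:10 +0000] "GET /phorum347/read.php?f=1&i=42&t=42 HTTP/1.0" 200 3300',
];

foreach ($sample_log as $line) {
    printf("%s  %s\n", is_double_encoded_quote_probe($line) ? 'PROBE ' : 'normal', $line);
}
```

The check deliberately decodes the query string only once, the same way PHP populated $HTTP_COOKIE_VARS / GET data, so a plain "user:token" value passes while a value that needs a second decode to reveal a quote is flagged. Because the probe has to be repeated once per character of the hash, a burst of such requests from one client for the same username is the signal worth alerting on.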

How about patch? It's simple - just add slashes:

$phorum_uriauth = addslashes(urldecode($phorum_uriauth));
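To make the decode-order problem and the fix concrete, here is an added example that is not Phorum's code: a simulation of what magic_quotes_gpc did to a GET value, the vulnerable second decode beside the advisory's one-line patch, and a prepared-statement lookup (the standard fix for this bug class, which the advisory itself does not propose). The table name "phorum_auth" is an assumption standing in for $PHORUM['auth_table'].

```php
<?php
// Added example, not Phorum's code. Shows the vulnerable decode order, the
// advisory's patch, and a prepared-statement alternative.
// Assumption: "phorum_auth" stands in for $PHORUM['auth_table'].

// What PHP 4 with magic_quotes_gpc=On did to a GET value: the web layer decodes
// the parameter once, then addslashes() is applied to the result.
function simulate_magic_quotes_get(string $raw_query_value): string
{
    return addslashes(urldecode($raw_query_value));
}

// Vulnerable order from include/userlogin.php: decode AGAIN after magic quotes,
// so a quote that was still encoded ("%27") becomes a live "'" in the query.
function user_from_uriauth_vulnerable(string $phorum_uriauth): string
{
    $phorum_uriauth = urldecode($phorum_uriauth);
    $parts = explode(":", $phorum_uriauth);
    return $parts[0];
}

// Patched order proposed by the advisory: decode, then escape.
function user_from_uriauth_patched(string $phorum_uriauth): string
{
    $phorum_uriauth = addslashes(urldecode($phorum_uriauth));
    $parts = explode(":", $phorum_uriauth);
    return $parts[0];
}

// The query as built in userlogin.php, with the username interpolated.
function build_lookup_sql(string $user, string $auth_table = 'phorum_auth'): string
{
    return "Select password,combined_token from $auth_table where username='$user'";
}

// Prepared statement: the username travels as a bound parameter and cannot
// change the query structure, whatever the decoding order or magic quotes did.
function lookup_user_prepared(PDO $db, string $user, string $auth_table = 'phorum_auth'): ?array
{
    // $auth_table comes from configuration, never from the request
    $stmt = $db->prepare("SELECT password, combined_token FROM `$auth_table` WHERE username = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: a username followed by a double-encoded single quote.
$raw_get_value = "waraxe%2527:foobar";
// After the single decode the quote is still "%27", so addslashes() sees nothing to escape.
$value_seen_by_phorum = simulate_magic_quotes_get($raw_get_value);

echo "vulnerable: ", build_lookup_sql(user_from_uriauth_vulnerable($value_seen_by_phorum)), "\n";
echo "patched:    ", build_lookup_sql(user_from_uriauth_patched($value_seen_by_phorum)), "\n";
```

In the vulnerable line the username literal is closed by the decoded quote; in the patched line addslashes() has escaped it. The patch works because escaping now happens after the last decode, which is the invariant to keep in mind: every decoding step must precede the escaping step. lookup_user_prepared() removes the ordering question entirely and is what a current PHP code base should use; call it with a PDO handle in place of the $q->query() call.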


By the way, I wrote an exploit in Perl as a proof of concept. It can be found at this URL:

http://www.waraxe.us/index.php?modname=saf&id=4

See ya!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

