7257605 2001-10-08 00:05 +0200 /54 lines/ Konrad Rieck <kr@roqe.org>
Sent by: joel@lysator.liu.se
Imported: 2001-10-09 07:10 by Brevbäraren
External recipient: Bugtrag Mailing List <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <19382>
Subject: phpBB 1.4.2, Remote user is able to modify SQL query.
------------------------------------------------------------
From: Konrad Rieck <kr@roqe.org>
To: Bugtrag Mailing List <bugtraq@securityfocus.com>
Message-ID: <20011008000528.A1503@roqe.org>

Hi,

there is a potential security problem in the current version 1.4.2
and previous versions of phpBB (http://www.phpbb.com). A remote user is
able to modify a string passed as a SQL query to the MySQL database.

The problem exists in the file bb_memberlist.php. A string called
$sortby is supplied through the URI and directly inserted into a SQL
query string if it doesn't match the cases of the previous switch
statement.

[snip]
switch($sortby) {
   case '':
   [...]
   case 'posts':
   [...]
}
$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";
[snap]

This is a typical example of bad coding practice, the obligate
"default:" label has been forgotten/left out/whatever.

You can easily verify this problem by testing:

http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate

As you can see the user list is sorted by the registration date that is
stored in the column user_regdate. This is not a feature, it's a bug ;).

I am not sure if this problem might be abused to insert, delete or
update data inside the MySQL database. This part is up to the PHP
hackers.

I have sent two mails regarding this problem to the phpBB developers
around the 12th of September and didn't get any reply. I think that all
phpBB users should know about this problem and maybe add the missing
"default:" statement themselves.

Regards,
Konrad

--
Konrad Rieck <kr@roqe.org>
Roqefellaz - http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
-- Fingerprint: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3

(7257605) /Konrad Rieck <kr@roqe.org>/----(Reformatted)
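
The missing-default pattern described in the message above, next to an allowlist form that closes it. This is an added example, not phpBB source and not part of the original post. The cases '' and 'posts' and the column user_regdate come from the advisory; the function names, the columns user_id and user_posts, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not phpBB code. Column names user_id and user_posts
// are hypothetical; only user_regdate appears in the advisory.

// Pattern from the advisory: the switch has no default branch, so a value
// that matches no case reaches the query text unchanged.
function order_by_unchecked(string $sortby): string
{
    switch ($sortby) {
        case '':
            $sortby = 'user_id';     // hypothetical default sort column
            break;
        case 'posts':
            $sortby = 'user_posts';  // hypothetical column name
            break;
    }
    return "ORDER BY $sortby";
}

// Hardened form: the request value only selects a key in a fixed map, and
// unknown keys fall back to the default entry. Column identifiers cannot be
// bound as prepared-statement parameters, so the allowlist is the control.
function order_by_allowlisted(string $sortby): string
{
    $columns = [
        ''      => 'user_id',
        'posts' => 'user_posts',
    ];
    $column = $columns[$sortby] ?? $columns[''];
    return "ORDER BY $column";
}

// Constructed inputs: the two expected values, the advisory's test value,
// and a value that carries extra query text after the column name.
$samples = ['', 'posts', 'user_regdate', 'user_id DESC'];
foreach ($samples as $value) {
    printf(
        "%-16s unchecked: %-24s allowlisted: %s\n",
        var_export($value, true),
        order_by_unchecked($value),
        order_by_allowlisted($value)
    );
}
```

For the last two inputs the unchecked function returns the request value verbatim inside the clause, while the allowlisted one returns ORDER BY user_id.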