7257605 2001-10-08 00:05 +0200  /54 lines/ Konrad Rieck <kr@roqe.org>
Sent by: joel@lysator.liu.se
Imported: 2001-10-09  07:10  by Brevbäraren
External recipient: Bugtrag Mailing List <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <19382>
Subject: phpBB 1.4.2, Remote user is able to modify SQL query.
------------------------------------------------------------
From: Konrad Rieck <kr@roqe.org>
To: Bugtrag Mailing List <bugtraq@securityfocus.com>
Message-ID: <20011008000528.A1503@roqe.org>


Hi, 

there is a potential security problem in the current version 1.4.2
and previous versions of phpBB (http://www.phpbb.com). A remote user
is able to modify a string passed as a SQL query to the MySQL
database.

The problem exists in the file bb_memberlist.php. A string called
$sortby is supplied through the URI and directly inserted into a SQL
query string if it doesn't match the cases of the previous switch
statement.

[snip]

switch($sortby) {
   case '':  
      [...]
   case 'posts':
      [...]
}

$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";

[snap]

This is a typical example of bad coding practice: the obligatory
"default:" label has been forgotten/left out/whatever.

You can easily verify this problem by testing:
http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate

As you can see, the user list is sorted by the registration date that
is stored in the column user_regdate. This is not a feature, it's a
bug ;).

I am not sure if this problem might be abused to insert, delete or
update data inside the MySQL database. This part is up to the PHP
hackers.

I have sent two mails regarding this problem to the phpBB developers
around the 12th of September and didn't get any reply. I think that
all phpBB users should know about this problem and maybe add the
missing "default:" statement themselves.

Regards,
Konrad

--  Konrad Rieck <kr@roqe.org>                     Roqefellaz -
http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
--           Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3
(7257605) /Konrad Rieck <kr@roqe.org>/----(Rewrapped)
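The fix the post asks for, as an added example that is not phpBB's code: the sort key is resolved through a switch that has the missing "default:" branch, so only known column names ever reach the ORDER BY clause. Column names other than user_regdate, and the function names, are assumptions for illustration.

```php
<?php
// Added example, not from bb_memberlist.php. Map the request value
// to a fixed column name; any unknown value takes the default branch.
function order_by_column(string $sortby): string
{
    switch ($sortby) {
        case '':
            return 'username';      // assumed default sort column
        case 'posts':
            return 'user_posts';    // assumed column name
        case 'regdate':
            return 'user_regdate';  // column named in the advisory
        default:
            // The branch the vulnerable code lacked: an unrecognised
            // $sortby never becomes part of the SQL string.
            return 'username';
    }
}

// ORDER BY takes an identifier, not a value, so a prepared statement
// placeholder cannot be used here; the allow-list above is the control.
function build_memberlist_query(string $sortby): string
{
    $column = order_by_column($sortby);
    return "SELECT * FROM users ORDER BY $column";
}

// Constructed inputs: a known key, and the raw column name that the
// original switch let through unchanged.
foreach (['posts', 'user_regdate'] as $input) {
    echo "sortby=$input -> " . build_memberlist_query($input) . PHP_EOL;
}
```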