Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 28, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 617
Members: 0
Total: 617
PacketStorm News
·301 Moved Permanently

read more...
[waraxe-2004-SA#019] - Critical sql injection bug in Phorum 3.4.7





Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum is a web based message board written in PHP. Phorum is designed with
high-availability and visitor ease of use in mind. Features such as mailing
list integration, easy customization and simple installation make Phorum
a powerful add-in to any website.


Homepage: http://www.phorum.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One thing is sure - Phorum 3.4.7 code is written professionally and traditional
security bugs here are very hard to find. But anyway, there exists potential sql injection
case in Phorum code, which can lead to disclosure of the sensitive data from the database.
Let's look at original code from the include/userlogin.php :


// checks the session for the currently logged in user
function phorum_check_session($admin_session='')
{
global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth;

$phorum_uriauth=urldecode($phorum_uriauth);

if(!empty($admin_session)) {
list($user, $pass)=explode(":", $admin_session);

if(!get_magic_quotes_gpc()) $user=addslashes($user);
} elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) {
// part for cookieauth
list($user, $pass)=explode(":", $HTTP_COOKIE_VARS['phorum_cookieauth']);
if(!get_magic_quotes_gpc()) $user=addslashes($user);
} elseif(isset($phorum_uriauth)) {
// part for uriauth
list($user, $second)=explode(":",$phorum_uriauth);

if(!empty($user) && empty($second))
list($user, $second)=explode("%3A",$phorum_uriauth);

$SQL="Select password,combined_token from ".$PHORUM['auth_table']." where username='$user'";

$q->query($DB, $SQL);
$r=$q->getrow();
...

As we can see, GET variable $phorum_uriauth will be urldecoded and if there is empty
$admin_session and not exists COOKIE variable $phorum_cookieauth, then (and only then)
urldecoded $phorum_uriauth will be exploded to $user and $second. And next we will see,
how $user is used in sql request WITHOUT addslashes()...
So what? "Magic quotes" is mainly enabled, therefore all seems to be secure.
But wait a second ... - if $phorum_uriauth initially contains something like "%2527", then
after urldecode() operation it will be "'" (single quote), and magic quotes feature can't
do anything against that! Nice example of the sql injection in CRITICAL sql query (I mean,
this sql query handles sensitive data - user password and combined_token).
What next? I was experimenting various methods to exploit this sql injection case and
have found possibilities to use "half-blind" method to pull out from database any information.

First we must know the username of the "victim". Let's say, it's "waraxe" ;)
Before testing user must be logged out. Now, we make http request like this:

http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar

And if the second char in the "waraxe's" password's md5 hash is "3", then we can see normal Phorum page,
but with "Log out" link. If there is a link named "Log in", then we must make next tests. So we can
probe user's password's md5 hash char-by-char and finally pull out full string from the database.

Good news for attacker (and bad news for admins) is, that there is no need for UNION functionality
in mysql version, as usually in case of sophisticated sql injection exploits.

How about patch? It's simple - just add slashes:

$phorum_uriauth = addslashes(urldecode($phorum_uriauth));


By the way, i wrote exploit in perl to proof of concept. It can be found on URL:

http://www.waraxe.us/index.php?modname=saf&id=4

See ya!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2005-01-06 (16942 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
SecurityFocus
Currently there is a problem with headlines from this site
alexa



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.159 Seconds