Hello bugtraq readers,
A vulnerability exists in phpBB 2.06 that could allow an attacker to manipulate SQL
queries and gain administrative control over the forum.
The search.php script of the application does not sufficiently sanitize the input of the
"search_id" parameter. As a result of this an attacker could manipulate the SQL
query the script performs and potentially extract information such as password
hashes from the database.
Impact
-----------
The impact depends on the database solution in use. When testing the bug with
MySQL 4 on Apache 2 with PHP4, I was able to obtain my board administrator MD5
password hash. Armed with this hash an attacker could modify his cookie accordingly
and log in as administrator without having to decode the hash. The attacker would
then have complete control over the board and could execute other SQL queries from
the admin panel.
Patch
-----------
I notified the phpBB 2.06 developers and they have patched the script. phpBB
users should download the latest 2.06 version from http://www.phpbb.com
A way to manually fix the issue can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?t=153818
A simple way to test if the bug is patched is:
http://your_site/phpBB2/search.php?search_id=1\
If patched, this should return the message "No topics or posts met your search
criteria". If unpatched you will get an SQL error (or just a general error if DEBUG
mode is off).
Cheers,
Niels Teusink
http://www.teusink.net
[Suggestion] Dangerous, patch immediately
Thank you for telling us
The following is for everyone here on 竹貓....
Original text:
psoTFX wrote: We've been notified by Niels Teusink of a flaw in search.php. This, under the right circumstances with certain server versions, can be exploited to obtain password hashes. The chances of this being taken advantage of on a wide scale are slim. However, we recommend all existing users of phpBB 2.0.x make the (single line) change specified below.
We have now updated all archives (for 2.0.6) as made available on the download page here. Therefore all new installations and upgrades will be immune.
To fix this flaw please open search.php in any text editor. Find the following code (in the vanilla release of 2.0.6 this can be found around line 685):
Code:
if ( intval($search_id) )
{
$sql = "SELECT search_array
FROM " . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '". $userdata['session_id'] . "'";
Replace it with the following:
Code:
$search_id = intval($search_id);
if ( $search_id )
{
$sql = "SELECT search_array
FROM " . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '". $userdata['session_id'] . "'";
Save and, if necessary, upload this copy to your webserver replacing your existing version.
A translation of the fix for those who can't read English.. =.=b
Open search.php
Find:
Code:
if ( intval($search_id) )
{
$sql = "SELECT search_array
FROM " . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '". $userdata['session_id'] . "'";
Replace it with:
Code:
$search_id = intval($search_id);
if ( $search_id )
{
$sql = "SELECT search_array
FROM " . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '". $userdata['session_id'] . "'";
204 (mine) has this problem too. After I get back from playing ball I'll check whether 204 can be patched the same way and report back to everyone....
It works... everyone go patch @@...
Before patch:
Code:
Could not obtain search results
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\\\\\ AND session_id = '99fff31d13e80aa34fef3283f757fd28
SELECT search_array FROM phpbb_search_results WHERE search_id = 1\\\\\\\ AND session_id = '99fff31d13e80aa34fef3283f757fd28'
Line : 716
File : c:\appserv\www\letstalk\search.php
After patch:
Code:
No topics or posts met your search criteria
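Added example, not part of this thread and not phpBB's own code: a Python model of the search.php check before and after the one-line patch quoted above, run against SQLite as a stand-in for the MySQL setup in the advisory. It reproduces the advisory's `search_id=1\` probe (error before the patch, empty result after) and shows why `if ( intval($search_id) )` on its own was not a guard: intval() was only used for the truthiness test while the raw request string still reached the query. The SEARCH_TABLE name is the one visible in the DEBUG MODE output; the `demo_users` table, its `user_password` column, the session ids and the UNION payload are constructed for the demo and are not phpBB's schema or a step from the advisory.

```python
"""Added example (not from the thread or from phpBB): the search.php check
before and after the fix, modelled in Python and run against SQLite in place
of MySQL.  SEARCH_TABLE is the name visible in the DEBUG output on the page;
demo_users and its user_password column are constructed for the demo."""
import re
import sqlite3

SEARCH_TABLE = "phpbb_search_results"


def php_intval(value: str) -> int:
    """Re-implementation of PHP intval() on a string: optional leading
    whitespace and sign, then the leading digits; anything after the digits
    is ignored, and no leading digits at all gives 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_query_vulnerable(search_id: str, session_id: str):
    """2.0.6 as shipped: intval() is used only for the truthiness test, and
    the raw request string is what gets interpolated into the SQL."""
    if php_intval(search_id):
        return (f"SELECT search_array FROM {SEARCH_TABLE} "
                f"WHERE search_id = {search_id} "
                f"AND session_id = '{session_id}'")
    return None  # search.php falls through to its normal search path


def build_query_fixed(search_id: str, session_id: str):
    """The patch: convert first, then interpolate the integer, so only a
    bare number can ever reach the query."""
    search_id = php_intval(search_id)
    if search_id:
        return (f"SELECT search_array FROM {SEARCH_TABLE} "
                f"WHERE search_id = {search_id} "
                f"AND session_id = '{session_id}'")
    return None


def demo_db() -> sqlite3.Connection:
    """Constructed data: one saved search owned by session cafe0123, plus a
    stand-in users table holding an MD5 password hash (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {SEARCH_TABLE} (search_id INTEGER, session_id TEXT, search_array TEXT);
        INSERT INTO {SEARCH_TABLE} VALUES (1, 'cafe0123', 'a:1:{{i:0;i:42;}}');
        CREATE TABLE demo_users (username TEXT, user_password TEXT);
        INSERT INTO demo_users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def probe(db, search_id, session_id, builder):
    """Build and run one query.  Returns ("ok", rows) or ("error", message),
    mirroring what DEBUG MODE shows on the page when the SQL is malformed."""
    sql = builder(search_id, session_id)
    if sql is None:
        return ("ok", [])
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The advisory's own test: search_id=1\  (a lone backslash after the number).
PROBE_BACKSLASH = "1\\"
# Constructed payload: passes intval() because it starts with "1", then adds a
# second SELECT and comments out the session_id check that follows it.
PAYLOAD_UNION = "1 UNION SELECT user_password FROM demo_users -- "
ATTACKER_SESSION = "deadbeef"  # constructed: not the owner of search_id 1


if __name__ == "__main__":
    db = demo_db()
    for name, builder in (("vulnerable", build_query_vulnerable),
                          ("fixed", build_query_fixed)):
        print(name, "probe 1\\ :", probe(db, PROBE_BACKSLASH, ATTACKER_SESSION, builder))
        print(name, "union payload:", probe(db, PAYLOAD_UNION, ATTACKER_SESSION, builder))
```

With the vulnerable builder the stray backslash is an unrecognized token for SQLite, the same kind of parse failure MySQL reports as error 1064 on the page, and the UNION payload returns the hash from the stand-in users table; with the fixed builder both inputs collapse to `search_id = 1` and, for a session that does not own that search, return no rows, which is the "No topics or posts met your search criteria" outcome the advisory describes.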
