Two php forums: SQL Injection Vulnerability and Test Methods

1. phpBB Remote Arbitrary SQL Injection Vulnerability

Affected Systems:

PhpBB Group phpBB 2.0.9
PhpBB Group phpBB 2.0.8
PhpBB Group phpBB 2.0.8
PhpBB Group phpBB 2.0.7
PhpBB Group phpBB 2.0.6 d
PhpBB Group phpBB 2.0.6 c
PhpBB Group phpBB 2.0.6
PhpBB Group phpBB 2.0.5
PhpBB Group phpBB 2.0.4
PhpBB Group phpBB 2.0.3
PhpBB Group phpBB 2.0.2
PhpBB Group phpBB 2.0.10
PhpBB Group phpBB 2.0.1
PhpBB Group phpBB 2.0
Description:

--------------------------------------------------------------------------------

PhpBB is a WEB forum application compiled by PHP. It supports multiple database systems and can be used in multiple Unix and Linux operating systems.

PhpBB does not properly filter user submitted data. Remote attackers can exploit this vulnerability to launch SQL injection attacks, which may obtain sensitive information or change the database.

Because the url Decoding of phpBB converts % 2527 to % 27 (single quotes) without an append number, there is an SQL injection problem, which can lead to execution of arbitrary database commands, sensitive information may be exposed or changed.

<* Source: jessica soules (admin@howdark.com)

Link: http://marc.theaimsgroup.com /? L = bugtraq & m = 110029415208724 & w = 2
*>

Test method:

--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Jessica soules (admin@howdark.com) provides the following test methods:

Submit a request similar to the following:

Viewtopic. php? T = 1 & highlight = % 2527

The following error message is displayed:

Parse error: parse error, unexpected T_STRING in viewtopic. php (1109): regexp code on
Line 1

Fatal error: Failed evaluating code: preg_replace (# () # I, 1,> POST TEXT
HERE <) in viewtopic. php on line 1109

Suggestion:

--------------------------------------------------------------------------------

Vendor patch:

PhpBB Group
-----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.phpbb.com/

2. phpBT bug. php SQL Injection Vulnerability

Affected Systems:

PhpBugTracker 0.9.1
Description:

--------------------------------------------------------------------------------

PHP Bug Traq is a PHP-based vulnerability tracking system.

PHP Bug Traq bug. php does not properly filter URL data submitted by users. Remote attackers can exploit this vulnerability to obtain sensitive information or change the database system.

Bug. php does not properly filter the data that the user submits to the bugid, and submits data that contains malicious SQL commands or malicious HTML code as parameter data, which can change the original database logic, obtain sensitive information or change the database system.

In addition, the bug. php does not fully filter project variable data, which exists in the similar vulnerability described above.

<* Source: jessica soules (admin@howdark.com)

Link: http://marc.theaimsgroup.com /? L = bugtraq & m = 110029315521568 & w = 2
Http://marc.theaimsgroup.com /? L = bugtraq & m = 110037408101974 & w = 2
*>

Test method:

--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Jessica soules (admin@howdark.com) provides the following test methods:

Http://www.phpbb.com/bugs/bug.php? Op = viewvotes & bugid = 1 union select 1, user_password, 3
Where user_id = 2 /*

Bug. php? Op = add & project = 0% 20 union % 20 select % 201

Suggestion:

--------------------------------------------------------------------------------

Vendor patch:

PhpBugTracker
-------------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://phpbt.sourceforge.net/