logo

Web

   Webdesign
   Webhosting
   Referenzen
   Kontakt

Security

   Aktuelle Meldungen
   Advisories
   Firewall
   Emailgateway

Consulting

   Beratung

Hinweise
   Aktuelle Meldungen    Advisories    Firewall    Emailgateway

ppp-design has found a mysql-injection-bug in pforum:


Details

Product: pforum
Version: 1.14 and maybe all versions before
OS affected: all OS with php and mysql
Vendor-URL: www.powie.de
Vendor-Status: informed, workaround available
Security-Risk: Medium-High
Remote-Exploit: Yes


Introduction

pforum is a www-board system using php and mysql. Although the author seems to try to eliminate malicious code (eg. unwanted html-code) in the inputs, he relies on php Magic-Quotes for adding slashes to some user input. Therefore it is possible to use an sql-injection-attack to log in as admin or user without having the correct password.


More details

If the affected webserver has not enabled php's magic_quotes_gpc in the php.ini, it is possible to login as any user, admin or moderator. So you can eg. delete even complete boards. Because the admin of the board may have no access to php.ini of the webserver, he maybe cannot fix the bug easily on his own. Not only the login page is affected, the changepassword form (and maybe some other forms) are suffering the same sql-injection bug, too.


Proof-of-concept

Without having Magic-Quoted enabled, just login with the username
"admin' OR username='admin".
If the user admin is an existing user, you are logged in without the propper pass. If the user admin is an administrator, you have all administrator privileges on the board.

The same concept works for the changing password form. In case you have forgotten your password you get a id via mail to your registered emailaddress, so you can change your password to a new one. Here you have to use changepass.php and enter your id like
"123' or 'a'='a"
to change your password to any desired one.


Temporary-fix

Enable magic_quotes_gpc in your php.ini.


Security-Risk

There are not many servers affected, because Magic-Quotes are enabled per default when installing php. So we decided to rate the security risk medium-high.


Vendor

The vendor reacted very quickly. With some assistance, he needed about 24 hours for a patch. Although he hasn't made this patch until now, he has published the bug on his homepage and recomments our temporary fix (enabling magic_quotes_gpc) until the new version is released.
Because he made the bug allready public, there is no need for us to wait with the publication.


Disclaimer

All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.