
ppp-design found the following MySQL injection bug in phpGB:


Details

Product: phpGB
Affected Version: 1.20 and possibly all earlier versions
Immune Version: 1.40
OS affected: all OS with php
Vendor-URL: http://www.walzl.net
Vendor-Status: informed, new version available
Security-Risk: medium - high
Remote-Exploit: Yes


Introduction

phpGB is a PHP/MySQL based guestbook. The admin can change all settings through a PHP interface. Unfortunately the author relies on PHP's magic quotes to add slashes to some user input, without mentioning this anywhere in the docs. Therefore, when magic_quotes_gpc is not enabled, an SQL injection attack makes it possible to log in as admin without knowing the correct password.


More details

If the affected webserver has not enabled PHP's magic_quotes_gpc in php.ini, it is possible to log in as administrator without any password. The affected page is the login page, /admin/login.php. A blackhat who gets in this way is able to add new admins, delete or edit any guestbook entries and change any configuration, including the SQL server settings.


Proof-of-concept

Use an existing administrator name (the default is admin) and the following password:
"' OR 'a'='a"
You will be authenticated if magic_quotes_gpc is not enabled.
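To make the mechanism concrete, here is an added example (not phpGB's own code) that reproduces the advisory's login pattern in Python with SQLite: the query built by string concatenation beside its parameterised replacement. The table layout and the stored password are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema; the advisory does not show phpGB's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The pattern the advisory describes: raw form input is pasted into the
    query and escaping is left to PHP's magic_quotes_gpc. With magic quotes
    off, a quote character in the password rewrites the WHERE clause."""
    sql = (f"SELECT COUNT(*) FROM admins WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: the driver passes the password as a value, never
    as SQL text, so quotes inside it cannot change the statement. This holds
    regardless of the magic_quotes_gpc setting."""
    sql = "SELECT COUNT(*) FROM admins WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both login variants against the advisory's proof-of-concept password."""
    conn = make_db()
    payload = "' OR 'a'='a"  # the password string quoted in the advisory
    return {
        "vuln_wrong_pw": login_vulnerable(conn, "admin", "guess"),
        "vuln_payload": login_vulnerable(conn, "admin", payload),
        "fixed_correct": login_fixed(conn, "admin", "correct-password"),
        "fixed_payload": login_fixed(conn, "admin", payload),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The concatenated query turns into `... AND password = '' OR 'a'='a'`, which is true for every row, while the parameterised query simply compares the literal string and fails.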


Temporary-fix

Enable magic_quotes_gpc in php.ini.


Fix

phpGB 1.30 does not fix this vulnerability correctly, so use phpGB 1.40.


Security-Risk

Not many servers are affected, because magic quotes are enabled by default when PHP is installed. So we decided to rate the security risk medium-high.


Vendor status

After we informed the author, he needed about 12 hours to release a new version. Unfortunately he made a mistake, so only v1.40, which was released one week later, fixes this vulnerability completely.


Disclaimer

All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.