phpBBsqlAll.txt

phpBBsqlAll.txt
Posted Jun 23, 2005
Authored by James Bercegay | Site gulftech.org

The phpBB notes module authored by oxpus.de suffers from SQL injection vulnerabilities.

tags | advisory, vulnerability, sql injection
SHA-256 | ca458f33b9f3016fe72402ab33dfbbd57fcb02856066cf26233223b8394b26ef

##########################################################
# GulfTech Security Research April 27th, 2005
##########################################################
# Vendor : Oxpus
# URL : http://www.oxpus.de/
# Version : All Versions
# Risk : SQL Injection Vulnerability
##########################################################

Description:
oxpus.de authors many popular modules and hacks for the amazingly
popular phpBB software. One of these modules lets users keep a personal
memo pad of sorts in the usercp. This particular mod ships as standard
with packages like orion_phpbb and others. This "notes" module is
vulnerable to a serious SQL injection vulnerability that allows an
attacker to pull sensitive information from the underlying database and
possibly compromise the integrity of the affected phpBB installation.



SQL Injection:
There is a high risk SQL injection issue in the phpBB notes module
that allows malicious users to pull sensitive data from the underlying
database and possibly compromise the affected phpBB installation.
Let's have a look at part of the vulnerable code.

if ( $mode == 'editpost' )
{
    // $post_id comes straight from the request and is concatenated into the
    // statement unquoted and unvalidated: this is the injection point.
    $sql = "SELECT * FROM " . NOTES_TABLE . "
        WHERE post_id = " . $post_id . "
        AND poster_id = " . $userdata['user_id'] . " ";
    if ( !$result = $db->sql_query($sql) )
    {
        message_die(GENERAL_ERROR, "Couldn't query notes table", '', __LINE__, __FILE__, $sql);
    }
    else
    {
        while ( $row = $db->sql_fetchrow($result) )
        {
            $subject    = $row['post_subject'];
            $bbcode_on  = $row['bbcode'];
            $smilies_on = $row['smilies'];
            $acronym_on = $row['acronym'];
            $uid        = $row['bbcode_uid'];
            $message    = $row['post_text'];
            if ( $row['bbcode_uid'] != '' )
            {
                // strip the per-post bbcode uid markers from the stored text
                $message = preg_replace('/\:(([a-z0-9]:)?)' . $uid . '/s', '', $message);
            }
        }
    }
    $page_title = $lang['Edit_Post'];
}

As we can see from this code, $post_id is not encapsulated in single quotes.
That is appropriate, since the expected data type is an integer, but the
incoming data is never checked for arbitrary content. The example below
can be used to pull a username from the database, but could just as easily
be something less "benign".

http://localhost/posting_notes.php?mode=editpost&p=-99%20UNION%20SELECT%200,0,username,0,0,0,0,0,0%20FROM%20orionphpbb_users%20WHERE%20user_id=2/*
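To make the defect and the fix concrete, the following is an added example (not code from the advisory, the oxpus.de module or the CrackerTracker mod) that builds the same notes query once from the raw p parameter and once from an integer-coerced copy; the table name phpbb_notes, the function names and the input values are constructed for illustration.

```php
<?php
// Constructed input: the value of the "p" parameter from the sample URL above,
// plus an ordinary legitimate value for comparison.
$attackerInput = "-99 UNION SELECT 0,0,username,0,0,0,0,0,0 FROM orionphpbb_users WHERE user_id=2/*";
$legitInput    = "42";

// Vulnerable pattern, as in posting_notes.php: the raw request parameter is
// concatenated into the statement, so the attacker controls the SQL structure
// (the UNION runs and the trailing /* comments out the poster_id check).
function build_notes_query_vulnerable(string $postId, int $userId): string
{
    return "SELECT * FROM phpbb_notes WHERE post_id = " . $postId
         . " AND poster_id = " . $userId;
}

// Hardened pattern: coerce the parameter to an integer before it reaches SQL.
// intval() keeps only the leading numeric prefix, so the injected text can
// never become part of the statement and the poster_id check survives.
function build_notes_query_hardened(string $postId, int $userId): string
{
    $id = intval($postId);
    return "SELECT * FROM phpbb_notes WHERE post_id = " . $id
         . " AND poster_id = " . $userId;
}

// Stricter variant: accept only a plain non-negative integer string and
// reject everything else instead of silently repairing it. Returning null
// gives the caller a clean point to refuse the request and log the attempt.
function parse_post_id_strict(string $postId): ?int
{
    if (!ctype_digit($postId) || strlen($postId) > 10) {
        return null;
    }
    return (int) $postId;
}

echo build_notes_query_vulnerable($attackerInput, 7), PHP_EOL;
echo build_notes_query_hardened($attackerInput, 7), PHP_EOL;
var_dump(parse_post_id_strict($attackerInput));
var_dump(parse_post_id_strict($legitInput));
```

Running this with the PHP CLI shows the vulnerable builder emitting the attacker's UNION verbatim, while the hardened builder reduces the same input to post_id = -99 and the strict parser rejects it outright.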

It should also be noted that other functions in the posting_notes.php
file are vulnerable as well (e.g. the delete function). On a side note,
I would like to send a reminder to ALL webmasters: whenever you download a
third-party module from a website there is usually no guarantee or assurance
that the code is safe. It is up to you either to have a professional review
the code for you, or to review it yourself, at least before putting it in a
place where the general public has access to it.



Solution:
I found this issue in Orion PhpBB and contacted Sonny from cback.de. He
was very helpful and prompt in his response, and has created a mod to
help prevent these types of issues. The CrackerTracker mod can be found here:

http://community.cback.de/printview.php?t=1724

I believe the new versions of Orion phpBB have the fixed files, and if not,
oxpus.de should have a fix out soon, as Sonny has contacted them :)



Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00070-04272005



Credits:
James Bercegay of the GulfTech Security Research Team