{================================================================================} { [waraxe-2004-SA#019] } {================================================================================} { } { [ Critical sql injection bug in Phorum 3.4.7 ] } { } {================================================================================} Author: Janek Vind "waraxe" Date: 18. April 2004 Location: Estonia, Tartu Web: http://www.waraxe.us/index.php?modname=sa&id=19 Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phorum is a web based message board written in PHP. Phorum is designed with high-availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website. Homepage: http://www.phorum.org Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ One thing is sure - Phorum 3.4.7 code is written professionally and traditional security bugs here are very hard to find. But anyway, there exists potential sql injection case in Phorum code, which can lead to disclosure of the sensitive data from the database. Let's look at original code from the include/userlogin.php : // checks the session for the currently logged in user function phorum_check_session($admin_session='') { global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth; $phorum_uriauth=urldecode($phorum_uriauth); if(!empty($admin_session)) { list($user, $pass)=explode(":", $admin_session); if(!get_magic_quotes_gpc()) $user=addslashes($user); } elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) { // part for cookieauth list($user, $pass)=explode(":", $HTTP_COOKIE_VARS['phorum_cookieauth']); if(!get_magic_quotes_gpc()) $user=addslashes($user); } elseif(isset($phorum_uriauth)) { // part for uriauth list($user, $second)=explode(":",$phorum_uriauth); if(!empty($user) && empty($second)) list($user, $second)=explode("%3A",$phorum_uriauth); $SQL="Select password,combined_token from ".$PHORUM['auth_table']." where username='$user'"; $q->query($DB, $SQL); $r=$q->getrow(); ... As we can see, GET variable $phorum_uriauth will be urldecoded and if there is empty $admin_session and not exists COOKIE variable $phorum_cookieauth, then (and only then) urldecoded $phorum_uriauth will be exploded to $user and $second. And next we will see, how $user is used in sql request WITHOUT addslashes()... So what? "Magic quotes" is mainly enabled, therefore all seems to be secure. But wait a second ... - if $phorum_uriauth initially contains something like "%2527", then after urldecode() operation it will be "'" (single quote), and magic quotes feature can't do anything against that! Nice example of the sql injection in CRITICAL sql query (I mean, this sql query handles sensitive data - user password and combined_token). What next? I was experimenting various methods to exploit this sql injection case and have found possibilities to use "half-blind" method to pull out from database any information. First we must know the username of the "victim". Let's say, it's "waraxe" ;) Before testing user must be logged out. Now, we make http request like this: http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar And if the second char in the "waraxe's" password's md5 hash is "3", then we can see normal Phorum page, but with "Log out" link. If there is a link named "Log in", then we must make next tests. So we can probe user's password's md5 hash char-by-char and finally pull out full string from the database. Good news for attacker (and bad news for admins) is, that there is no need for UNION functionality in mysql version, as usually in case of sophisticated sql injection exploits. How about patch? It's simple - just add slashes: $phorum_uriauth = addslashes(urldecode($phorum_uriauth)); By the way, i wrote exploit in perl to proof of concept. It can be found on URL: http://www.waraxe.us/index.php?modname=saf&id=4 See ya! Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused! Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;) Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/ ---------------------------------- [ EOF ] ------------------------------------