-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I. BACKGROUND phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. II. DESCRIPTION The phpbb_clean_username function has an improper order of execution allowing path and SQL table disclosure. The substr function should be called before extra backslash (\) characters are stripped from the string to force valid SQL requests. If it is not stripped after the substr command, it is possible to remove the second backslash character in a previously addslashes string (\). The following code around line 80 in includes\functions.php is the problem: $username = htmlspecialchars(rtrim(trim($username), "\\")); $username = substr(str_replace("\\'", "'", $username), 0, 25); $username = str_replace("'", "\\'", $username); This is a trivial error, not very worrying. In some configurations this could possibly be used for either cross site scripting or SQL injection, however it does not appear that phpBB v2.0.11 is vulnerable to these attacks. The following actions are susceptible to this attack: Login Password reminder Add a member to a group Post by a user who is not logged in Search by username Search for username Send private message View users profile To attack any of these actions, attempt to submit the username "ABCDEFGHIJKLMNOPQRSTUVWX\YZ" (Note \ character, there must be trailing characters after that character) III. FIX To alleviate this issue, the code around line 80 of includes\functions.php should be changed as follows: $username = substr(htmlspecialchars(str_replace("\\'", "'", trim($username))), 0, 25); $username = rtrim($username, "\\"); $username = str_replace("'", "\\'", $username); An upgrade to phpBB v2.0.12 includes this fix. III. ANALYSIS This report was created based on phpBB v2.0.11. It was discovered on 12/30/04. It was also independently discovered by kaosone+[ONE]+ on 2/19/04, and posted to the bugtraq mailing list. AnthraX101 -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQhq/Aw4h295M1tC9EQJW2wCgh8jhb97Vc4ZlUkzm/i5VtEiBQ1QAoKuH UMHOhx0R9jRTU58YO5Oq91C5 =192I -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html