Bug 71681 - www-apps/phpBB 2.0.x sql injection + arbitrary code execution
Summary: www-apps/phpBB 2.0.x sql injection + arbitrary code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: x86 Linux
Importance: High critical
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 71814
Depends on:
Blocks:
 
Reported: 2004-11-18 09:15 UTC by JG
Modified: 2004-12-29 07:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description JG 2004-11-18 09:15:50 UTC
Here's the original posting from bugtraq:
http://msgs.securepoint.com/cgi-bin/get/bugtraq0411/152.html

quote:
"SQL Injection, allowing people to manipulate the query into pulling data they should not previously be able to obtain. (Such as passwords)
Arbitrary EXEC allows you, if you can get on to a new line, to execute your own PHP, which can be fatal."

That's the response of the phpBB team on their message board:
http://www.phpbb.com/phpBB/viewtopic.php?t=240513


Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-11-18 14:08:38 UTC
Should we issue the GLSA as a critical fix as-is? Or wait for upstream?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-18 22:07:35 UTC
We have a simple workaround and no ETA of a fixed version with new features, so we could issue a temp GLSA.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-19 01:20:58 UTC
The exact nature of the vulnerability is not currently known:
- howdark posts confusing SQL injection + PHP exec claims in highlighting code
- phpBB denies it can be exploited
- phpBB receives more information from unnamed third party
- phpBB posts fix without telling what the real impact is. Obviously there is some SQL injection possible, but PHP exec is not confirmed... afaict

I don't think we should rush that out without more information. Maybe a forum post is better than a GLSA in absence of more information.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-11-19 05:57:38 UTC
2.0.11 is out, critical fix in
web-apps, please package this asap :)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-19 23:58:16 UTC
*** Bug 71814 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-11-21 14:04:31 UTC
Ccing tigger for a fix
Comment 7 rob holland (RETIRED) gentoo-dev 2004-11-21 14:52:52 UTC
.11 is now in portage ~*
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-11-22 00:40:19 UTC
ppc, please mark .11 stable :)
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-22 01:48:15 UTC
Thx rob.

ppc please test and mark stable ASAP
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-11-23 09:05:27 UTC
Following the post of the exploit, the impact is much clearer. This is a remote exec alright, and it's quite easy to use.

This should really be sent ASAP. If ppc cannot mark stable, I think we'll issue the GLSA without waiting.
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2004-11-24 00:41:01 UTC
Kurt seems to have added it to CVS...

We didn't do additional tests as we assume Kurt did them(?)

Conclusion: stable on ppc, responsible = Kurt Lieber
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-24 01:06:42 UTC
GLSA 200411-32
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2004-12-29 06:58:21 UTC
Is it really fixed?!

http://www.securityfocus.com/bid/11672/discussion/
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-12-29 07:45:02 UTC
Three flaws can be exploited:

- The highlight flaw (fixed in PHPBB 2.0.11) [ Santy.Worm ]
- The unserialize flaw (fixed in PHP 4.3.10) [ no worm yet ? ]
- Programming errors in your own PHP scripts (heh... no fix) [ PhpInclude.Worm ]

People with PHPBB 2.0.11 can still get infected by the other two.