Summary: www-apps/phpBB 2.0.x sql injection + arbitrary code execution
Product: Gentoo Security
Reporter: JG <jg>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: critical
CC: chris, tigger, web-apps
Package list:
Runtime testing required: ---
Description JG 2004-11-18 09:15:50 UTC
Here's the original posting from bugtraq: http://msgs.securepoint.com/cgi-bin/get/bugtraq0411/152.html

Quote: "SQL Injection, allowing people to manipulate the query into pulling data they should not previously be able to obtain. (Such as passwords) Arbitrary EXEC allows you, if you can get on to a new line, to execute your own PHP, which can be fatal."

That's the response of the phpbb-team on their msg-board: http://www.phpbb.com/phpBB/viewtopic.php?t=240513

Reproducible: Always

Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) 2004-11-18 14:08:38 UTC
Should we issue the GLSA as critical fix as-is? Or wait for upstream?
Comment 2 Sune Kloppenborg Jeppesen 2004-11-18 22:07:35 UTC
We have a simple workaround and no ETA of a fixed version with new features, so we could issue a temp GLSA.
Comment 3 Thierry Carrez (RETIRED) 2004-11-19 01:20:58 UTC
The exact nature of the vulnerability is not currently known:
- howdark posts confusing SQLinjection+PHPexec claims in highlighting code
- Phpbb denies it can be exploited
- Phpbb receives more information from unnamed third-party
- Phpbb posts fix without telling what the real impact is.
Obviously there is some SQL injection possible, but PHP exec is not confirmed... afaict I don't think we should rush that out without more information. Maybe a forum post is better than a GLSA in absence of more information.
Comment 4 Thierry Carrez (RETIRED) 2004-11-19 05:57:38 UTC
2.0.11 is out, critical fix in web-apps, please package this asap :)
Comment 5 Sune Kloppenborg Jeppesen 2004-11-19 23:58:16 UTC
*** Bug 71814 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) 2004-11-21 14:04:31 UTC
Ccing tigger for a fix
Comment 7 rob holland (RETIRED) 2004-11-21 14:52:52 UTC
.11 is now in portage ~*
Comment 8 Thierry Carrez (RETIRED) 2004-11-22 00:40:19 UTC
ppc, please mark .11 stable :)
Comment 9 Sune Kloppenborg Jeppesen 2004-11-22 01:48:15 UTC
Thx rob. ppc please test and mark stable ASAP
Comment 10 Thierry Carrez (RETIRED) 2004-11-23 09:05:27 UTC
Following post of the exploit, impact is much more clear. This is a remote exec alright, and it's quite easy to use. This should really be sent ASAP. If ppc cannot mark stable, I think we'll issue the GLSA without waiting.
Comment 11 Jochen Maes (RETIRED) 2004-11-24 00:41:01 UTC
kurt seems to have added it to cvs... we didn't do additional tests as we assume kurt did them(?). Conclusion: stable on ppc, responsible = kurt lieber
Comment 12 Sune Kloppenborg Jeppesen 2004-11-24 01:06:42 UTC
Comment 13 Jakub Moc (RETIRED) 2004-12-29 06:58:21 UTC
Is it really fixed?! http://www.securityfocus.com/bid/11672/discussion/
Comment 14 Thierry Carrez (RETIRED) 2004-12-29 07:45:02 UTC
Three flaws can be exploited:
- The highlight flaw (fixed in PHPBB 2.0.11) [ Santy.Worm ]
- The unserialize flaw (fixed in PHP 4.3.10) [ no worm yet ? ]
- Programming errors in your own PHP scripts (heh... no fix) [ PhpInclude.Worm ]
People with PHPBB 2.0.11 can still get infected by the other two.