phpBB 1.4.2, Remote user is able to modify SQL query.

From:	 Konrad Rieck <kr@roqe.org>
To:	 Bugtrag Mailing List <bugtraq@securityfocus.com>
Subject: phpBB 1.4.2, Remote user is able to modify SQL query.
Date:	 Mon, 8 Oct 2001 00:05:28 +0200


Hi, 

there is a a potential security problem in the current version 1.4.2 and
previous versions of phpBB (http://www.phpbb.com). A remote user is able to
modify a string passed as a SQL query to the MySQL database.

The problem exists in the file bb_memberlist.php. A string called $sortby is
supplied through the URI and directly inserted into a SQL query string if it
doesn't match the cases of the previous switch statement.

[snip]

switch($sortby) {
   case '':  
      [...]
   case 'posts':
      [...]
}

$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";

[snap]

This is a typical example of bad coding practice, the obligate "default:"
label has been forgotten/left out/whatever. 

You can easily verify this problem by testing:
http://phpbb.sourceforge.net/phpBB/bb_memberlist.php?sortby=user_regdate

As you can see the user lists is sorted by the registration date that
is stored in the column user_regdate. This is not a feature it's a bug ;).

I am not sure if this problem might be abused to insert, delete or update
data inside the MySQL database. This part is up to the PHP hackers. 

I have sent two mails regarding this problem to the phpBB developers around
the 12th of September and didn't get any reply. I think that all phpBB users
should know about this problem and maybe add the missing "default:"
statement themselves.

Regards,
Konrad

-- 
Konrad Rieck <kr@roqe.org>                    
Roqefellaz - http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
--           Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3