ppp-design found the following MySQL injection bug in phpGB:

Details
-------
Product: phpGB
Affected Version: 1.20 and maybe all versions before
Immune Version: 1.40
OS affected: all OS with PHP
Vendor-URL: http://www.walzl.net
Vendor-Status: informed, new version available
Security-Risk: medium - high
Remote-Exploit: Yes

Introduction
------------
phpGB is a PHP/MySQL based guestbook. The admin can change all settings through a PHP interface. Unfortunately the author relies on PHP's magic quotes (magic_quotes_gpc) to add slashes to some user input, without mentioning this anywhere in the docs. Therefore, when magic_quotes_gpc is not enabled, it is possible to use an SQL injection attack to log in as admin without the correct password.

More details
------------
If the affected web server has not enabled magic_quotes_gpc in php.ini, it is possible to log in as administrator without needing any password. The affected page for the login is /admin/login.php. An attacker who gets in this way is able to add new admins, delete or edit any guestbook entries and change any configuration, including the SQL server settings.

Proof-of-concept
----------------
Use an existing administrator name (the default here is admin) and the following password:

"' OR 'a'='a"

You will be authenticated if magic_quotes_gpc is not enabled.

Temporary fix
-------------
Enable magic_quotes_gpc in php.ini.

Fix
---
phpGB 1.30 does not fix this vulnerability correctly, so use phpGB 1.40.

Security-Risk
-------------
Not many servers are affected, because magic quotes are enabled by default when installing PHP. So we decided to rate the security risk medium-high.

Vendor status
-------------
After we informed the author, he needed about 12 hours for a new version. Unfortunately he made a mistake, so only v1.40, which was released one week later, fixes this vulnerability completely.
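As an added illustration (not code from this advisory or from phpGB), the following Python models the login query pattern the advisory describes against an in-memory SQLite table: string concatenation that lets the password above pass the check, quote escaping, and a parameterized query. The table, account name and password are constructed sample data. PHP's magic quotes use backslash escaping, which MySQL understands but SQLite does not, so the escaping variant here uses SQL-standard quote doubling instead.

```python
import sqlite3

# Constructed sample data standing in for the guestbook's admin table.
ADMIN_USER = "admin"
ADMIN_PASS = "s3cret"


def make_db():
    """Create an in-memory admin table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (name TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)", (ADMIN_USER, ADMIN_PASS))
    return db


def login_concat(db, user, password):
    """Vulnerable pattern: request data pasted straight into the SQL string.

    This is what a query built on unescaped input looks like when
    magic_quotes_gpc is off: a password of  ' OR 'a'='a  turns the WHERE
    clause into  (name='admin' AND password='') OR 'a'='a' , which is
    always true, so the check passes without the real password.
    """
    sql = ("SELECT COUNT(*) FROM admins "
           f"WHERE name='{user}' AND password='{password}'")
    return db.execute(sql).fetchone()[0] > 0


def escape_sql_literal(value):
    """Escape a value for a single-quoted literal by doubling quotes (SQL
    standard, understood by SQLite). PHP's magic quotes do the same job
    for MySQL with backslashes; either way, forgetting it once is fatal."""
    return value.replace("'", "''")


def login_escaped(db, user, password):
    """Same concatenation, but with every input escaped before use."""
    sql = ("SELECT COUNT(*) FROM admins "
           f"WHERE name='{escape_sql_literal(user)}' "
           f"AND password='{escape_sql_literal(password)}'")
    return db.execute(sql).fetchone()[0] > 0


def login_param(db, user, password):
    """Hardened form: the driver binds the values, so quotes in the input
    stay data and can never change the shape of the statement."""
    sql = "SELECT COUNT(*) FROM admins WHERE name=? AND password=?"
    return db.execute(sql, (user, password)).fetchone()[0] > 0
```

Running `login_concat(make_db(), "admin", "' OR 'a'='a")` returns True, while both `login_escaped` and `login_param` return False for the same input and True only for the real password.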
--
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A