mysql-injection-bug in phpGB

by Nikola Strahija on September 9th, 2002

phpGB is a PHP/MySQL-based guestbook. The admin can change all settings through a PHP interface. Unfortunately, the author relies on PHP's Magic-Quotes to add slashes to some user input, without mentioning this anywhere in the docs. As a result, when magic_quotes_gpc is not enabled, an SQL injection attack can be used to log in as admin without the correct password.


More details
------------
If the affected webserver has not enabled PHP's magic_quotes_gpc in
php.ini, it is possible to log in as administrator without any
password. The affected login page is /admin/login.php. An attacker
who does so can add new admins, delete or edit any guestbook entries,
and change any configuration, including the SQL server settings.


Proof-of-concept
----------------
Use an existing administrator name (the default is admin) and the
following password:
"' OR 'a'='a"
You will be authenticated if magic_quotes_gpc is not enabled.


Temporary-fix
-------------
Enable magic_quotes_gpc in php.ini.


Fix
---
phpGB 1.30 does not fix this vulnerability correctly, so use phpGB 1.40.
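
One way to remove the dependency on magic_quotes_gpc at the query level, shown
beside the concatenated form it replaces. This is an added example, not phpGB
code and not the change made in 1.40: the table, columns and function names are
hypothetical, and in-memory SQLite (via PDO) stands in for MySQL.

```php
<?php
// Added example, not phpGB source: the table, columns and function names are
// hypothetical, and in-memory SQLite stands in for MySQL so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admins (name TEXT PRIMARY KEY, pass TEXT NOT NULL)");
// Constructed sample row. Plaintext only to keep the focus on query building.
$db->exec("INSERT INTO admins VALUES ('admin', 'constructed-sample-pw')");

// Pattern of the kind the advisory describes: input is pasted into the SQL
// text and escaping is left to magic_quotes_gpc. With that setting off, a
// quote character in the input ends the string literal.
function login_concat(PDO $db, string $name, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM admins WHERE name = '$name' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: placeholders keep the values out of the SQL grammar, so the
// result no longer depends on any php.ini setting.
function login_bound(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM admins WHERE name = ? AND pass = ?");
    $stmt->execute([$name, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

$poc = "' OR 'a'='a";   // the password string from the proof-of-concept above
$cases = [
    'correct password' => 'constructed-sample-pw',
    'wrong password'   => 'nope',
    'advisory PoC'     => $poc,
];
foreach ($cases as $label => $pass) {
    printf("%-17s concat=%-5s bound=%s\n", $label,
        var_export(login_concat($db, 'admin', $pass), true),
        var_export(login_bound($db, 'admin', $pass), true));
}
```

magic_quotes_gpc was removed in PHP 5.4, so on current PHP versions the php.ini
workaround is not available and the query itself has to be safe.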


Security-Risk
-------------
Not many servers are affected, because Magic-Quotes are enabled
by default when installing PHP. We therefore decided to rate the
security risk as medium-high.


