phpBB / PHPBB-12983

UCP preferences, Display posts ordering by: input is not properly validated


      Hi,

      A registered user is able to trigger a general error by supplying unvalidated data, resulting in an invalid SQL query.

      First of all, I do understand that the end result (getting the admin email address) is part of the system, but I would like to advise against it.

      How to reproduce:

      UCP->Board preferences->Edit display options->Display posts ordering by
      The input is not properly validated: a user can have the system insert any single character into the database. Example: 'x'

      After the user visits any topic, a general error is shown, including the admin password:

      General Error
      SQL ERROR [ mysqli ]

      You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ASC LIMIT 10' at line 7 [1064]

      An SQL error occurred while fetching this page. Please contact the Board Administrator if this problem persists.

      In viewtopic.php line 38, the previously unvalidated input is used as $default_sort_key -> $sort_key, and later on at line 971:
      $sql_sort_order = $sort_by_sql[$sort_key] . ' ' . $direction;

      As the array entry for 'x' does not exist, the final SQL query is invalid:
      SELECT p.post_id FROM phpbb_posts p WHERE p.topic_id = 2 AND p.post_approved = 1 ORDER BY ASC
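The array lookup described above, shown as an added example (not phpBB's own code) beside the whitelist check that prevents the broken ORDER BY; the column names, the default keys 't' and 'a', and the helper function names are assumptions:

```php
<?php
// Added illustration, not phpBB's code. Shows why an unchecked sort key
// yields "ORDER BY ASC", and how a whitelist check keeps the query valid.

// Allowed sort keys mapped to SQL expressions (assumed values, same shape as $sort_by_sql).
$sort_by_sql  = array('a' => 'u.username_clean', 't' => 'p.post_id', 's' => 'p.post_subject');
$sort_dir_sql = array('a' => 'ASC', 'd' => 'DESC');
$sql_prefix   = 'SELECT p.post_id FROM phpbb_posts p WHERE p.topic_id = 2 AND p.post_approved = 1 ORDER BY ';

// As reported: the stored preference is used as an array index without checking it exists.
function build_sort_unvalidated(array $sort_by_sql, $sort_key, $direction)
{
    // A missing key evaluates to an empty string (PHP also warns), so only " ASC" remains.
    $sql_sort_order = @$sort_by_sql[$sort_key] . ' ' . $direction;
    return $sql_sort_order;
}

// Whitelist check: the same validation belongs in the UCP when the preference is saved
// and again where it is used, so an unexpected value falls back to a known-good key.
function validate_sort_key(array $allowed, $key, $default)
{
    return isset($allowed[$key]) ? $key : $default;
}

function build_sort_validated(array $sort_by_sql, array $sort_dir_sql, $sort_key, $sort_dir)
{
    $sort_key = validate_sort_key($sort_by_sql, $sort_key, 't');   // default key assumed
    $sort_dir = validate_sort_key($sort_dir_sql, $sort_dir, 'a');  // default direction assumed
    return $sort_by_sql[$sort_key] . ' ' . $sort_dir_sql[$sort_dir];
}

// Constructed sample: a preference stored as the single character 'x', as in the report.
$stored_preference = 'x';
echo $sql_prefix . build_sort_unvalidated($sort_by_sql, $stored_preference, 'ASC'), "\n";
echo $sql_prefix . build_sort_validated($sort_by_sql, $sort_dir_sql, $stored_preference, 'a'), "\n";
```

The first echo reproduces the malformed query from the report; the second always ends in a column name and a direction taken from the whitelist.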

      The issue might be seen as a simple functional bug, but I strongly believe getting the admin email gives the attacker a huge advantage.

      Regards,
      Marcell

            nickvergessen Joas Schilling
            fodor fodor [X] (Inactive)