Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[waraxe-2005-SA#043] - Sql injection in Phorum 5.0.20 and earlier

Date: Fri Nov 04 2005 - 13:44:41 CST

{ [waraxe-2005-SA#043] }
{ }
{ [ Sql injection in Phorum 5.0.20 and earlier ] }
{ }
Author: Janek Vind "waraxe"
Date: 04. November 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-43.html

Target software description:

Phorum 5.0.20

Homepage: http://phorum.org/

What is Phorum?
Phorum is a web based message board written in PHP.
Phorum is designed with high-availability and visitor ease
of use in mind. Features such as mailing list integration,
easy customization and simple installation make Phorum a
powerful add-in to any website.


Critical sql injection has been found in Phorum 5.0.0.alpha
to 5.0.20. Phorum 5.1.x branch (in alpha stage) seems to be unaffected.


Problem lies in uninitialized array "$forum_ids" in "search.php" file.
From source code:

----------------[ from source code ]------------------
$forum_ids[$row["forum_id"]] = $row["forum_id"];

        $forums = phorum_db_get_forums($forum_ids);

        foreach($arr["rows"] as $key => $row){
                $arr["rows"][$key]["forum_url"] =
phorum_get_url(PHORUM_LIST_URL, $row["forum_id"]);
                $arr["rows"][$key]["forum_name"] =
----------------[ /from source code ]-----------------

This can give as possibilities to "inject" arbitrary data to "$forum_ids"
array by GPC and next let's look at "phorum_db_get_forums()" function from
"include/db/mysql.php" :

----------------[ from source code ]------------------
    if (is_array($forum_ids)) $forum_ids = implode(",", $forum_ids);

    $sql = "select * from {$PHORUM['forums_table']} ";
    if ($forum_ids){
        $sql .= " where forum_id in ($forum_ids)";
    } elseif (func_num_args() > 1) {
        $sql .= " where parent_id = $parent_id";
        if(!defined("PHORUM_ADMIN")) $sql.=" and active=1";

    $sql .= " order by display_order ASC, name";

    $res = mysql_query($sql, $conn);
    if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");

----------------[ /from source code ]-----------------

So sql query manipulation seems to be possible. Now let's try this
in real world ...

[------ real life exploit ------]


There are some critical conditions for exploit to be successful.

1. "register_globals" must be "on", so we can poison php variable space
through GPC.

2. "search=a" - this search string must return one or more results.

3. "SELECT/**/1,password" - first number in sql injection, in our case "1",
must be "forum_id" for forum in search results.

4. sql table prefix "phorum_" can be different, but this will give nice sql error
messages and reveal real prefix.

5. Some Phorum versions seems to have different table structure for "phorum_users",
so again, there will be sql error messages. It's easy to overcome this kind of
problem by altering sql injection string as "trial/error".

[----- /real life exploit ------]

See ya and have a nice day ;)

Disclosure timeline:

01. november 2005 - vendor first contacted
01. november 2005 - vendor response
02. november 2005 - details emailed to vendor
03. november 2005 - vendor released new, patched version
04. november 2005 - public advisory released

How to fix:

Download new Phorum version 5.0.21 from:


More info: http://phorum.org/story.php?57


Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan,
y3dips and all other active members from waraxe community !

Tervitused - Raido Kerna !

Additional resources:

DX expedition database - http://www.dxdb.com/

Hard disc recovery - http://www.hdd911.com/


    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------