Personal Notes SQL Injection
Vendor: Oxpus
Product: Personal Notes
Version: <= 1.4.6
Website: http://www.oxpus.de/
BID: 13417
CVE: CVE-2005-1378
OSVDB: 15899
SECUNIA: 15154
Description:
oxpus.de author many popular modules and hacks for the amazingly popular phpBB software. One of these modules allows users to keep their own personal memo pad of sorts in the usercp. This particular mod comes standard with packages like orion_phpbb and others. This "notes" module is vulnerable to a serious SQL Injection vulnerability that will allow for an attacker to pull sensitive information from the underlying database, and possibly compromise the integrity of the affected phpBB installation.


SQL Injection:
There is a high risk SQL Injection issue in the phpBB notes module that allows for malicious users to pull sensitive data from the underlying database and possibly compromise the affected phpBB installation. Let's have a look at part of the vulnerable code.
if ( $mode == 'editpost' )
{
	$sql = "SELECT * FROM " . NOTES_TABLE . "
			WHERE post_id = ".$post_id."
			AND poster_id = " . $userdata['user_id'] . " ";
		if (!$result = $db->sql_query($sql))
		{
			message_die(GENERAL_ERROR, "Couldn't query notes table", '', __LINE__, __FILE__, $sql);
		}
		else
		{
			while( $row = $db->sql_fetchrow($result) )
			{
				$subject = $row['post_subject'];
				$bbcode_on = $row['bbcode'];
				$smilies_on = $row['smilies'];
				$acronym_on = $row['acronym'];
				$uid = $row['bbcode_uid'];
				$message = $row['post_text'];
				if ( $row['bbcode_uid'] != '' )
				{
					$message = preg_replace('/\:(([a-z0-9]:)?)' . $uid . '/s', '', $message);
				}
			}
		}
	$page_title = $lang['Edit_Post'];
}
As we can see from this code $post_id is not encapsulated in single quotes. This is appropriate as the expected data type is an integer, but the incoming data is never checked for arbitrary content. The below example can be used to pull a username from the database, but could just as easily be something less "benign".

http://localhost/posting_notes.php?mode=editpost&p=-99%20UNION%20SELECT%200,0, username,0,0,0,0,0,0%20FROM%20orionphpbb_users%20WHERE%20user_id=2/*

It should also be noted that other functions in the posting_notes.php file are vulnerable as well (i.e.: the delete function). On a side note I would like to send a reminder to ALL webmasters. Whenever you download a third party module from a website there is usually no guarantee or assurance that the code is safe. It is up to you to either have a professional view the code for you, or view it yourself at least before putting it in a place where the general public has access to it.


Solution:
I found this issue in Orion PhpBB, and contacted Sonny from cback.de. He was very helpful and prompt in his response, and has created a mod to help prevent these types of issues. The CrackerTracker mod is found here.

http://community.cback.de/printview.php?t=1724

I believe the new versions of orion phpBB have the fixed files, and if not oxpus.de should have a fix out soon as Sonny has contacted them :)


Credits:
James Bercegay of the GulfTech Security Research Team