phpbb Private Messages not so private

[slarty]

Dear All,

I was doing some research into the exact nature of the "search.php" vulnerability in phpbb 2.0.6. The web site suggests that md5 hashed passwords can be obtained. This is true, but it is not the limit of what can be done.

I have adequately demonstrated that it is fairly easy to read any users "private" messages using this vulnerability. Potentially any other information can also be gained (including taking people's email addresses etc).

The details are here

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818

But this page plays down the seriousness of this vulnerability.

The chances of this being taken advantage of on wide scale are slim

I find this unlikely. There are a lot of installations of phpbb, and I believe that a large proportion of them are still vulnerable.

My advice is:
phpbb admins / moderators - ensure the system is properly patched, and change all passwords
phpbb users - get the board admin to patch the system, and ensure that no data has ever been sent in PMs that could be sensitive - if so, take steps to ensure it's not longer useful to an attacker (f.e. change passwords)
everyone - use strong passwords. The md5 hashes are much better than storing the passwords plaintext, but ONLY if you use strong passwords.

This case only shows how serious even a single minor flaw in a SQL-based web app is. In this case, a single, rather awkward SQL injection is possible, with the results being post-processed in a very obscure fashion - nevertheless, it is possible with some creative thinking to gain read access to just about everything anyway.

Slarty

[XoN-ASSIM]

Uhm... THANX! Seriously (helped me in ways I cant discloes > )... Good post man.

[SDK]

Thank also! I patch my server yesterday night!