Thursday, 26 July 2012

[EN] phpBB3 SQL Injection - updated (31.07)

Hello :)

After a little break and multiple tasks to do, few minutes ago I found one surprise
in latest phpBB3.

This is 'so called' sql-information-leak via parameter manipulation (related to SQL).

I will not public full information today, because maybe some of You want to test Your installations before.

If so - let me know. Maybe I should help with full webapp pentest.

* updated 10:11 *
- Found second vulnerable parameter :)

* updated 28.07 *
- another two parameters are vulnerable

* updated 31.08 *
 Detailed story once again at PacketStorm.

Cheers ;) o/


  1. write me mishan[at]
    very interested

  2. write me please giorgio1937[at]hotmail[dot]it
    very very interested

  3. SQL errors are only displayed to board administrators or when phpBB is in debug mode. Please double check your findings with a regular user account.

  4. First: big thanks for reading my blog (and writing comments)! :)

    Second, ad. this 'sql injection' - this is true, that
    we can not inject here statements.
    By sendint to phpBB3 'wrong' value for parameter(s), we can get an error directly from SQL. That's why I called it 'sql injection'.

    Anyway, source code audit is not finished for this webapp, so post will be updated. (If You want more information, send me an email, and we can talk privately).

    Once again, thanks for reading, and best regards! ;]

  5. By the way: here you have this bug described as a 'sql error':

    enjoy! o/


What do You think...?