The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PHP ip2long() Function Circumvention (miniBB)
------------------------------------------------------------------------
SUMMARY
<http://www.minibb.net/> miniBB is "a mini bulletin board, free forum
software, original PHP message board script, you can build online
community on". A vulnerability in the way PHP's ip2long() function works
allows attackers to utilize the IP address provided to miniBB's security
checks, and cause an SQL injection in the product, even though the SQL
code is not a valid IP address.
DETAILS
Vulnerable Systems:
* PHP version 5.1.4
* PHP version 5.0.2
* PHP version 4.3.3
After some testing on miniBB application rgod obtained that the PHP
ip2long() function can be tricked to return a valid IPv4 Internet network
address instead of "-1" even if the ip address argument is not a valid
one, through the injection of some chars, ex:
<?php
for ($i=0; $i<=255; $i++)
{
echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
}
?>
when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or
chr(32) it gives the following (valid) result:
16843009
In minibb case this could result in sql injection, forging an header like
this:
X-FORWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]
Or even like this:
X-FORWARDED-FOR: 1[CHR(9)]'[SQL CODE]
However miniBB limits the string to 15 characters so you will have a
useless twelve characters SQL injection, also remember that HTTP headers
is not filtered by PHP magic_quotes_gpc, so this could give an attacker
the way to fully compromise an application
Vulnerable code index.php, 248-264:
/* Banned IPs/IDs stuff */
$thisIp=getIP(); <--------------------- here $thisIp
becomes our sql code
$cen=explode('.', $thisIp);
if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
$thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';
$thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';
}
else {
$thisIpMask[0]='0.0.0.+';
$thisIpMask[1]='0.0.0.+';
}
if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<----------- $thisIp is
passed to the db_ipCheck() function
$title=$sitename." :: ".$l_accessDenied;
echo ParseTpl(makeUp('main_access_denied')); exit;
}
bb_functions.php, near lines 123-131
//--------------->
function getIP(){
$ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1;
//<-- vulnerable code
$finalIP=substr($finalIP,0,15);
return $finalIP;
}
//--------------->
Vulnerable code in setup_mysql.php, near lines 99-105:
function db_ipCheck($thisIp,$thisIpMask,$user_id){
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<---
sql injection
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}
ADDITIONAL INFORMATION
The information has been provided by rgod.
The original article can be found at:
<http://retrogod.altervista.org/php_ip2long.html>
http://retrogod.altervista.org/php_ip2long.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
