Mass File Injection Attack?!?

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE

Re: Mass File Injection Attack?!?

Post by drathbun » Wed May 14, 2008 1:48 pm

Code:

select config_value from phpbb_config where config_name = 'sitename'

That query will return the string value stored in the config table for your board site name. However, if you use a browser app (like phpMyAdmin) to return the string then any javascript code is likely to be masked by the browser. I think. :) Anyway, if you use a command-line SQL parser you'll get the straight text.

If you only have phpMyAdmin then do this instead:

Code:

select length(trim(config_value)) from phpbb_config where config_name = 'sitename'

That should return the length of the string stored for your site name. If it's longer than you expect (you should know what your sitename is) then you might have an issue.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
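The same check widened to every row of the config table, as an added example that is not part of the original post: it flags values containing markup and prints them hex-encoded so the client displaying the result cannot render or hide anything. MySQL dialect; the demo_config table and its rows are constructed stand-ins for phpbb_config.

```sql
-- Added example (MySQL dialect). demo_config and its rows are constructed
-- sample data; on a real board, point the final SELECT at phpbb_config.
CREATE TEMPORARY TABLE demo_config (
    config_name  VARCHAR(255) NOT NULL PRIMARY KEY,
    config_value VARCHAR(255) NOT NULL
);

INSERT INTO demo_config (config_name, config_value) VALUES
    -- constructed: a site name with a script tag appended to it
    ('sitename', 'My Board<script src="http://example.invalid/x.js"></script>'),
    -- constructed: clean values, one with trailing spaces
    ('demo_setting_1', 'A place to talk   '),
    ('demo_setting_2', 'Thanks, The Management');

-- List every row whose value contains something a plain-text setting
-- should not hold. CHAR_LENGTH(TRIM(...)) is the length check from the
-- post; HEX() returns the stored bytes as hex digits, so the output is
-- the same in a browser front end and in the command-line client.
SELECT config_name,
       CHAR_LENGTH(config_value)            AS stored_length,
       CHAR_LENGTH(TRIM(config_value))      AS trimmed_length,
       LOWER(config_value) LIKE '%<script%' AS has_script_tag,
       LOWER(config_value) LIKE '%<iframe%' AS has_iframe_tag,
       HEX(config_value)                    AS raw_hex
FROM demo_config
WHERE config_value LIKE '%<%'
   OR LOWER(config_value) LIKE '%javascript:%'
ORDER BY config_name;
```

With the sample rows only sitename is returned. A hit means the row needs a manual look, since any value containing an angle bracket is listed.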

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Mass File Injection Attack?!?

Post by Techie-Micheal » Wed May 14, 2008 4:48 pm

Fortunately phpMyAdmin shows everything in that regard. :)
Proven Offensive Security Expertise. OSCP - GXPN

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE

Re: Mass File Injection Attack?!?

Post by drathbun » Wed May 14, 2008 6:44 pm

I didn't know how it would work, so I provided two options. :) I do everything via the mysql client so I don't know phpMyAdmin very well.

kazmughal
Registered User
Posts: 335
Joined: Wed Mar 10, 2004 11:58 am

Re: Mass File Injection Attack?!?

Post by kazmughal » Thu May 15, 2008 5:48 pm

phpBB. Those were the days. :lol:

MySQL Injections

Eelke
QA Team
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: Mass File Injection Attack?!?

Post by Eelke » Fri May 16, 2008 6:40 am

Excuse me? Can you explain what you mean?
