SQL injection vulnerability in read.php3 and other scripts in Phorum 3.0.7 allows remote attackers to execute arbitrary SQL queries via the sSQL parameter.
Phorum 3.0.7 is vulnerable to a critical SQL injection flaw, allowing attackers to execute arbitrary SQL commands. This vulnerability, exploitable through the sSQL parameter in read.php3 and other scripts, can lead to complete compromise of the database and potentially the underlying server, enabling data theft and system takeover.
Step 1 (Payload Delivery): The attacker crafts a malicious SQL query and encodes it as the value of the sSQL parameter. This parameter is typically passed via a GET request to read.php3 or another vulnerable script.
Step 2 (Request Submission): The attacker submits the crafted request to the vulnerable Phorum instance.
Step 3 (Query Construction): The vulnerable script, without proper sanitization, directly incorporates the attacker-supplied sSQL value into a SQL query.
Step 4 (Query Execution): The database server executes the maliciously crafted SQL query.
Step 5 (Data Exfiltration/System Compromise): Depending on the injected SQL commands, the attacker can retrieve sensitive data (e.g., usernames, passwords, forum posts), modify database contents, or potentially gain remote code execution on the server, subject to the database server's configuration and the attacker's SQL skills.
The vulnerability stems from a lack of input validation and sanitization of the sSQL parameter in the Phorum 3.0.7 codebase: read.php3 and other scripts incorporate the user-supplied sSQL value into SQL queries without any filtering or escaping. This allows attackers to inject SQL code, such as commands to retrieve sensitive data, modify database contents, or even execute operating system commands through stored procedures or extended stored procedures if the database server is configured to allow it. The root cause is a missing secure-coding practice: the scripts do not use parameterized queries or prepared statements, which would have prevented the injection of SQL code.
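The following is an added illustration, not Phorum's own code, of the defect class described in the steps above and in the root-cause paragraph, together with one way to remove it. A parameter such as sSQL that is designed to carry raw SQL cannot be made safe by escaping; the hardening shown here stops accepting SQL from the client altogether, maps a client-supplied key to a server-side clause through an allow-list, and binds every value with a prepared statement. The table name forum_messages, its columns, the assumption that sSQL carries an ORDER BY fragment, and the use of PDO with an in-memory SQLite database (PHP 7 or later with pdo_sqlite) are all assumptions made for this example.

```php
<?php
// Added example (not Phorum's code). The parameter name sSQL comes from the
// advisory; the table/column names and the idea that sSQL carries an ORDER BY
// fragment are assumptions for this illustration.

// --- Vulnerable pattern (assumed shape of the flaw): the request parameter is
// spliced verbatim into the statement, so whatever SQL the client sends runs.
function vulnerable_list_messages(PDO $db, array $get): array
{
    $sSQL = $get['sSQL'] ?? 'datestamp DESC';
    $sql  = "SELECT id, subject, author FROM forum_messages ORDER BY " . $sSQL;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);   // attacker-controlled SQL
}

// --- Hardened pattern: the client never supplies SQL. It supplies a key that
// is mapped to a server-side clause through an allow-list, and every value
// (here the forum id) is bound as a parameter rather than concatenated.
const ALLOWED_SORTS = [
    'newest'  => 'datestamp DESC',
    'oldest'  => 'datestamp ASC',
    'subject' => 'subject ASC',
];

function hardened_list_messages(PDO $db, array $get): array
{
    $sortKey = $get['sort'] ?? 'newest';
    if (!array_key_exists($sortKey, ALLOWED_SORTS)) {
        $sortKey = 'newest';            // unknown key: fall back, never echo it into SQL
    }
    $forumId = filter_var($get['forum'] ?? 0, FILTER_VALIDATE_INT);
    if ($forumId === false || $forumId < 1) {
        throw new InvalidArgumentException('forum must be a positive integer');
    }

    $sql  = "SELECT id, subject, author FROM forum_messages WHERE forum_id = :forum ORDER BY "
          . ALLOWED_SORTS[$sortKey];    // clause comes from server-side constants only
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':forum', $forumId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE forum_messages (id INTEGER PRIMARY KEY, forum_id INTEGER, "
        . "subject TEXT, author TEXT, datestamp INTEGER)");
$db->exec("INSERT INTO forum_messages VALUES "
        . "(1, 1, 'Hello', 'alice', 100), (2, 1, 'Re: Hello', 'bob', 200), "
        . "(3, 2, 'Other forum', 'carol', 300)");

print_r(hardened_list_messages($db, ['forum' => '1', 'sort' => 'oldest']));
// An unrecognised sort key is silently replaced by the default; it never reaches the query.
print_r(hardened_list_messages($db, ['forum' => '1', 'sort' => 'unexpected input']));
```

The design choice worth noting is that the hardened function has no parameter through which SQL text can travel at all: the sort clause is selected from a constant table by key, and the only client-controlled value that reaches the database is an integer bound with PDO::PARAM_INT. Prepared statements alone would not be enough if the interface still accepted a SQL fragment, which is why the fix changes the interface rather than trying to filter its input.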