Hi.

Another phpBB admin access bug was reported to us by David Danier, this
one in bb_profile.php. The summary is below. David's original message
is available at:

http://www.securitytracker.com/alerts/2001/Aug/1002163.html

Stuart

-------------------------------------------------------------------
Title: phpBB Bulletin Board bb_profile.php Bug Lets Remote Users Obtain
Administrative Access to the Bulletin Board

Vendor: phpBB Group

Date: Aug 8 2001 23:21 (UTC/GMT)

Impact: User access via network

Version(s): 1.4.1, possibly earlier versions

Description: Another input validation vulnerability has been reported
in phpBB bulletin board. Remote users can exploit this bug to gain
administrative access to the board.

The vulnerability is reportedly the same type of problem as was recently
reported with the prefs.php module. The bug reportedly resides in the
bb_profile.php module.

A remote but registered user can open bb-profile and modify the HTML
form action tag and the 'viewemail' checkbox variable, changing it to a
textfield with contents "1', user_level='4". By submitting this modified
form, the remote user can gain administrative access on the bulletin
board.
                   
Impact: A remote user that is a registered user on the bulletin board
can obtain administrator access on the bulletin board.

Solution: No vendor solution was available at the time of this entry.
The author of the report has provided the following fix:

  add "$viewemail = (ereg("^[0-1]+$", $viewemail))
  ?
  $viewemail : '0';" before the mysql update procedure

Vendor URL: www.phpbb.com/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: "David Danier" <golk gmx.net>

-------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]