Re: phpBB 1.4.0 bug leads to easy admin privileges

From: Paul Burney (burney@gseis.ucla.edu)
Date: 08/04/01


Date: Fri, 03 Aug 2001 15:01:36 -0700
Subject: Re: phpBB 1.4.0 bug leads to easy admin privileges
From: Paul Burney <burney@gseis.ucla.edu>
To: <bugtraq@securityfocus.com>
Message-ID: <B7906D50.3813%burney@gseis.ucla.edu>

on 8/3/01 12:51 PM, kill-9@modernhackers.com (kill-9@modernhackers.com)
wrote:

> found by: kill-9@modernhacker.com
> http://www.modernhacker.com

I don't know whether or not kill-9 notified anyone about his exploit before
posting. He also didn't mention a fix for the problem. One fix can be
found at:

<http://www.game-mods.com/prefs.php.txt>

I didn't write the code but saw it on the phpBB support forum.

Please note there is a slight typo in the file. The correct lines to add
around line 51 in prefs.php are:

$fviewemail = str_replace('=','',$viewemail);
$fthemes = str_replace('=','',$themes);
$fsig = str_replace('=','',$tsig);
$fsmile = str_replace('=','',$smile);
$fdishtml = str_replace('=','',$dishtml);
$fdisbbcode = str_replace('=','',$disbbcode);
$flang = str_replace('=','',$lang);
$sql = "UPDATE users SET user_viewemail='$fviewemail',
user_theme='$fthemes', user_attachsig = '$fsig', user_desmile = '$fsmile',
user_html = '$fdishtml', user_bbcode = '$fdisbbcode', user_lang = '$flang'
WHERE (user_id = '$userdata[user_id]')";

There may be other bugs in the code in other files that can be exploited in
a similar fashion, but this resolves one immediate threat.

Another user named mmj on the boards mentioned:

> Removing the = signs in all the variables is one solution. Using addslashes()
> on all the variables is an alternative solution.

Hope that helps.

Sincerely,

Paul Burney

+-------------------------+---------------------------------+
| Paul Burney | P: 310.825.8365 |
| Webmaster && Programmer | E: <webmaster@gseis.ucla.edu> |
| UCLA -> GSE&IS -> ETU | W: <http://www.gseis.ucla.edu/> |
+-------------------------+---------------------------------+
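
Added example, not part of the original message and not phpBB code: the same UPDATE written with bound parameters and per-field validation, so that no submitted value ever becomes part of the SQL text. The table and column names are taken from the statement above; the input key names, column types, allowed value ranges and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example. Column names come from the UPDATE in the message; the types
// and value ranges enforced below are assumptions, not phpBB's schema.
function clean_prefs(array $in): array
{
    $out = [];
    // Assumed on/off flags: anything other than the string '1' becomes 0.
    foreach (['viewemail', 'sig', 'smile', 'dishtml', 'disbbcode'] as $flag) {
        $out[$flag] = (isset($in[$flag]) && (string)$in[$flag] === '1') ? 1 : 0;
    }
    // Assumed numeric theme id.
    $themes = $in['themes'] ?? '';
    if (!is_string($themes) || !ctype_digit($themes)) {
        throw new InvalidArgumentException('themes must be a numeric id');
    }
    $out['themes'] = (int)$themes;
    // Assumed language name: lowercase letters and underscores only.
    $lang = $in['lang'] ?? '';
    if (!is_string($lang) || !preg_match('/\A[a-z_]{1,32}\z/', $lang)) {
        throw new InvalidArgumentException('lang is not a valid language name');
    }
    $out['lang'] = $lang;
    return $out;
}

function save_prefs(PDO $db, int $userId, array $in): int
{
    $p = clean_prefs($in);
    // Placeholders keep every value out of the SQL text.
    $stmt = $db->prepare(
        'UPDATE users SET user_viewemail = :viewemail, user_theme = :themes,
                user_attachsig = :sig, user_desmile = :smile, user_html = :dishtml,
                user_bbcode = :disbbcode, user_lang = :lang
          WHERE user_id = :uid'
    );
    $stmt->execute($p + ['uid' => $userId]);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_viewemail INT, user_theme INT,
    user_attachsig INT, user_desmile INT, user_html INT, user_bbcode INT, user_lang TEXT)');
$db->exec("INSERT INTO users VALUES (2, 0, 1, 0, 0, 0, 0, 'english')");
echo save_prefs($db, 2, ['viewemail' => '1', 'themes' => '3', 'lang' => 'english']), "\n";
try {  // Constructed input containing a quote and an equals sign.
    save_prefs($db, 2, ['themes' => '3', 'lang' => "english' = x"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```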


