List of all admin accounts in phpBB

From: Predrag Damnjanovic (bugtraq_at_mycity.co.yu)
Date: 01/25/05

    To: bugtraq@securityfocus.com
    Date: Tue, 25 Jan 2005 23:48:20 +0100
    
    
    

    After discovering the 'highlight' vulnerability in phpBB, many forums
    were patched, but... it is possible that attackers created [secret]
    admin accounts...
    It is very hard to find secret admin accounts if the forum has too
    many users... you must check every account...

    So, here is a simple PHP script that will show a list of all admin
    accounts on your phpBB forum.
    Just simply copy this file to the phpBB directory...

    After you find an attacker's admin accounts and remove admin status
    from those accounts, you can delete this script, and of course, you
    should upgrade your phpBB to the latest version.

    A demonstration of this script can be found at
    http://www.mycity.co.yu/phpbb/admin_list.php

    Best regards,
    Predrag Damnjanovic
    http://www.mycity.co.yu/
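
An added example, not the script the author refers to (which is not reproduced on this page): the same audit in Python over a constructed table modelled on phpBB 2.0.x, diffed against the operator's known-good admin list. It assumes the default `phpbb_` table prefix and that `user_level` = 1 marks an administrator; the function names and sample rows are made up for illustration.

```python
import re
import sqlite3

ADMIN = 1  # assumed phpBB 2.0.x user_level for administrators (USER=0, MOD=2)


def list_admins(conn, prefix="phpbb_"):
    """Return (user_id, username, user_regdate) for every admin-level account."""
    # The prefix is interpolated into SQL, so accept identifier characters only.
    if not re.fullmatch(r"[A-Za-z0-9_]*", prefix):
        raise ValueError("unexpected characters in table prefix")
    cur = conn.cursor()
    cur.execute(
        f"SELECT user_id, username, user_regdate FROM {prefix}users "
        f"WHERE user_level = {ADMIN} ORDER BY user_regdate"
    )
    return cur.fetchall()


def unexpected_admins(conn, expected, prefix="phpbb_"):
    """Admin accounts whose username is not on the operator's known-good list."""
    # Case-insensitive comparison is a choice made for this example.
    known = {name.lower() for name in expected}
    return [row for row in list_admins(conn, prefix) if row[1].lower() not in known]


def demo_connection():
    """Constructed sample data standing in for a real forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, "
        "user_level INTEGER, user_regdate INTEGER)"
    )
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?, ?)",
        [
            (2, "siteadmin", 1, 1041379200),     # legitimate admin
            (57, "alice", 0, 1072915200),        # ordinary user
            (91, "bob_mod", 2, 1088640000),      # moderator, not admin
            (4312, "guest_4312", 1, 1101859200), # admin nobody recognises
        ],
    )
    return conn


if __name__ == "__main__":
    for uid, name, regdate in unexpected_admins(demo_connection(), ["siteadmin"]):
        print(f"review: user_id={uid} username={name} registered={regdate}")
```

Sorting by `user_regdate` puts the oldest admin first, so accounts registered around the time of a compromise cluster at the end of the list.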

    
    


