List of all admin accounts in phpBB

From: Predrag Damnjanovic (bugtraq_at_mycity.co.yu)
Date: 01/25/05

    To: bugtraq@securityfocus.com
    Date: Tue, 25 Jan 2005 23:48:20 +0100

    After discovering the 'highlight' vulnerability in phpBB, many forums
    were patched, but... it is possible that attackers created [secret]
    admin accounts...
    It is very hard to find secret admin accounts if the forum has too
    many users... you must check every account...

    So, here is a simple PHP script, that will show a list of all admin
    accounts on your phpBB forum.
    Just simply copy this file to phpBB directory...

    After you find attacker admin accounts, and remove admin status
    from those accounts, you can delete this script, and of course, you
    should upgrade your phpBB to the latest version.

    A demonstration of this script can be found at
    http://www.mycity.co.yu/phpbb/admin_list.php

    Best regards,
    Predrag Damnjanovic
    http://www.mycity.co.yu/
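
The post does not include the script itself. Below is an added example (not Predrag's script and not phpBB code) showing the audit it describes: list every account whose user_level is ADMIN and compare it with the admins you know you created. It is written in Python against an in-memory SQLite copy of the relevant phpBB 2.0 columns so it runs offline; the column names (user_id, username, user_level, user_active, user_regdate) and the level constants USER=0, ADMIN=1, MOD=2 are phpBB 2.0's own, while the sample rows and the expected-admin list are constructed for the demonstration. On a live board the same SELECT runs against MySQL with the $dbhost/$dbuser/$dbpasswd/$dbname/$table_prefix values from config.php.

```python
import sqlite3
from datetime import datetime, timezone

# phpBB 2.0 user levels, as defined in includes/constants.php.
USER, ADMIN, MOD = 0, 1, 2

# Minimal subset of phpBB 2.0's users table (real column names).
SCHEMA = """
CREATE TABLE phpbb_users (
    user_id      INTEGER PRIMARY KEY,
    username     TEXT    NOT NULL,
    user_level   INTEGER NOT NULL DEFAULT 0,
    user_active  INTEGER NOT NULL DEFAULT 1,
    user_regdate INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed sample rows (not real forum data): the last two are the kind of
# account a post-compromise audit is looking for.
SAMPLE_USERS = [
    (2, "admin", ADMIN, 1, 1041379200),    # the board's legitimate administrator
    (3, "alice", MOD, 1, 1046000000),      # moderator, not an admin
    (4, "bob", USER, 1, 1070000000),       # ordinary user
    (57, "support", ADMIN, 1, 1106000000), # admin nobody remembers creating
    (58, "Bob", ADMIN, 1, 1106100000),     # admin named to blend in with "bob"
]


def open_sample_db():
    """Build the in-memory SQLite board used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def list_accounts_at_level(conn, level=ADMIN, table_prefix="phpbb_"):
    """Return (user_id, username, user_active, user_regdate) for every account
    at the given level, oldest registration first.  table_prefix comes from the
    board's config.php, not from a user, which is why it is interpolated; the
    level is bound as a parameter."""
    sql = (f"SELECT user_id, username, user_active, user_regdate "
           f"FROM {table_prefix}users WHERE user_level = ? "
           f"ORDER BY user_regdate, user_id")
    return conn.execute(sql, (level,)).fetchall()


def audit_admins(conn, expected_admins, table_prefix="phpbb_"):
    """Split the ADMIN-level accounts into the ones on the allow-list and the
    ones that need investigation.  Names are compared case-insensitively so a
    differently-cased copy of a known name is not silently accepted."""
    expected = {name.lower() for name in expected_admins}
    known, unexpected = [], []
    for row in list_accounts_at_level(conn, ADMIN, table_prefix):
        (known if row[1].lower() in expected else unexpected).append(row)
    return known, unexpected


def format_row(row):
    """Human-readable line: id, name, registration date (user_regdate is a
    Unix timestamp) and whether the account is active."""
    uid, name, active, regdate = row
    reg = datetime.fromtimestamp(regdate, tz=timezone.utc).strftime("%Y-%m-%d")
    return f"#{uid:<4} {name:<16} registered {reg} active={active}"


if __name__ == "__main__":
    conn = open_sample_db()
    known, unexpected = audit_admins(conn, expected_admins=["admin"])
    print("Admin-level accounts:")
    for row in known:
        print("  ok           ", format_row(row))
    for row in unexpected:
        print("  INVESTIGATE  ", format_row(row))
```

The allow-list is the part that turns a listing into an audit: every admin that is not on it gets flagged regardless of how ordinary its name looks. Running the same function with level=MOD is worth doing as well, since an attacker who could add an admin could equally have promoted a moderator.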
