phpbb 2.0.13 Exploit (bug)

From: tOnk3r (m_at_spywire.net)
Date: 03/25/05

    Date: Fri, 25 Mar 2005 21:09:46 +0200
    To: bugtraq@securityfocus.com
    
    

    ------------------------------------------------------------------------
    # phpBB 2.0.13 failure to reset user level after failed exploit
    # discovered By : tOnk3r
    # e-mail : m[at]spywire[dot]net
    # date : 22-march-05
    # shouts: pureone, spywire.net crew , and everybody i know!
    # Versions affected : ALL versions up to and including 2.0.13
    # status : vendor notified (phpbb)
    ------------------------------------------------------------------------

    phpBB is a high powered, fully scalable, and highly customisable open-source
    bulletin board package. phpBB has a user-friendly interface, simple and
    straightforward administration panel, and helpful FAQ. Based on the powerful
    PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
    Access/ODBC database servers, phpBB is the ideal free community solution
    for all web sites.

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    This exploit is an extension of the phpBB 2.0.12 boolean exploit that
    can be found here: http://www.spywire.net/forum/viewtopic.php?t=781 .

    This exploit works because the login allows true boolean strings to
    be entered in place of the password hash and session id.
    It allows an attacker to log in as any user without having to enter
    any authentication by editing a cookie and sending it back to the site.

    The bug I discovered is a bug in the user privilege reset.
    After trying to exploit a patched forum the user remains as admin,
    even though the forum is patched. The forum fails to reset the
    attacker's status to guest after a failed exploit.

    The attacker is able to view invisible members and the "admin control
    panel" link but is unable to navigate the forum as admin.

    With some more investigation I'm certain a critical exploit can be found,
    but so far I am unable to keep admin status after clicking another link.

    '''''''''''''''''''''''''''
          ][=-tOnk3r-=][
    '''''''''''''''''''''''''''

    If you have any more info on this bug please notify me
    either at m[at]spywire[dot]net
    or at www.spywire.net/forum
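
As an added illustration (not part of the original post and not phpBB's code): a Python check that parses a PHP-serialized cookie value and rejects booleans where the password hash and session id must be strings, the type confusion the advisory describes. The field names and both sample cookies are constructed assumptions.

```python
import re
# Hypothetical field names (not phpBB's real cookie keys); each must be a 32-hex string.
EXPECTED = ("password_hash", "session_id")
HEX32 = re.compile(r"[0-9a-f]{32}")
STR_HEAD = re.compile(r's:(\d+):"')
INT_OR_BOOL = re.compile(r"([bi]):(-?\d+);")

def _scalar(data, pos):  # returns (type_tag, value, next_pos)
    m = STR_HEAD.match(data, pos)
    if m:
        start, n = m.end(), int(m.group(1))  # length is in bytes; ASCII assumed
        if data[start + n:start + n + 2] != '";':
            raise ValueError("bad string length")
        return "s", data[start:start + n], start + n + 2
    m = INT_OR_BOOL.match(data, pos)
    if not m:
        raise ValueError("unsupported or malformed value")
    return m.group(1), int(m.group(2)), m.end()

def parse_flat_array(data):
    """Parse a flat PHP-serialized array into {key: (type_tag, value)}."""
    m = re.match(r"a:(\d+):\{", data)
    if not m:
        raise ValueError("not a serialized array")
    pos, out = m.end(), {}
    for _ in range(int(m.group(1))):
        _, key, pos = _scalar(data, pos)
        tag, value, pos = _scalar(data, pos)
        out[key] = (tag, value)
    if data[pos:] != "}":
        raise ValueError("trailing data")
    return out

def check_cookie(data):
    """Return findings for a cookie value; an empty list means well-typed."""
    try:
        fields = parse_flat_array(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    for name in EXPECTED:
        tag, value = fields.get(name, (None, None))
        if tag != "s":  # a boolean or integer here must never reach a comparison
            findings.append(f"{name}: expected string, got type {tag!r}")
        elif not HEX32.fullmatch(value):
            findings.append(f"{name}: not 32 hex digits")
    return findings
# Constructed samples: a well-typed cookie and one carrying booleans.
GOOD = 'a:2:{s:13:"password_hash";s:32:"%s";s:10:"session_id";s:32:"%s";}' % ("ab" * 16, "cd" * 16)
BAD = 'a:2:{s:13:"password_hash";b:1;s:10:"session_id";b:1;}'
```

Rejecting on type before any comparison means a failed attempt never reaches the code path that assigns a user level, which is the state the advisory reports being left behind.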

