re: About phpbb vulnerability

From: Anders Blockmar (anders.blockmar_at_exicom.se)
Date: 01/29/04

    To: "'Marc Soler'" <msoler@el-valles.com>, security-basics@securityfocus.com
    Date: Thu, 29 Jan 2004 09:17:46 +0100
    
    

    What version of PHP are you using?

    I don't know anything about phpbb but there was an upload-related security
    hole in PHP in general a few versions back.

    I have searched http://www.securityfocus.com/bid/ without finding any
    upload bugs for phpbb. There are quite a lot of other bugs, though.

    Regards,

    Anders

    > -----Original message-----
    > From: Marc Soler [mailto:msoler@el-valles.com]
    > Sent: 28 January 2004 19:39
    > To: security-basics@securityfocus.com
    > Subject: About phpbb vulnerability
    >
    >
    > Hi all,
    >
    > Does anyone know whether a bug has been noticed in phpbb that
    > allows bad boys to upload files to the server when phpbb is installed?
    > (Phpbb is an extended PHP-based bulletin board.)
    >
    > We have hacking problems on our server and we suspect that they come
    > from PHP scripts
    > uploaded using some phpbb hole.
    >
    > I have googled for known phpbb holes, but I haven't found
    > anything about a file upload vulnerability.
    >
    > Does anyone have related information?
    >
    > Thanks in advance.
    >
    > PS: Sorry about my non-native English
    >
    > --
    > Marc Soler
    >
