[22116] in bugtraq
Re: phpBB 1.4.0 bug leads to easy admin privileges
daemon@ATHENA.MIT.EDU (Paul Burney)
Fri Aug 3 18:36:53 2001
Date: Fri, 03 Aug 2001 15:01:36 -0700
From: Paul Burney <burney@gseis.ucla.edu>
To: <bugtraq@securityfocus.com>
Message-ID: <B7906D50.3813%burney@gseis.ucla.edu>
In-Reply-To: <20010803195128.28174.qmail@securityfocus.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
on 8/3/01 12:51 PM, kill-9@modernhackers.com (kill-9@modernhackers.com)
wrote:
> found by: kill-9@modernhacker.com
> http://www.modernhacker.com
I don't know whether or not kill-9 notified anyone about his exploit before
posting. He also didn't mention a fix for the problem. One fix can be
found at:
<http://www.game-mods.com/prefs.php.txt>
I didn't write the code but saw it on the phpBB support forum.
Please note there is a slight typo in the file. The correct lines to add
around line 51 in prefs.php are:
$fviewemail = str_replace('=','',$viewemail);
$fthemes = str_replace('=','',$themes);
$fsig = str_replace('=','',$tsig);
$fsmile = str_replace('=','',$smile);
$fdishtml = str_replace('=','',$dishtml);
$fdisbbcode = str_replace('=','',$disbbcode);
$flang = str_replace('=','',$lang);
$sql = "UPDATE users SET user_viewemail='$fviewemail',
user_theme='$fthemes', user_attachsig = '$fsig', user_desmile = '$fsmile',
user_html = '$fdishtml', user_bbcode = '$fdisbbcode', user_lang = '$flang'
WHERE (user_id = '$userdata[user_id]')";
There may be other bugs in the code in other files that can be exploited in
a similar fashion, but this resolves one immediate threat.
Another user named mmj on the boards mentioned:
> Removing the = signs in all the variables is one solution. Using addslashes()
> on all the variables is an alternative solution.
Hope that helps.
Sincerely,
Paul Burney
+-------------------------+---------------------------------+
| Paul Burney | P: 310.825.8365 |
| Webmaster && Programmer | E: <webmaster@gseis.ucla.edu> |
| UCLA -> GSE&IS -> ETU | W: <http://www.gseis.ucla.edu/> |
+-------------------------+---------------------------------+
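Added example (not part of Paul Burney's post, the forum fix, or phpBB's own code): the message above describes a prefs.php UPDATE built by pasting user-supplied preference values straight into the SQL string, and two proposed fixes, stripping '=' from each value or running them through addslashes(). The Python/sqlite3 script below models that pattern so it can be run offline: the column names user_theme and user_lang follow the UPDATE quoted in the post, while "user_level" is an assumed placeholder for the privilege column such an attack would target and the payload is a constructed input of the kind the '=' stripping is meant to block. Alongside the vulnerable and '='-stripping variants it shows a parameterized query, which is the robust form of the addslashes() suggestion: the driver binds the values, so quotes and '=' are stored as data rather than parsed as SQL.

```python
import sqlite3

# Constructed in-memory schema for the demonstration. The preference columns
# follow the UPDATE quoted in the post; "user_level" is an assumed name for the
# privilege column the attack targets and is not taken from the post.
SCHEMA = """
CREATE TABLE users (
    user_id    INTEGER PRIMARY KEY,
    user_theme TEXT,
    user_lang  TEXT,
    user_level INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users (user_id, user_theme, user_lang) VALUES (1, 'default', 'english');
"""

# Constructed payload: closes the quoted theme value and appends one more
# SET assignment. This is the class of input the thread's '=' stripping aims at.
PAYLOAD = "default', user_level='4"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def update_prefs_vulnerable(con, user_id, theme, lang):
    """Mirror of the original prefs.php pattern: values pasted into the SQL string."""
    sql = (f"UPDATE users SET user_theme='{theme}', user_lang='{lang}' "
           f"WHERE (user_id = '{user_id}')")
    con.execute(sql)
    con.commit()


def update_prefs_strip_equals(con, user_id, theme, lang):
    """The forum fix from the post: str_replace('=', '', ...) on each value."""
    ftheme = theme.replace("=", "")
    flang = lang.replace("=", "")
    sql = (f"UPDATE users SET user_theme='{ftheme}', user_lang='{flang}' "
           f"WHERE (user_id = '{user_id}')")
    con.execute(sql)
    con.commit()


def update_prefs_parameterized(con, user_id, theme, lang):
    """Robust alternative: bind the values so the driver never parses them as SQL."""
    con.execute(
        "UPDATE users SET user_theme = ?, user_lang = ? WHERE user_id = ?",
        (theme, lang, user_id),
    )
    con.commit()


def row(con, user_id):
    return con.execute(
        "SELECT user_theme, user_level FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()


def try_update(fn, theme):
    """Run one variant against a fresh DB; report the outcome and the resulting row."""
    con = fresh_db()
    try:
        fn(con, 1, theme, "english")
        outcome = "ok"
    except sqlite3.OperationalError:
        outcome = "syntax error"   # the injected or mangled text no longer parses
    theme_after, level_after = row(con, 1)
    return outcome, theme_after, level_after


def run_demo():
    """Compare the three variants on the injection payload and on a benign quote."""
    return {
        # Attack payload: the vulnerable query sets user_level to 4; stripping '='
        # breaks the injected assignment (query fails, nothing changes); the
        # parameterized query stores the payload as an ordinary theme string.
        "vulnerable":    try_update(update_prefs_vulnerable, PAYLOAD),
        "strip_equals":  try_update(update_prefs_strip_equals, PAYLOAD),
        "parameterized": try_update(update_prefs_parameterized, PAYLOAD),
        # Benign value containing a quote: the string-built query still fails,
        # showing that the quote, not '=', is what actually breaks out of the value.
        "benign_quote":  try_update(update_prefs_strip_equals, "O'Brien"),
        "benign_param":  try_update(update_prefs_parameterized, "O'Brien"),
    }


if __name__ == "__main__":
    for name, (outcome, theme, level) in run_demo().items():
        print(f"{name:14s} {outcome:13s} theme={theme!r} user_level={level}")
```

The '=' stripping does stop the specific payload because an extra assignment cannot be written without '=', but the benign "O'Brien" case shows the query is still being assembled from untrusted text. Escaping quotes (addslashes() in the PHP of the day) or, better, binding parameters addresses the root cause rather than one character the attacker happens to need.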