[22133] in bugtraq
Re: phpBB 1.4.0 bug leads to easy admin privileges
daemon@ATHENA.MIT.EDU (Joao Gouveia)
Mon Aug 6 05:37:32 2001
Message-ID: <003e01c11d19$19eb6650$0c00a8c0@DOMCORBUSIER.TESTES>
From: "Joao Gouveia" <tharbad@kaotik.org>
To: <bugtraq@securityfocus.com>
Date: Sat, 4 Aug 2001 20:10:18 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hi all,
This is regarding a phpBB security hole found some months ago.
Since this one came out, and the other (being a lot worse) didn't, I
thought it might have some interest.
This applies only to phpBB v1.4.0.
-----
----- Original Message -----
From: "UnderSpell" <underspell@accao.net>
To: <james@phpbb.com>
Sent: Thursday, May 17, 2001 12:15 PM
Subject: Security bug in phpBB
>
>
> Hi there!
>
> We've recently (actually not so recently) discovered a way to run any code
> using phpBB.
>
> The approach was very simple:
> At a given point you run an eval "eval($l_statsblock);".
> Since $l_statsblock is a language var we just have to find a way to set
> ourselves up with an invalid lang file:
> after login, go to user prefs and
>
> http://hacks.phpbb.com/phpBB/prefs.php?viewemail=1&savecookie=0&sig=0&smile=0&dishtml=0&disbbcode=0&themes=2&lang=THIS_IS_AN_INVALID_LANG_FILE&save=1&user=&submit=Gravar+Prefer%EAncias
> By this time $l_statsblock is no longer initialized so we can do funny
> stuff with it, like:
> http://hacks.phpbb.com/phpBB/prefs.php?l_statsblock=phpinfo();
> or
>
> http://hacks.phpbb.com/phpBB/prefs.php?teste=/etc/passwd&l_statsblock=include($teste);
> and so on ... we only checked the phpinfo one against the hack forum and the
> second against my production and staging boards.
>
> You have two ways to fix this:
>
> 1) Check if the lang file exists (when trying to include)
>
> --- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001
> +++ phpBB/auth.php Thu May 17 12:11:01 2001
> @@ -273,16 +273,19 @@
> // Include the appropriate language file.
> if(!strstr($PHP_SELF, "admin"))
> {
> - include('language/lang_'.$default_lang.'.'.$phpEx);
> + $langfile = 'language/lang_'.$default_lang.'.'.$phpEx;
> }
> else
> {
> if(strstr($PHP_SELF, "topicadmin")) {
> - include('language/lang_'.$default_lang.'.'.$phpEx);
> - } else {
> - include('../language/lang_'.$default_lang.'.'.$phpEx);
> - }
> + $langfile ='language/lang_'.$default_lang.'.'.$phpEx;
> + } else {
> + $langfile = '../language/lang_'.$default_lang.'.'.$phpEx;
> + }
> }
> +
> + if ( ! file_exists($langfile) ) { die("Invalid Language");}
> + else { include($langfile); }
>
> // See if translated pictures are available..
> $header_image = get_translated_file($header_image);
>
>
> // See if translated pictures are available..
> $header_image = get_translated_file($header_image);
>
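Review bot: the file_exists() guard added at the end of this hunk only refuses to include a path that does not exist; it still concatenates $default_lang straight into $langfile without constraining the value, so the language name should be checked against a fixed pattern or the list of installed languages before the path is built, and the die("Invalid Language") branch should record the rejected value so that failed attempts are visible in logs. The trailing context (the `// See if translated pictures are available..` comment and the `$header_image = get_translated_file($header_image);` line) also appears twice after the hunk, which looks like a paste error and would stop the patch from applying cleanly.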
> 2) Initialize $l_statsblock before trying to include (preferred)
>
> --- phpBB-1.4.0/auth.php Wed Apr 25 05:47:59 2001
> +++ phpBB/auth.php Thu May 17 11:39:33 2001
> @@ -269,6 +269,7 @@
> // set vars for all scripts
> $now_time = time();
> $last_visit = $temptime;
> +$l_statsblock = '';
>
> // Include the appropriate language file.
> if(!strstr($PHP_SELF, "admin"))
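Review bot: the single `$l_statsblock = '';` line covers only the variable named in the report; every other $l_* string the language file would normally define stays unset whenever the include that follows this hunk fails, and under register_globals an unset variable is exactly what request input can fill in. This initialisation is a sensible default but should be paired with rejecting unknown values of $default_lang (as in the first patch) rather than used on its own, and ideally the language strings would be rendered without passing them to eval() at all.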
>
>
>
> Credits for this should go to tharbad@kaotik.org and
> UnderSpell@accao.net.
>
> (A)UnderSpell
>
---
----- Original Message -----
From: <kill-9@modernhackers.com>
To: <bugtraq@securityfocus.com>
Sent: Friday, August 03, 2001 8:51 PM
Subject: phpBB 1.4.0 bug leads to easy admin privileges
> -New phpBB 1.4.x exploit
> phpBB is an open source bulletin board created by the phpBB group.
> Version 1.4.x of phpBB has a variable input validation problem that can
> lead to limited arbitrary SQL queries, including gaining administrative
> access to the board.
(...)
Best regards,
Joao Gouveia
--------------
tharbad@kaotik.org
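As an added illustration (not phpBB's code and not from either message above), here is a language-loading step written the way the two fixes suggest, but generalised: the language name is whitelisted and resolved inside a fixed directory, every language string gets a default before the include, the include runs in function scope so request variables cannot stand in for missing ones, and the stats block is rendered with sprintf() instead of eval(). LANG_DIR, the lang_<name>.php layout and the function names are assumptions.

```php
<?php
// Added example, not phpBB code. Assumes language files live in
// language/lang_<name>.php and each defines $l_* string variables.
const LANG_DIR = __DIR__ . '/language';

// Map a user-supplied language name to a file inside LANG_DIR, or null.
function resolve_lang_file(string $lang): ?string
{
    // Accept only a plain name; no dots, slashes or NUL bytes reach the path.
    if (!preg_match('/^[a-z][a-z0-9_]{0,15}$/', $lang)) {
        return null;
    }
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/lang_' . $lang . '.php');
    // realpath() returns false for a missing file and resolves symlinks, so
    // the prefix test guarantees the file really sits under LANG_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Load the language strings into an array. Defaults are assigned first and
// the include runs in this function's scope, so a failed include leaves the
// defaults in place rather than leaving globals for the request to supply.
function load_language(string $lang, string $fallback = 'english'): array
{
    $l_statsblock = 'Our users have posted a total of %d articles';
    $l_welcome    = 'Welcome to the forum';
    $file = resolve_lang_file($lang) ?? resolve_lang_file($fallback);
    if ($file !== null) {
        include $file;  // may only overwrite the locals defined above
    }
    return ['statsblock' => $l_statsblock, 'welcome' => $l_welcome];
}

// Render with a printf placeholder instead of eval() on the string.
function render_statsblock(array $l, int $total_posts): string
{
    return sprintf($l['statsblock'], $total_posts);
}

$strings = load_language($_GET['lang'] ?? 'english');
echo render_statsblock($strings, 1234), "\n";
```

With no language directory present, both lookups return null and the built-in defaults are rendered; a request value such as `lang=../x` fails the pattern check before any path is built.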