what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpbb2013.txt

phpbb2013.txt
Posted Mar 4, 2005
Authored by Paisterist | Site neosecurityteam.tk

phpBB 2.0.13 fails to properly sanitize some variables in the usercp_register.php script.

tags | exploit, php
SHA-256 | 0752a9f2af60d8528ee32be5f69a3cf658ac23e6660bd352fd557917bff6672f

phpbb2013.txt

Change Mirror Download


/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #08 - 29/02/05
--------------------------------------------------------
Program: phpBB 2.0.13
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.13 & Lower versions
Risk: Low Risk
Impact: bbcode, smilies, and html not bad filtered en usercp_register.php

phpBB 2.0.13 Bad filtered in usercp_register.php
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is an Open Source project that is developed of a big comunnity of programmers. It has suport for a lot of databases, like Oracle, MSSQL, MySql, PostGres, etc, and is one of the more useds precompilateds packages.

- Tested
---------------------------------------------------------
I tested this bug in localhost and other forums

- Explotation
---------------------------------------------------------
The bad code is in the usercp_register.php file. The next part of the code is the vulnerable:

$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];

If we specify a variable in the html code (any type: hidden, text, radio, check, etc) with the name allowhtml, allowbbcode or
allowsmilies, is going to be on the html, bbcode and smilies in our signature. But this only works for private messages.

In the topics our signature is going to be filtered, but no in the private messages.

- Exploit
---------------------------------------------------------
1 - Copy the html code of the registration page of the vulnerable forum.

2 - Change the form action to the path of the forum and profile.php. Example: http://phpbb.com/phpBB2/profile.php

3 - Add the variable for to enable the bbode, htmlcode or smilies (if they're not) in your private messages. Example:





4 - With your html registration page (modified) you have to register any user with some html code in the signature for test
this bug.

- Solutions
--------------------------------------------------------
At this date there is not any update, but we can change the code of the file usercp_register.php

Vulnerable:

$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];

Fixed:

$allowhtml = ( $board_config['allowhtml']) ) ? TRUE : 0;
$allowbbcode = ( $board_config['allowbbcode']) ) ? TRUE : 0;
$allowsmilies = ( $board_config['allowsmilies']) ) ? TRUE : 0;



- References
--------------------------------------------------------
http://neosecurityteam.tk/index.php?pagina=advisories&id=8


- Credits
-------------------------------------------------
Discovered by Paisterist

[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.tk/

Any Question? paisterist.nst[at]gmail[dot]com

Irc.InfoGroup.cl #neosecurityteam

- Greetz
--------------------------------------------------------
Hackzatan
T0wn3r
Crashcool
Daemon21
Merlin
Maxx
Arcanhell

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close