what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Hardened-PHP Project Security Advisory 2005-17.75

Hardened-PHP Project Security Advisory 2005-17.75
Posted Nov 1, 2005
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

phpBB versions 2.0.17 and below are susceptible to multiple cross site scripting and SQL injection flaws.

tags | advisory, xss, sql injection
SHA-256 | b87a7fdac987ea5f043c9ea4c2452f356b8ee2127f77b05d8e0b347a4f218b3e

Hardened-PHP Project Security Advisory 2005-17.75

Change Mirror Download
Hash: SHA1

Hardened-PHP Project

-= Security Advisory =-

Advisory: phpBB Multiple Vulnerabilities
Release Date: 2005/10/31
Last Modified: 2005/10/31
Author: Stefan Esser [sesser@hardened-php.net]

Application: phpBB <= 2.0.17
Severity: Multiple vulnerabilities allow XSS, SQL injection
and remote code execution
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_172005.75.html


Quote from www.phpbb.com:
"phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database
servers, phpBB is the ideal free community solution for all
web sites."

Because of our research into register_globals deregistration
codes, the implementation within phpBB was audited and several
weaknesses were found, that allowed to completely bypass the
protection on PHP5 servers.

After these weaknesses were found and disclosed to the vendor
nearly 80 days ago, several problems with unitialised variables
were discovered that allow XSS, SQL injection and even remote
execution of arbitrary PHP code, when phpBB is used with
register_globals turned on.

While register_globals=off is the recommended setting, most web-
hosters, even those that actually run PHP5, still have it
enabled because it is their customers wish.


To get rid of possible security problems caused by not properly
initialised variables phpBB comes with the following piece of
code, that is intended to deregister global variables, which were
created because of the register_globals directive. Unfortunately
there are atleast 3 ways to bypass the protection.

// PHP4+ path
$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

// Not only will array_merge give a warning if a parameter
// is not an array, it will actually fail. So we check if
// HTTP_SESSION_VARS has been initialised.
if (!isset($HTTP_SESSION_VARS))

// Merge all into one extremely huge array; unset
// this later
$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS,


while (list($var,) = @each($input))
if (!in_array($var, $not_unset))


Bypass Vulnerabilities

[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
variable $foobar by supplying a GET/POST/COOKIE variable
with the name 'foobar' but also by supplying a GPC variable
called 'GLOBALS[foobar]'. If the variable is supplied in
that way, the code above will not try to unset $foobar, but
$GLOBALS, which completely bypasses the protection.

[2] When the session extension is not started by a call to
session_start(), PHP does not know about the variables
$_SESSION or $HTTP_SESSION_VARS, which means, it is possible
to fill them with any value if register_globals is turned on.
Combined with the fact (that was even documented in the phpBB
code), that array_merge() will fail in PHP5, when at least
one of the parameters is not an array, it is possible for an
attacker to simply set HTTP_SESSION_VARS to a string and let
the complete protection fail, because $input ends up empty.

[3] When register_long_array is turned off PHP does not know
anymore about all the HTTP_* variables. This means they can
be filled with anything that is completely unrelated to the
existing global variables. It is obvious that the protection
cannot work, when this configuration is choosen.

Additonally to the 3 possible ways to bypass the globals
deregistration code, several not properly initalised variables
were disclosed to the vendor, that can even lead to remote code

Not properly initialised variables

[1] Within usercp_register.php the variable 'error_msg' is not
properly initialised and can therefore be used to inject
arbitrary HTML code

[2] Within login.php the variable 'forward_page' is not properly
initialised and can be used to inject arbitrary HTML code

[3] Within search.php the variable 'list_cat' is not properly
initialised and can be used to inject arbitrary HTML

[4] Within usercp_register.php the variable 'signature_bbcode_uid'
is not properly initialised and can be used for SQL injection
of arbitrary 'field=xxx' statements into queries operating
on the user table, when magic_quotes_gpc is turned off.

[5] The same variable [4] can be used to inject f.e. the 'e'
modifier into the first parameter of a preg_replace()
statement, which means, that the second parameter is
evaluated as PHP code. Because the second parameter is
entirely filled with the user supplied signature, it is
possible to execute any PHP code. This can be exploited,
no matter if magic_quotes_gpc is turned on or off, just
2 different code paths need to be triggered.

Proof of Concept:

The Hardened-PHP project is not going to release exploits for any
of these vulnerabilities to the public.

Disclosure Timeline:

14. August 2005 - First contact with vendor through their
security bugtracker.
30. October 2005 - Vendor released new version.
31. October 2005 - Public disclosure.


It is strongly recommended to upgrade to the new phpBB release
or to switch to another bulletin board application.

You can get the new phpBB release at:




pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By