Network Security Vuln-Dev

-==phpBB 2.0.12 Full path disclosure==-

Subject: -==phpBB 2.0.12 Full path disclosure==-
Date: 26 Feb 2005 11:29:08 -0000


/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]. - Advisory #06 - 25/02/05
--------------------------------------------------------
Program:  phpBB 2.0.12
Homepage:  http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.12 & Lower versions
Risk: Low
Impact: Full path disclosure

      -==phpBB 2.0.12 Full path disclosure==-
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

- Tested
---------------------------------------------------------
localhost & many forums

- Exploitation
---------------------------------------------------------
phpBB/viewtopic.php?p=6&highlight=\[HaCkZaTaN]

It will come out something like this:

Warning: Compilation failed: missing terminating ] for character class at offset 20 in /home/nst/forum/viewtopic.php(1110) : regexp code on line 1

It gives a full path disclosure. One other thing I noticed: if the post changes, nothing comes out in the highlight variable.

Here is the problem:
-----[ Start Vuln Code ] ------------------------------------

1106: if ($highlight_match)
1107: {
1108:     // This was shamelessly 'borrowed' from volker at multiartstudio dot de
1109:     // via php.net's annotated manual
1110:     $message = str_replace('\"', '"',
              substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
                  "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')",
                  '>' . $message . '<'), 1, -1));
1111: }

-----[ End Vuln Code ] ------------------------------------
Don't borrow stuff lol.

- Exploit
---------------------------------------------------------
Not Yet xD
 
- Solutions
--------------------------------------------------------
Not Yet xD

OK, another thing I noticed was in php.ini:

magic_quotes_gpc = On
magic_quotes_sybase = Off

You have to turn both of them on.

- References
--------------------------------------------------------
http://neossecurity.net/Advisories/Advisory-06.txt


- Credits
-------------------------------------------------
Discovered by HaCkZaTaN <hck_zatan@hotmail.com>

[N]eo [S]ecurity [T]eam [NST]. - http://neossecurity.net/

Got Questions? http://neossecurity.net/

Irc.InfoGroup.cl #neosecurityteam

- Greets
--------------------------------------------------------
           Paisterist
           T0wn3r
           Heap
           Nitrous
           CrashCool
           eL_mEsIaS
           Makoki

           And my Colombian people

        @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
        '@@@@@''@@'@@@''''''''@@''@@@''@@
        '@@'@@@@@@''@@@@@@@@@'''''@@@
        '@@'''@@@@'''''''''@@@''''@@@
        @@@@''''@@'@@@@@@@@@@''''@@@@@
*/
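Added example, not phpBB's code and not part of the advisory above: the inner highlight pattern from line 1110 rebuilt in plain PHP, with the user term spliced in verbatim beside a hardened version. The outer tag-skipping preg_replace() and its e modifier are left out to isolate the path-disclosure condition; highlight_unsafe(), highlight_safe(), the post text and the highlight terms are names and inputs constructed for this demonstration. Two points a practitioner should take from the advisory: the term has to reach the pattern through preg_quote() so a stray "[" cannot break compilation, and a PCRE compile warning only leaks the script path because PHP was allowed to print it, so display_errors should be off on any production host regardless of the application fix. Note also that the e modifier on the pattern shown at line 1110 makes the replacement string be evaluated as PHP code, so the sanitisation applied to $highlight_match before that point (not shown in the advisory) is the part of viewtopic.php to audit.

```php
<?php
// Added example, not code from phpBB or from the advisory. A post highlighter
// built the way line 1110 builds its inner pattern (user term spliced into a
// PCRE pattern) next to a hardened version. Names and inputs are constructed.

// Constructed post body, theme colour (stands in for $theme['fontcolor3']) and
// an unbalanced "[" as the highlight term: the condition behind
// "missing terminating ] for character class" in the advisory's warning.
$message  = 'HaCkZaTaN reported a path disclosure in viewtopic.php';
$color    = '000000';
$badTerm  = '[HaCkZaTaN';
$goodTerm = 'viewtopic.php';

// Vulnerable: the term is interpolated verbatim. PCRE fails to compile the
// pattern, preg_replace() returns null and PHP raises an E_WARNING whose text
// ends in "in /full/path/to/script.php on line N". With display_errors=On that
// line is sent to the browser, which is the whole of the disclosure.
function highlight_unsafe(string $message, string $term, string $color): ?string
{
    $pattern = '#\b(' . $term . ')\b#i';
    return preg_replace($pattern,
        '<span style="color:#' . $color . '"><b>\1</b></span>', $message);
}

// Hardened: preg_quote() escapes every PCRE metacharacter (and the "#"
// delimiter), so the term can only ever match literally. The call is still
// guarded: a null result means the pattern was rejected, the reason is
// logged server-side, and the post is returned unhighlighted rather than
// letting any warning text reach the client.
function highlight_safe(string $message, string $term, string $color): string
{
    $pattern = '#\b(' . preg_quote($term, '#') . ')\b#i';
    $out = @preg_replace($pattern,
        '<span style="color:#' . $color . '"><b>\1</b></span>', $message);
    if ($out === null) {
        error_log('highlight pattern rejected, preg error ' . preg_last_error());
        return $message;
    }
    return $out;
}

// Before hardening the server: on a host with display_errors=On this call
// prints the compile warning, including the script's absolute path.
var_dump(highlight_unsafe($message, $badTerm, $color));

// Server-side defence that does not depend on the application code: warnings
// go to the error log, never into the HTTP response (display_errors=Off and
// log_errors=On in php.ini have the same effect for every script).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The hardened version matches the literal term and degrades quietly when
// given the advisory-style input.
echo highlight_safe($message, $goodTerm, $color), "\n";
echo highlight_safe($message, $badTerm, $color), "\n";
```

Run it once with display_errors=On in the CLI configuration to see the warning that the advisory reproduces, then again after the ini_set() calls take effect: the unsafe function still returns null, but the path stays in the error log. The "@" in highlight_safe() is only a belt-and-braces measure for the case where preg_quote() has already made a compile failure impossible; the real fix is the escaping plus the null check.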
