Waraxe IT Security Portal

darkclaw · Regular user

PhpBB - [img][/img] vulnerability

Affected: phpBB 2.0.17 and most likely below.

Discovered by: Easyex.

Create a folder on a remote host like 'exploit.jpg' and then we would put the following in our signature:

zer0-c00l · Advanced user

any examples of the malicious html code?

Tomanas · Active user

yeah, i would be interesting what kind of malicious code you can insert Wink

----edit:
well i tried to insert this script:
<?
echo 'HOST: '.$dbhost.'<BR>dbNm: '.$dbname.'<BR>USER: '.$dbuser.'<BR>PASS: '.$dbpasswd.'<BR>TABLE PREFIX: '.$table_prefix;
?>
But nothing happened.....one more question, from where did you got this vuln ?
----edit 2:
man, you made a "little" mistake, Easyex found a bbcode img vuln *NOT* in the phpBB, but *IN* the php fusion.......shit, man, you made me laugh...
Here's the poc: http://www.milw0rm.com/id.php?id=1135

darkclaw · Regular user

Tomanas · Active user

no hard feelings nigga ;-] when i googled, at first i found that it's a php-fusion exploit, so nevermind Wink

LordLucan · Beginner

I need a little help here as I am new to php. Does this just run the html or php file in the browsers of the people using the forum or can the index.php file be used to interact with the forum database?

If the index.php file can interact with the database could someone post an example of some code that could be saved as index.php that would allow me to do this? For example to extract users passwords.

Sorry if this sounds like a typical newbies "teach me to hack" question but I would appreciate anyone helping me to learn.

If it just runs the file in the users browser what sort of code could be used? Would it just be something like using IE Exploiter code to download trojans on to the users machines or what?

Much thanks to anyone who can hellp me learn Smile

shai-tan · Valuable expert

Wow this is the most confussing post.... Well I dont care so if I added something along the lines of this perhaps

beford · Beginner

i havn't tested this, but i dont think that it will allow any server side php execution. I guess that it's only for XSS. (steal cookies)

Tomanas · Active user

yeah, as i was talking to this bug's founder, he said, that it's impossible to get info from let a say config.php.....so i think it's just ant xss bug....well, lets wait for a genius, who will write something useful.... Smile

lunix · Regular user

This is silly. Its obvious that it has no potential at all.
The person who claims they "discovered an exploit" needs a slap
From reading the posts it looks like you people dont even know HTML.

By putting a url between [bbcode] you are simulating html.
The scripts will then replace [img] with <img src=" and [/img] with ">

This means the browser is expecting an image and will treat the data it recieves as an image. It will not include any php, it will not render html, it will not execute javascript. It will only display an image.
The only way this would work is if you use a php script that produces an image (GD library), and that has no potential for an exploit either.

The complete lack of any POC makes me think the the person who claimed to have discovered an exploit knows absolutly nothing.

now, Think about it. Rolling Eyes

Damn skiddies.... people dont even think any more.

thanks.

shai-tan · Valuable expert

We are not all script kiddies here mate Wink

Easyex · Regular user

Obviously you don't know what your talking about.

It wont run a php script will it? Ahh yes that's why i have already showed proof to PhpBB's support team (NeoThermic) and they came up with even more ways to fake an image and enter data via a php file and execute it so.. yeah think again before you speak.

NeoThermic from PhpBB confirmed the vuln, but you wont be able to gain access it simply loads the php script file from a remote server.. (you can get the header to send to a logout, and do other pointless stuff)

Regards,

Easyex.

lunix · Regular user

The PHP will NOT be run on the server you are trying to exploit.
It will be run on YOUR server. so there is no XSS possability.
Then the image headers are sent to the browsers and an image is downloaded.
OMFG!! AN IMAGE!! 1337!!! Rolling Eyes

post the POC if yor so sure its an exploit. Seems so be a lot of guff and no substance.

People have been using php images for years.
The script is NOT being run on in target server, its run in your server.
The script is NOT included in the page on the remote server, an image is downloaded client side. This has no more potential that an ordinary png image.

BTW.
if it is an exploit or flaw (which is ins't) then it will be impossible to patch it without banning images completely.

Easyex · Regular user

Go talk to NeoThermic from PhpBB and then find out.

No it does not execute on the PhpBB server.

It executes once the page is loaded, It wont show javascript, it wont show the php script it will only execute what ever is inside it.

And i'll say it again go get in contact with NeoThermic from PhpBB's support team and he will tell you the same thing i have.

You cant gain access to PhpBB but you can still do certian things with it.

We already tested this and PhpBB confirmed it, Would PhpBB confirm it if it didn't work? ...

So shut up already you fool.

lunix · Regular user

post a proof of concept code then if your so confident this will have an effect.

we tried every possability 18 months ago, nothing would work.
Because you are using img tags it only has the ability to display an image, so image headers are sent. That means the browser will only treat what it recieves as an image. nothing executes client side or server side.
Only the script on your server will run, and it can only output an image.

If this has any chance of working then ALL images would work, not just gd library.

By using a folder called image.gif and putting the script in it as index.php you are simulating the mod_rewrite function of linux servers.
Nothing more.

so, lets see some proof of concept.