|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 109
Members: 0
Total: 109
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
2 new Vulnerabilities 2.0.17 |
|
Posted: Mon Oct 31, 2005 8:53 pm |
|
|
WaterBird |
Active user |
|
|
Joined: May 16, 2005 |
Posts: 37 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Mon Oct 31, 2005 11:21 pm |
|
|
chapinhack |
Beginner |
|
|
Joined: Nov 01, 2005 |
Posts: 1 |
|
|
|
|
|
|
|
how to operate this bug? some examples? |
|
|
|
|
Posted: Tue Nov 01, 2005 1:00 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Read it properly chapinhack
Quote: | phpBB is prone to multiple unspecified vulnerabilities. Some of these issues result from insufficient sanitization of user-supplied data, however, the causes and impacts of other issues were not specified.
phpBB 2.0.17 and prior versions are affected by these issues.
Due to a lack of information, further details cannot be provided at the moment. It is possible that some of these issues were reported prior to the release of this record. This BID will be updated when more information becomes available. | |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
Posted: Tue Nov 01, 2005 6:34 am |
|
|
g30rg3_x |
Active user |
|
|
Joined: Jan 23, 2005 |
Posts: 31 |
Location: OutSide Of The PE |
|
|
|
|
|
|
i think most of this "fixes" just make for improvemmed...
as now i just see some and they are just for performarce, i didn't see at all because it is a large list...
but if i found one, i would make a full description...
grettings from mexico |
|
Last edited by g30rg3_x on Tue Nov 01, 2005 3:45 pm; edited 1 time in total |
|
|
|
Posted: Tue Nov 01, 2005 7:03 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Not just that but there was a way to by pass the register globals disabling in the phpBB script. |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Tue Nov 01, 2005 3:43 pm |
|
|
g30rg3_x |
Active user |
|
|
Joined: Jan 23, 2005 |
Posts: 31 |
Location: OutSide Of The PE |
|
|
|
|
|
|
yeah but is still hard for bypass register_globals
but we can make a just little code for PoC...
grettings shai-tan |
|
|
|
|
|
|
|
|
Posted: Tue Nov 01, 2005 4:49 pm |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Not as hard as you might think.
Quote: | Bypass Vulnerabilities
----------------------
[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
variable $foobar by supplying a GET/POST/COOKIE variable
with the name 'foobar' but also by supplying a GPC variable
called 'GLOBALS[foobar]'. If the variable is supplied in
that way, the code above will not try to unset $foobar, but
$GLOBALS, which completely bypasses the protection.
[2] When the session extension is not started by a call to
session_start(), PHP does not know about the variables
$_SESSION or $HTTP_SESSION_VARS, which means, it is possible
to fill them with any value if register_globals is turned on.
Combined with the fact (that was even documented in the phpBB
code), that array_merge() will fail in PHP5, when at least
one of the parameters is not an array, it is possible for an
attacker to simply set HTTP_SESSION_VARS to a string and let
the complete protection fail, because $input ends up empty.
[3] When register_long_array is turned off PHP does not know
anymore about all the HTTP_* variables. This means they can
be filled with anything that is completely unrelated to the
existing global variables. It is obvious that the protection
cannot work, when this configuration is choosen.
Additonally to the 3 possible ways to bypass the globals
deregistration code, several not properly initalised variables
were disclosed to the vendor, that can even lead to remote code
execution. |
And once you have done so this is the options you can look at.
Quote: |
Not properly initialised variables
----------------------------------
[1] Within usercp_register.php the variable 'error_msg' is not
properly initialised and can therefore be used to inject
arbitrary HTML code
[2] Within login.php the variable 'forward_page' is not properly
initialised and can be used to inject arbitrary HTML code
[3] Within search.php the variable 'list_cat' is not properly
initialised and can be used to inject arbitrary HTML
[4] Within usercp_register.php the variable 'signature_bbcode_uid'
is not properly initialised and can be used for SQL injection
of arbitrary 'field=xxx' statements into queries operating
on the user table, when magic_quotes_gpc is turned off.
[5] The same variable [4] can be used to inject f.e. the 'e'
modifier into the first parameter of a preg_replace()
statement, which means, that the second parameter is
evaluated as PHP code. Because the second parameter is
entirely filled with the user supplied signature, it is
possible to execute any PHP code. This can be exploited,
no matter if magic_quotes_gpc is turned on or off, just
2 different code paths need to be triggered. |
Glad to see you again g30rg3_x. |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
Posted: Tue Nov 01, 2005 7:49 pm |
|
|
Tomanas |
Active user |
|
|
Joined: Jan 30, 2005 |
Posts: 29 |
|
|
|
|
|
|
|
ok, i read whole document and i still don't know how to exploit that bug |
|
|
|
|
Posted: Wed Nov 02, 2005 1:15 am |
|
|
g30rg3_x |
Active user |
|
|
Joined: Jan 23, 2005 |
Posts: 31 |
Location: OutSide Of The PE |
|
|
|
|
|
|
Thank you shai-tan...
with this i think i can make a little PoC
grettings |
|
Last edited by g30rg3_x on Thu Nov 03, 2005 2:50 pm; edited 1 time in total |
|
|
|
Posted: Wed Nov 02, 2005 2:17 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Wed Nov 02, 2005 10:44 pm |
|
|
WaterBird |
Active user |
|
|
Joined: May 16, 2005 |
Posts: 37 |
|
|
|
|
|
|
|
as always waiting for an exploit |
|
|
|
|
Posted: Thu Nov 03, 2005 12:48 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Best and most satisfying is learning how to make them your-self. And then making them
Shai-tan |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Thu Nov 03, 2005 2:48 am |
|
|
WaterBird |
Active user |
|
|
Joined: May 16, 2005 |
Posts: 37 |
|
|
|
|
|
|
|
shai-tan wrote: | Best and most satisfying is learning how to make them your-self. And then making them
Shai-tan |
Don't have mutch time to do that Work etc :} Maybe some day :] |
|
|
|
|
Posted: Thu Nov 03, 2005 3:07 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
lolz it seems time is everones reason! lolz |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Thu Nov 03, 2005 2:49 pm |
|
|
g30rg3_x |
Active user |
|
|
Joined: Jan 23, 2005 |
Posts: 31 |
Location: OutSide Of The PE |
|
|
|
|
|
|
like everybody i dont have really much time...
but i'm researching for exploit or well know in IT Security as Proof-Of-Concept, obviously i dont have enought time to do that rapidly...
so, like shai-tan says its very satisfying learning how to make by your-seld, than just wait for a new exploit/PoC and just used for be just another "deface kiddie or script kiddie"...
grettings from mexico shai-tan && waterbird |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|