Waraxe IT Security Portal
Login or Register
November 15, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 82
Members: 0
Total: 82
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> Vulns in Phpbb 2.0.11
Post new topicReply to topic View previous topic :: View next topic
Vulns in Phpbb 2.0.11
PostPosted: Fri Feb 18, 2005 10:24 am Reply with quote
Zeelock
Active user
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night




Possible Sql Injection (By Jtm297):

http://www.site.com/phpBB2/index.php/search.php/?search_author=\*\*\*\*\*\*\*\*\*\

Here Will happen the following error:


Code:
Couldn't obtain list of matching users (searching for: \\%\\%\\%\\%\\%\\%\\%\\%\)

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\%\\%\\%\\%\\%\\%\\%\\%\'' at line 3

SELECT user_id FROM phpbb_users WHERE username LIKE '\\%\\%\\%\\%\\%\\%\\%\\%\'

Line : 207
File : /web/htdocs/www.f-g.it/home/lugb/phpBB2/search.php


Due to Trim and strreplace functions in the following code:

Code:
$search_author = str_replace('*', '%', trim($search_author));

$sql = "SELECT user_id
FROM " . USERS_TABLE . "
WHERE username LIKE '" . str_replace("\'", "''", $search_author) . "'";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching for: $search_author)", "", __LINE__, __FILE__, $sql);
}


Poklyezz says that this issue is due to the "/" passed after that the 26th character is truncated.

It seems to be not exploitable.[/b]


Last edited by Zeelock on Fri Feb 18, 2005 11:47 am; edited 1 time in total

_________________
If it seems to be impossible, just step up your level!
View user's profile Send private message
Javascript
PostPosted: Fri Feb 18, 2005 10:25 am Reply with quote
Zeelock
Active user
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night




There is also a possible XSS issue here:

http://www.site.com/phpBB/index.php/

Like this Phpbb will change the base dir for the template in the javascript URL parameter of many templates.

Code:
function preloadImages() {
if (document.images) {
over_profile = newImage(/*URL*/'templates/Charcoal2/images/profile_on.jpg');
over_faq = newImage(/*URL*/'templates/Charcoal2/images/faq_on.jpg');
over_search = newImage(/*URL*/'templates/Charcoal2/images/search_on.jpg');
over_memberlist = newImage(/*URL*/'templates/Charcoal2/images/memberlist_on.jpg');
over_usergroups = newImage(/*URL*/'templates/Charcoal2/images/usergroups_on.jpg');
over_register = newImage(/*URL*/'templates/Charcoal2/images/register_on.jpg');
over_pms = newImage(/*URL*/'templates/Charcoal2/images/pms_on.jpg');
over_login = newImage(/*URL*/'templates/Charcoal2/images/login_on.jpg');
preloadFlag = true;
}
}

_________________
If it seems to be impossible, just step up your level!
View user's profile Send private message
PostPosted: Fri Feb 18, 2005 4:28 pm Reply with quote
Tomanas
Active user
Active user
Joined: Jan 30, 2005
Posts: 29




it doesn't seem to be exploitable :-]
View user's profile Send private message
Magic Quotes
PostPosted: Fri Feb 18, 2005 6:20 pm Reply with quote
Zeelock
Active user
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night




Tomanas wrote:
it doesn't seem to be exploitable :-]


Yep It deals with the magic quotes and the backslash.


From the manual:

Quote:
When magic_quotes are on, all ' (single-quote), " (double quote), (backslash) and NUL's are escaped with a backslash automatically.

_________________
If it seems to be impossible, just step up your level!
View user's profile Send private message
PostPosted: Fri Feb 18, 2005 7:38 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




mmmmmmmmmmm i like more this http://www.phpbb.com/phpBB/profile.php?mode=viewprofile&u=\()\()\()\()\()\()\()\

private exploit not public for 1 month phpbb.com not like


http://www.phpbb.com/phpBB/profile.php?mode=viewprofile&u=\()\()\()\()\()\()\()\



/home/virtual/phpbb.com/phpBB/ OMG


private xpl not for security focus , securitytracker for 1 month
View user's profile Send private message Visit poster's website
PostPosted: Fri Feb 18, 2005 8:23 pm Reply with quote
damned
Regular user
Regular user
Joined: Feb 18, 2005
Posts: 8




what can i do with this


Tried obtaining data for a non-existent user

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\()\\()\\()\\()\\()\\()\' AND user_id <> -1' at line 3

SELECT * FROM phpbb_users WHERE username = '\\()\\()\\()\\()\\()\\()\' AND user_id <> -1

Line : 109
File : /home/site/public_html/phpBB2/includes/functions.php
View user's profile Send private message
PostPosted: Fri Feb 18, 2005 8:34 pm Reply with quote
Grullanetx
Beginner
Beginner
Joined: Feb 18, 2005
Posts: 2




hi all!

it seems that this is a form to reveal the path of some scripts (path on directory server)...maybe a "revelaed path" Bug in phpBB

But not yet it is possible to inject code..I mean, to execute SQL injection satisfactorily, isn't ?
View user's profile Send private message
PostPosted: Fri Feb 18, 2005 10:59 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




Grullanetx wrote:
hi all!

it seems that this is a form to reveal the path of some scripts (path on directory server)...maybe a "revelaed path" Bug in phpBB

But not yet it is possible to inject code..I mean, to execute SQL injection satisfactorily, isn't ?



yes men is possible inject code and other methods more but not is public Cool
View user's profile Send private message Visit poster's website
These Exploits
PostPosted: Mon Feb 21, 2005 8:53 am Reply with quote
Zeelock
Active user
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night




This kind of stuff is good because it gives information about table prefixes.

In the errors you can acknowlegdge the full name of the table.

There is another issue here:

http://www.site.com/phpBB2/search.php?mode=searchuser

And searching: \\\\\\\\\\\\\\\'

You get:


Could not obtain search results

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\\\\\\\\\\\\\\\\\\\\\\\\' AND user_id <> -1 ORDER BY usern

SELECT username FROM phpbb_users WHERE username LIKE '\\\\\\\\\\\\\\\\\\\\\\\\\' AND user_id <> -1 ORDER BY username

Line : 446

_________________
If it seems to be impossible, just step up your level!
View user's profile Send private message
PostPosted: Mon Feb 21, 2005 1:34 pm Reply with quote
Tomanas
Active user
Active user
Joined: Jan 30, 2005
Posts: 29




yes it's true that you get the table prefix with this. BUT you can't do anything with it...sad...;-] where can we get private exploits? Very Happy
View user's profile Send private message
Unink ()
PostPosted: Wed Feb 23, 2005 8:51 am Reply with quote
Zeelock
Active user
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night




Just for deleting files,

Quote from Idefense:

Quote:
Remote exploitation of an input validation vulnerability in the phpBB
Group's phpBB2 bulletin board system allows attackers to unlink (delete)
arbitrary system files under the privileges of the web server.

phpBB is an open-source web-based bulletin board system written in PHP.
The vulnerability specifically exists due to a combination of several
flaws that allows a remote attacker to control the arguments in a call
to unlink().The first flaw occurs in the avatar gallery, where a user is
permitted to specify part of the directory name for the desired avatar.
Directory traversal modifies (ex: "/../") are not properly filtered out,
allowing a user to break out of the default avatar directory. This issue
is realized in lines 68-71 of usercp_avatar.php:

if (
file_exists(@phpbb_realpath($board_config['avatar_gallery_path']
. '/' . $avatar_filename)) && ($mode == 'editprofile') )
{
$return = ", user_avatar = '" . str_replace("/'", "''",
$avatar_filename) . "', user_avatar_type = " .
USER_AVATAR_GALLERY;
}

Avatar's are then composed with the following code excerpt found in line
90 of usercp_viewprofile.php:

$avatar_img = ( $board_config['allow_avatar_local'] ) ? '<img src="'

. $board_config['avatar_gallery_path'] . '/' .
$profiledata['user_avatar'] . '" alt="" border="0" />' : '';

The abused calls to unlink() are made when an avatar is deleted. There
is a guard around these functions requiring that the target avatar to
unlink exist in the avatar_path. This routine is also vulnerable to a
directory traversal attack. By issuing a large number of "/../"
directory traversal modifiers, an attacker is able to delete arbitrary
system files. The vulnerable segment of code shown here is from lines
473-478 of usercp_register.php:

if ( @file_exists(@phpbb_realpath('./' .
$board_config['avatar_path']
. '/' . $userdata['user_avatar'])) )
{
@unlink(@phpbb_realpath('./' . $board_config['avatar_path'] .
'/'
. $userdata['user_avatar']));
}

An attacker can exploit this vulnerability by modifying the
"avatarselect" return value from the gallery to point to the desired
file to delete. The choice must be submitted twice for the attack to be
successful.

_________________
If it seems to be impossible, just step up your level!
View user's profile Send private message
Vulns in Phpbb 2.0.11
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.063 Seconds