 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 72
 Members: 0
 Total: 72
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Vulns in Phpbb 2.0.11 |
|
 Posted: Fri Feb 18, 2005 10:24 am |
 |
|
| Zeelock |
| Active user |
 |
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
 |
|
 |
|
Possible Sql Injection (By Jtm297):
http://www.site.com/phpBB2/index.php/search.php/?search_author=\*\*\*\*\*\*\*\*\*\
Here Will happen the following error:
| Code: | Couldn't obtain list of matching users (searching for: \\%\\%\\%\\%\\%\\%\\%\\%\)
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\%\\%\\%\\%\\%\\%\\%\\%\'' at line 3
SELECT user_id FROM phpbb_users WHERE username LIKE '\\%\\%\\%\\%\\%\\%\\%\\%\'
Line : 207
File : /web/htdocs/www.f-g.it/home/lugb/phpBB2/search.php |
Due to Trim and strreplace functions in the following code:
| Code: | $search_author = str_replace('*', '%', trim($search_author));
$sql = "SELECT user_id
FROM " . USERS_TABLE . "
WHERE username LIKE '" . str_replace("\'", "''", $search_author) . "'";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching for: $search_author)", "", __LINE__, __FILE__, $sql);
} |
Poklyezz says that this issue is due to the "/" passed after that the 26th character is truncated.
It seems to be not exploitable.[/b] |
|
Last edited by Zeelock on Fri Feb 18, 2005 11:47 am; edited 1 time in total
_________________
If it seems to be impossible, just step up your level! |
|
|
|
|
|
Javascript |
|
| Posted: Fri Feb 18, 2005 10:25 am |
|
|
| Zeelock |
| Active user |
|
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
There is also a possible XSS issue here:
http://www.site.com/phpBB/index.php/
Like this Phpbb will change the base dir for the template in the javascript URL parameter of many templates.
| Code: | function preloadImages() {
if (document.images) {
over_profile = newImage(/*URL*/'templates/Charcoal2/images/profile_on.jpg');
over_faq = newImage(/*URL*/'templates/Charcoal2/images/faq_on.jpg');
over_search = newImage(/*URL*/'templates/Charcoal2/images/search_on.jpg');
over_memberlist = newImage(/*URL*/'templates/Charcoal2/images/memberlist_on.jpg');
over_usergroups = newImage(/*URL*/'templates/Charcoal2/images/usergroups_on.jpg');
over_register = newImage(/*URL*/'templates/Charcoal2/images/register_on.jpg');
over_pms = newImage(/*URL*/'templates/Charcoal2/images/pms_on.jpg');
over_login = newImage(/*URL*/'templates/Charcoal2/images/login_on.jpg');
preloadFlag = true;
}
} |
|
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
|
|
|
|
| Posted: Fri Feb 18, 2005 4:28 pm |
|
|
| Tomanas |
| Active user |
 |
|
| Joined: Jan 30, 2005 |
| Posts: 29 |
|
|
|
|
|
|
|
| it doesn't seem to be exploitable :-] |
|
|
|
|
|
Magic Quotes |
|
| Posted: Fri Feb 18, 2005 6:20 pm |
|
|
| Zeelock |
| Active user |
|
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
| Tomanas wrote: | | it doesn't seem to be exploitable :-] |
Yep It deals with the magic quotes and the backslash.
From the manual:
| Quote: | | When magic_quotes are on, all ' (single-quote), " (double quote), (backslash) and NUL's are escaped with a backslash automatically. |
|
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
| Posted: Fri Feb 18, 2005 7:38 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
|
|
|
|
| Posted: Fri Feb 18, 2005 8:23 pm |
|
|
| damned |
| Regular user |
 |
|
| Joined: Feb 18, 2005 |
| Posts: 8 |
|
|
|
|
|
|
|
what can i do with this
Tried obtaining data for a non-existent user
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\()\\()\\()\\()\\()\\()\' AND user_id <> -1' at line 3
SELECT * FROM phpbb_users WHERE username = '\\()\\()\\()\\()\\()\\()\' AND user_id <> -1
Line : 109
File : /home/site/public_html/phpBB2/includes/functions.php |
|
|
|
|
| Posted: Fri Feb 18, 2005 8:34 pm |
|
|
| Grullanetx |
| Beginner |
|
|
| Joined: Feb 18, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
hi all!
it seems that this is a form to reveal the path of some scripts (path on directory server)...maybe a "revelaed path" Bug in phpBB
But not yet it is possible to inject code..I mean, to execute SQL injection satisfactorily, isn't ? |
|
|
|
|
| Posted: Fri Feb 18, 2005 10:59 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| Grullanetx wrote: | hi all!
it seems that this is a form to reveal the path of some scripts (path on directory server)...maybe a "revelaed path" Bug in phpBB
But not yet it is possible to inject code..I mean, to execute SQL injection satisfactorily, isn't ? |
yes men is possible inject code and other methods more but not is public  |
|
|
|
|
|
These Exploits |
|
| Posted: Mon Feb 21, 2005 8:53 am |
|
|
| Zeelock |
| Active user |
|
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
This kind of stuff is good because it gives information about table prefixes.
In the errors you can acknowlegdge the full name of the table.
There is another issue here:
http://www.site.com/phpBB2/search.php?mode=searchuser
And searching: \\\\\\\\\\\\\\\'
You get:
Could not obtain search results
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\\\\\\\\\\\\\\\\\\\\\\\\' AND user_id <> -1 ORDER BY usern
SELECT username FROM phpbb_users WHERE username LIKE '\\\\\\\\\\\\\\\\\\\\\\\\\' AND user_id <> -1 ORDER BY username
Line : 446 |
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
|
|
|
|
| Posted: Mon Feb 21, 2005 1:34 pm |
|
|
| Tomanas |
| Active user |
|
|
| Joined: Jan 30, 2005 |
| Posts: 29 |
|
|
|
|
|
|
|
yes it's true that you get the table prefix with this. BUT you can't do anything with it...sad...;-] where can we get private exploits?  |
|
|
|
|
|
Unink () |
|
| Posted: Wed Feb 23, 2005 8:51 am |
|
|
| Zeelock |
| Active user |
|
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
Just for deleting files,
Quote from Idefense:
| Quote: | Remote exploitation of an input validation vulnerability in the phpBB
Group's phpBB2 bulletin board system allows attackers to unlink (delete)
arbitrary system files under the privileges of the web server.
phpBB is an open-source web-based bulletin board system written in PHP.
The vulnerability specifically exists due to a combination of several
flaws that allows a remote attacker to control the arguments in a call
to unlink().The first flaw occurs in the avatar gallery, where a user is
permitted to specify part of the directory name for the desired avatar.
Directory traversal modifies (ex: "/../") are not properly filtered out,
allowing a user to break out of the default avatar directory. This issue
is realized in lines 68-71 of usercp_avatar.php:
if (
file_exists(@phpbb_realpath($board_config['avatar_gallery_path']
. '/' . $avatar_filename)) && ($mode == 'editprofile') )
{
$return = ", user_avatar = '" . str_replace("/'", "''",
$avatar_filename) . "', user_avatar_type = " .
USER_AVATAR_GALLERY;
}
Avatar's are then composed with the following code excerpt found in line
90 of usercp_viewprofile.php:
$avatar_img = ( $board_config['allow_avatar_local'] ) ? '<img src="'
. $board_config['avatar_gallery_path'] . '/' .
$profiledata['user_avatar'] . '" alt="" border="0" />' : '';
The abused calls to unlink() are made when an avatar is deleted. There
is a guard around these functions requiring that the target avatar to
unlink exist in the avatar_path. This routine is also vulnerable to a
directory traversal attack. By issuing a large number of "/../"
directory traversal modifiers, an attacker is able to delete arbitrary
system files. The vulnerable segment of code shown here is from lines
473-478 of usercp_register.php:
if ( @file_exists(@phpbb_realpath('./' .
$board_config['avatar_path']
. '/' . $userdata['user_avatar'])) )
{
@unlink(@phpbb_realpath('./' . $board_config['avatar_path'] .
'/'
. $userdata['user_avatar']));
}
An attacker can exploit this vulnerability by modifying the
"avatarselect" return value from the gallery to point to the desired
file to delete. The choice must be submitted twice for the attack to be
successful. |
|
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
