Waraxe IT Security Portal
Login or Register
November 24, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 64
Members: 0
Total: 64
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.17 and most likely below Goto page Previous1, 2, 3, 4, 5Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Fri Aug 19, 2005 5:08 pm Reply with quote
Easyex
Regular user
Regular user
Joined: Aug 19, 2005
Posts: 6




It's not a major issue like PHP-Fusions was

PHP-Fusion was affected badly because you can use index.php and load a header of an admin function and it would automaticly load and execute the function

With PhpBB you can only do minior things like enter a header to the phpbb's forum logout, then post it and anyone who views the post would get logged out pointless stuff like that but to PhpBB it's an issue.
View user's profile Send private message
PostPosted: Fri Aug 19, 2005 5:34 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




you are both just mis-understanding each other here.
both of you are right. but as they say in my land : "one speaks of garden and other speaks of the hole in garden" Very Happy. see this all comes down to what browser does. i have studied this myself too long time ago. the result of putting [img]login.php?action=logout[/img] tags is same as you would "lure" the admin to login.php?action=logout - but img tags "lure" the browser to do it in a hidden way. browser does the request and expects a image but the code behind login.php?action=logout wont give a image but it does destroy the cookie, and effect is still there. its somewhat pointless example. but here is a question of balancing GET and POST in phpbb. there is no "your" code execution on server side. (if you make a fake image with php code in it, only way you could get that code executing on target is on chanse that if you let the "avatar" system of phpbb download the image and you manage to guess the name of image and target server parses image extensions as php, but heck what are odds to that ever happening ?? Laughing) shai-tan has misunderstood here something, hes stuff dont work as i explained. anyway stop flaming each other, this is childish, and wont get nobody nowhere.

this all gave me a interesting idea in using XSS, i'll make a small thread about it soon, stay tuned Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Aug 19, 2005 6:04 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




phpbb aready blocks direct php images though.
So anything like login.php?action=logout would not get parsed and would just dispay the link within the img tags.

like when people link to scripts that get the image
[img]http://somesite.com/script.php?select=animage.jpg[/img]
View user's profile Send private message Visit poster's website
PostPosted: Fri Aug 19, 2005 6:30 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




i made a small test and set my apache up so that it parses .PNG extensions as php.. so i could enter
[img]myserver/picture.PNG[/img] this bypasses phpbb. now what really is done is that picture.PNG sends HTTP/1.x 303 and Location: myserver/login.php?logout=true&sid=dang

and well it worked. Razz, i was logged out after viewing a thread.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Aug 19, 2005 6:36 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




post it.
View user's profile Send private message Visit poster's website
PostPosted: Fri Aug 19, 2005 6:50 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




lunix wrote:
post it.


Waraxe wouldnt probably be too glad about it. and i wouldnt be able to delete my post afterwoods comfortably. so i PM-ed you it.
tell here if it worked. if it didnt try other browsers. i used firefox.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Aug 19, 2005 9:30 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




yeah that is interesting, Looks like it worked on ie and ff for me.

Theoreticaly that would work on any forum and there is no possability of creating a patch. Shocked

im gonna investigate this a little. good find Very Happy
View user's profile Send private message Visit poster's website
PostPosted: Sat Aug 20, 2005 12:05 am Reply with quote
katz
Beginner
Beginner
Joined: Oct 09, 2004
Posts: 2




lunix wrote:
Theoreticaly that would work on any forum and there is no possability of creating a patch. Shocked

It would take php's GD module to confirm the content is actually a picture.
Not a hard thing to do but the harder part is making all the admins reconfigure their servers to use it Wink
View user's profile Send private message
PostPosted: Sat Aug 20, 2005 1:06 am Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




yes OR, signatures etc. are parsed so that for each image tag a request is made, if no picture is received (lenght 0), from the originating url (no redirects are followed) - discarded, otherwise put image into database and then replaceing the original image urls with a signature_image.php?id=33&user=blah and then a apropriate image is given from server side. but heh it requires much work, parsing and so with high probability many would implement it wrong and would create more security holes Laughing

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sat Aug 20, 2005 7:14 am Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




nice discussion over here.
first of all,no need to fight or flaming just because of small thing.

releasing poc for it,for those dont believe it. try it out

make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.

example http://sitewithcode/signature.jpg

inside that folder .. put this code ..
and rename it to index file.

Quote:
<?php
header("Location: http://exploit.host/phpBB/login.php?logout=true");
exit;
?>


this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work .Wink
View user's profile Send private message Visit poster's website
PostPosted: Sat Aug 20, 2005 6:05 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




wow... long time no see .. we have a long long conversation here..

thx heintz for clear it up Laughing

anyway , i prefer for dissabling BBCode in the first i implement the forum ( ihave two forum running phpbb) coz i think it will bring many dissaster (proof it rait)
, ok if u said its bad n uncomfort, but anyway security always in the opposite with comfortness Laughing

dont know if waraxe are watching this topic *_^

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Aug 20, 2005 9:40 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




so far this has worked on every forum and every browser i have tested it on.

There is also a couple of other interesting possabilities we are testing out.
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 2:47 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




yeah, no doubt about it , i think it will work in any forum that allow BBcode execution , specially with [img] and [url] (at least they made a manual change to it and some sanity to check it)
Wink

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Aug 21, 2005 4:18 am Reply with quote
Vipsta
Beginner
Beginner
Joined: Jan 12, 2005
Posts: 2




What about using the same vulnerability to make a user an administrator? Or atleast something more interesting then "Logout".
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 6:32 am Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




mm accesing script to add user as admin in /admin/ folder would ask admin to re-authenticate him/herself

hard to access /admin/ folder now.
but you can delete specific posting then,
whenever an admin view the thread.

hehe maybe someone out there know how to bypass it .
View user's profile Send private message Visit poster's website
phpBB 2.0.17 and most likely below
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 2 of 5
Goto page Previous1, 2, 3, 4, 5Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.044 Seconds