SecurityTracker.com
Category:  Application (Generic)  >  phpBB
Vendors:  phpBB Group
phpBB Bulletin Board bb_profile.php Bug Lets Remote Users Obtain Administrative Access to the Bulletin Board
Date:  Aug 8 2001 23:21 (UTC/GMT)
Impact:  User access via network
Exploit Included:  Yes  
Version(s): 1.4.1, possibly earlier versions
Description:  Another input validation vulnerability has been reported in phpBB bulletin board. Remote users can exploit this bug to gain administrative access to the board.

The vulnerability is reportedly the same type of problem as was recently reported with the prefs.php module. The bug reportedly resides in the bb_profile.php module.

A remote but registered user can open bb_profile.php and modify the HTML form's action attribute and the 'viewemail' checkbox, changing the checkbox to a text field with the contents "1', user_level='4". By submitting this modified form, the remote user can gain administrative access on the bulletin board.

Impact:  A remote user that is a registered user on the bulletin board can obtain administrator access on the bulletin board.
Solution:  No vendor solution was available at the time of this entry. The author of the report has provided the following fix:

add "$viewemail = (ereg("^[0-1]+$", $viewemail)) ? $viewemail : '0';" before the mysql update procedure

Vendor URL:  www.phpbb.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "David Danier" <golk@gmx.net>
Message History:   None.
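
The flaw and the fix described above, modelled as an added example (Python with an in-memory SQLite table, not phpBB's code and not from the reporter). It sets the concatenated UPDATE beside the reporter's check and a stricter bound-parameter version; the table layout and the column names user_id and user_viewemail are assumptions, only user_level and the 'viewemail' value come from the advisory.

```python
import re
import sqlite3

PAYLOAD = "1', user_level='4"  # the 'viewemail' value quoted in the advisory

def make_db():
    # Constructed one-row table; only user_level is named on the page,
    # user_id and user_viewemail are assumed column names.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY,"
               " user_viewemail TEXT, user_level TEXT)")
    db.execute("INSERT INTO users VALUES (1, '0', '1')")
    return db

def update_concat(db, user_id, viewemail):
    # Vulnerable pattern: the form value is pasted between quotes, so a
    # quote inside it ends the literal and the rest is parsed as SQL.
    db.execute("UPDATE users SET user_viewemail='" + viewemail +
               "' WHERE user_id=" + str(int(user_id)))

def update_reporter_fix(db, user_id, viewemail):
    # Model of the reporter's check (^[0-1]+$), then the same concatenation.
    if not re.fullmatch(r"[0-1]+", viewemail):
        viewemail = "0"
    update_concat(db, user_id, viewemail)

def update_hardened(db, user_id, viewemail):
    # A checkbox is exactly "0" or "1"; anything else becomes "0", and the
    # value is bound as a parameter instead of being spliced into the text.
    if viewemail not in ("0", "1"):
        viewemail = "0"
    db.execute("UPDATE users SET user_viewemail=? WHERE user_id=?",
               (viewemail, int(user_id)))

def state_after(update, viewemail):
    # Returns (user_viewemail, user_level) for user 1 after one update.
    db = make_db()
    update(db, 1, viewemail)
    return db.execute("SELECT user_viewemail, user_level FROM users"
                      " WHERE user_id=1").fetchone()

if __name__ == "__main__":
    for fn in (update_concat, update_reporter_fix, update_hardened):
        for value in ("1", PAYLOAD, "0101"):
            print(fn.__name__, repr(value), state_after(fn, value))
```

The reporter's pattern rejects the quoted value but still stores strings such as "0101"; the exact-match check with a bound parameter rejects both.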


 Source Message Contents

Date:  Wed, 08 Aug 2001 18:35:37 -0400
From:  "David Danier" <golk@gmx.net>
Subject:  phpbb 1.4.0/1.4.1 second big bug, like the prefs.php bug!

 


you know that security bug in phpBB with the prefs.php?
fixed with version 1.4.1 i think ;)
BUT!: the same(nearly) bug is within bb_profile.php!!!

description:
open bb_profile as a registered member in your browser --> save it --> open it in your editor(notepad) --> change the form action to the right address --> change the checkbox "viewemail" to a textfield (type="text") --> open the file in your browser --> type that in the viewemail textfield: 1', user_level='4 --> submit the form --> you are an admin!!

simple but it works!
to fix this bug simply add "$viewemail = (ereg("^[0-1]+$", $viewemail)) ? $viewemail : '0';" before the mysql update procedure

(tested it on 2 1.4.1 boards, works on both)


 



Copyright 2001, SecurityGlobal.net LLC