SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!

SecurityTracker
Archives







Category:  Application (Forum/Board/Portal)  >  phpBB
Vendors:  phpBB Group
phpBB Bulletin Board 'Gender Mod' Profile Modification Input Validation Flaw Lets Remote Authenticated Users Gain Administrative Privileges on the Bulletin Board
SecurityTracker Alert ID:  1004869
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 28 2002
Impact:  User access via network
Exploit Included:  Yes  
Version(s): phpBB 2.x with Gender Mod (up to and including Gender Mod 1.1.3)
Description:  A vulnerability was reported in the phpBB bulletin board software. When phpBB 2.x is used with the 'Gender Mod' modification, a remote authenticated user can gain administrative privileges on the forum.

It is reported that Gender Mod (up to and including version 1.1.3) does not validate the posted 'gender' profile field before interpolating it into the SQL UPDATE statement that saves the user's profile. Because the value is placed into the SET clause unquoted and unchecked, a remote authenticated user can append further column assignments to that clause. Submitting a gender value of '0, user_level = 1' sets the user's own user_level column to 1, which is the administrator level in phpBB 2.x, so the user becomes a board administrator.

The following demonstration exploit steps are provided:

1. Save the User Profile (edit profile) page to disk so that it can be modified offline.

2. Set the form's action to the full URL of the profile script, including the current session id (http://forum.victim.com/...):
<FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post encType=multipart/form-data>

3. Modify the HTML form so that the input field "gender" carries a value such as:
<input type=text name=gender value="0, user_level = 1 ">

4. Load the modified page in the same browser window, where the phpBB session cookie is still valid.

Then submit the form to update the profile; the injected assignment is executed as part of the UPDATE statement.
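The injection described in the steps above, as an added example that is not part of the advisory or the reporter's post: a Python model of the profile UPDATE that Gender Mod extends, run against an in-memory SQLite table, showing how the posted 'gender' value rewrites the SET clause and how the intval() change from the reporter's patch stops it. Assumptions: the phpBB 2.x table name phpbb_users and the meaning of user_level 1 (administrator) are real; the user_gender column name and the exact shape of the query are simplifications, and the allowed gender value set {0, 1, 2} is assumed rather than taken from the mod.

```python
"""Added example (not from the advisory or the reporter's post): model the
phpBB 2.x profile UPDATE that Gender Mod extends and show how the posted
'gender' value rewrites the SET clause, and how intval() stops it.
Assumptions: table phpbb_users and user_level 1 = administrator are real
phpBB 2.x names; user_gender and the query shape are simplifications; the
allowed set {0, 1, 2} is assumed, not taken from the mod."""
import re
import sqlite3

ADMIN_LEVEL = 1                 # phpBB 2.x: user_level 0 = user, 1 = admin
ALLOWED_GENDERS = {0, 1, 2}     # assumption: unspecified / male / female
PAYLOAD = "0, user_level = 1 "  # the value from step 3 of the advisory


def php_intval(value):
    """Approximate PHP's intval() on a string: leading integer prefix, else 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def build_update_vulnerable(user_id, gender):
    """Pre-patch behaviour: the POST value is interpolated verbatim."""
    return (f"UPDATE phpbb_users SET user_gender = {gender} "
            f"WHERE user_id = {int(user_id)}")


def build_update_patched(user_id, gender):
    """Behaviour after the reporter's intval() patch: only an integer survives."""
    return (f"UPDATE phpbb_users SET user_gender = {php_intval(gender)} "
            f"WHERE user_id = {int(user_id)}")


def build_update_strict(user_id, gender):
    """Stricter variant (assumed allowed set): the value must be a bare integer
    from ALLOWED_GENDERS, and it is bound as a parameter, not interpolated."""
    g = php_intval(gender)
    if str(gender).strip() != str(g) or g not in ALLOWED_GENDERS:
        raise ValueError(f"invalid gender value: {gender!r}")
    return ("UPDATE phpbb_users SET user_gender = ? WHERE user_id = ?",
            (g, int(user_id)))


def new_forum_db():
    """In-memory stand-in for the phpBB users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, "
                 "username TEXT, user_gender INTEGER, user_level INTEGER)")
    conn.execute("INSERT INTO phpbb_users VALUES (2, 'alice', 0, 0)")
    conn.commit()
    return conn


def run_profile_update(builder, gender, user_id=2):
    """Apply one profile update and return (user_gender, user_level) afterwards."""
    conn = new_forum_db()
    built = builder(user_id, gender)
    sql, params = built if isinstance(built, tuple) else (built, ())
    conn.execute(sql, params)
    conn.commit()
    row = conn.execute("SELECT user_gender, user_level FROM phpbb_users "
                       "WHERE user_id = ?", (user_id,)).fetchone()
    conn.close()
    return row


def is_admin_after(builder, gender):
    """True if the update left the user with the administrator level."""
    try:
        _, level = run_profile_update(builder, gender)
    except ValueError:
        return False
    return level == ADMIN_LEVEL


if __name__ == "__main__":
    print(build_update_vulnerable(2, PAYLOAD))   # SET clause now carries user_level = 1
    print(build_update_patched(2, PAYLOAD))      # payload collapses to user_gender = 0
    for name, b in [("vulnerable", build_update_vulnerable),
                    ("patched", build_update_patched),
                    ("strict", build_update_strict)]:
        print(f"{name:>10}: admin after payload = {is_admin_after(b, PAYLOAD)}")
```

The vulnerable builder reproduces the FIND line of the patch (raw POST value in the query), the patched builder reproduces its REPLACE line, and the strict builder shows why a practitioner would go one step further: intval() alone still accepts any integer, so restricting to the mod's own value set and binding the value as a parameter removes the remaining trust in the client.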

The vendor has reportedly been notified.

Impact:  A remote authenticated user can gain administrative access on the bulletin board.
Solution:  No solution was available at the time of this entry.

The author of the report has provided an unofficial patch (available in the Source Message).

Vendor URL:  www.phpbb.com/mods/downloads/index.php?t=sub_pages&cat=6
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  langtuhaohoa caothuvolam <trungonly@yahoo.com>
Message History:   None.


 Source Message Contents

Date:  27 Jul 2002 14:16:06 -0000
From:  langtuhaohoa caothuvolam <trungonly@yahoo.com>
Subject:  phpBB/gender mod allows get admin privilege, exploit/patch

 



######################################################################### 
## Announcement:  
## Fix for the user privilege change bug in phpBB 2.x
## In phpBB with the official Gender Mod, this vuln allows a normal user
## to set her/himself to become a forum administrator.
##
## Author: PTTrung
## http://hackervn.net (caothuvolam) http://viethacker.net (langtuhaohoa)
## trungonly@yahoo.com
##
## Description:
## Gender Mod is a commonly used modification in official phpBB releases.
## Unchecked posted values can add some SQL fields into the UPDATE sql command.
## This affects the newest version, 1.1.3.
## If you assign the value 'user_level = 1', you will have the ADMINISTRATOR
## PRIVILEGE in the forum.
##
## Exploit:
## 1. Save the User Profile page to your disk to modify it offline.
## 2. Add the correct full post action address (http://forum.victim.com/...):
##   <FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post
##      encType=multipart/form-data>
## 3. Modify the HTML Form so that the input field "gender" has a value like:
##   <input type=text name=gender value="0, user_level = 1 ">
## 4. Load this page in the same browser window where the cookie is still available.
## Take care to hide the traces of your hacking, and finally hit Submit
## to change the user profile. You're done.
##
## Patch:
## File To Patch: 
## forumroot/includes/usercp_register.php
##
## Note.
## The phpBB team has also been emailed about this problem.
## 
######################################################################### 

# Patch
 
#-----[ OPEN ]------------------------------------------ 
# 
    forumroot/includes/usercp_register.php

# 
#-----[ FIND ]------------------------------------------ 
# 

	$gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS
['gender'] : 0;

# 
#-----[ REPLACE AS ]------------------------------------ 
# 

	$gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval
($HTTP_POST_VARS['gender']) : 0;

# 
#-----[ SAVE/CLOSE/UPLOAD THIS FILE ]------------------- 
# 
# EoP 
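Review bot: the intval() wrapper on the REPLACE line closes the reported injection for the 'gender' field, because only a bare integer can now reach the SET clause, but it patches the symptom rather than the query: the UPDATE in usercp_register.php still builds its SET clause by string interpolation, so any other profile field concatenated the same way should be reviewed at the same time rather than assumed safe. Two smaller points: intval() still accepts any integer (including negative or out-of-range values), so consider restricting the result to the values Gender Mod actually defines before it is stored; and since this is an unofficial patch against a third-party mod, confirm that the FIND line matches the installed Gender Mod version exactly (and appears only once in the file) before applying it.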

 



Copyright 2002, SecurityGlobal.net LLC