BugTraq
phpBB Code EXEC (v2.0.10) Nov 13 2004 03:05AM
jessica soules (admin howdark com)


_ _ ______ _

| | | | | _ \ | |

| |_| | _____ __ | | | |__ _ _ __| | __

| _ |/ _ \ \ /\ / / | | | / _` | '__| |/ /

| | | | (_) \ V V / | |/ / (_| | | | <

\_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_http://www.howdark.com

------------------------------------------------------------------------
----------------------------------------------------------

// Information

------------------------------------------------------------------------
----------------------------------------------------------

Author: How Dark

Date: October 1, 2004

URL: http://www.howdark.com

Affected Software: phpBB 2

Software Version: 2.0.* - 2.0.10

Software URL: http://www.phpbb.com

Attack: SQL Injection, allowing people to minipulate the query into pulling data

they should not previously be able too obtain. (Such as passwords)

Arbituary EXEC allows you, if you can get on to a new line, to execute

your own PHP, which can be fatal.

Description: Because of the way urldecode and magic quotes works,

it turns %2527 into %27, which is a single quote, and it

leaves it unslashed. This gives you a SQL Injection, leading

to arbituary PHP exec hole. But because you can't get outside

preg_replace because of magic quotes, this is very very useless.

------------------------------------------------------------------------
----------------------------------------------------------

xxx

------------------------------------------------------------------------
----------------------------------------------------------

// Description

------------------------------------------------------------------------
----------------------------------------------------------

Highlighting %2527 on any topic.

------------------------------------------------------------------------
----------------------------------------------------------

xxx

------------------------------------------------------------------------
----------------------------------------------------------

// URL

------------------------------------------------------------------------
----------------------------------------------------------

viewtopic.php?t=1&highlight=%2527

------------------------------------------------------------------------
----------------------------------------------------------

xxx

------------------------------------------------------------------------
----------------------------------------------------------

// Error

------------------------------------------------------------------------
----------------------------------------------------------

Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1

Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST TEXT HERE<') in viewtopic.php on line 1109

------------------------------------------------------------------------
---------------------------------

xxx

;eof

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus