IT Security and Insecurity Portal

2 new Vulnerabilities 2.0.17

Posted: Mon Oct 31, 2005 8:53 pm by WaterBird (Active user, Joined: May 16, 2005, Posts: 37)
Posted: Mon Oct 31, 2005 11:21 pm by chapinhack (Beginner, Joined: Nov 01, 2005, Posts: 1)

How to operate this bug? Some examples?
Posted: Tue Nov 01, 2005 1:00 am by shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)

Read it properly, chapinhack.

Quote:
    phpBB is prone to multiple unspecified vulnerabilities. Some of these issues result from insufficient sanitization of user-supplied data; however, the causes and impacts of other issues were not specified.
    phpBB 2.0.17 and prior versions are affected by these issues.

    Due to a lack of information, further details cannot be provided at the moment. It is possible that some of these issues were reported prior to the release of this record. This BID will be updated when more information becomes available.

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Tue Nov 01, 2005 6:34 am by g30rg3_x (Active user, Joined: Jan 23, 2005, Posts: 31, Location: OutSide Of The PE)

I think most of these "fixes" are just improvements...
As of now I have just seen some, and they are just for performance; I didn't see them all because it is a large list...

But if I find one, I will make a full description...

Greetings from Mexico

Last edited by g30rg3_x on Tue Nov 01, 2005 3:45 pm; edited 1 time in total
Posted: Tue Nov 01, 2005 7:03 am by shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)

Not just that, but there was a way to bypass the register_globals disabling in the phpBB script.
Posted: Tue Nov 01, 2005 3:43 pm by g30rg3_x (Active user, Joined: Jan 23, 2005, Posts: 31, Location: OutSide Of The PE)

Yeah, but it is still hard to bypass register_globals,
but we can make just a little code for a PoC...

Greetings shai-tan
Posted: Tue Nov 01, 2005 4:49 pm by shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)

Not as hard as you might think.

Quote:
    Bypass Vulnerabilities
    ----------------------

    [1] In PHP5 <= 5.0.5 it is possible to register f.e. the global variable $foobar by supplying a GET/POST/COOKIE variable with the name 'foobar', but also by supplying a GPC variable called 'GLOBALS[foobar]'. If the variable is supplied in that way, the code above will not try to unset $foobar, but $GLOBALS, which completely bypasses the protection.

    [2] When the session extension is not started by a call to session_start(), PHP does not know about the variables $_SESSION or $HTTP_SESSION_VARS, which means it is possible to fill them with any value if register_globals is turned on. Combined with the fact (that was even documented in the phpBB code) that array_merge() will fail in PHP5 when at least one of the parameters is not an array, it is possible for an attacker to simply set HTTP_SESSION_VARS to a string and let the complete protection fail, because $input ends up empty.

    [3] When register_long_arrays is turned off, PHP does not know anymore about all the HTTP_* variables. This means they can be filled with anything that is completely unrelated to the existing global variables. It is obvious that the protection cannot work when this configuration is chosen.

    Additionally to the 3 possible ways to bypass the globals deregistration code, several not properly initialised variables were disclosed to the vendor, that can even lead to remote code execution.

And once you have done so, these are the options you can look at.

Quote:
    Not properly initialised variables
    ----------------------------------

    [1] Within usercp_register.php the variable 'error_msg' is not properly initialised and can therefore be used to inject arbitrary HTML code.

    [2] Within login.php the variable 'forward_page' is not properly initialised and can be used to inject arbitrary HTML code.

    [3] Within search.php the variable 'list_cat' is not properly initialised and can be used to inject arbitrary HTML.

    [4] Within usercp_register.php the variable 'signature_bbcode_uid' is not properly initialised and can be used for SQL injection of arbitrary 'field=xxx' statements into queries operating on the user table, when magic_quotes_gpc is turned off.

    [5] The same variable [4] can be used to inject f.e. the 'e' modifier into the first parameter of a preg_replace() statement, which means that the second parameter is evaluated as PHP code. Because the second parameter is entirely filled with the user supplied signature, it is possible to execute any PHP code. This can be exploited no matter if magic_quotes_gpc is turned on or off; just 2 different code paths need to be triggered.

Glad to see you again g30rg3_x.
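The three bypasses quoted above all hit the same pattern: the script merges the request arrays and unsets every global whose name appears in the merged result. The PHP below is an added example written for this thread, not phpBB's code and not the advisory's: a deregistration routine that closes each gap (a request carrying a GLOBALS key is refused, every source must be an array before anything is merged, and the $_GET/$_POST superglobals are read instead of the HTTP_*_VARS long arrays) and fails closed. It assumes a PHP 5.0-era interpreter with register_globals enabled; the function names, the keep list and the constructed requests in self_check() are this example's own.

```php
<?php
// Added example for this thread, not phpBB's code: register_globals
// "deregistration" hardened against the three bypasses quoted above.
// Assumes a PHP 5.0-era interpreter with register_globals on; all names
// are this example's own. The caller must abort the request on false.

// Request sources. The $_GET/$_POST/... superglobals exist whether or not
// register_long_arrays is on, unlike $HTTP_*_VARS (bypass [3]).
function request_sources()
{
    return array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES,
                 isset($_SESSION) ? $_SESSION : array());
}

// Collect the names of every request-supplied variable, or return false
// when the request is malformed in one of the ways the advisory describes.
function collect_untrusted_names($sources)
{
    $names = array();
    foreach ($sources as $src) {
        // Bypass [2]: with no session started, the session array can be
        // replaced by a string from the request; array_merge() would then
        // fail and leave the merged input empty. Non-arrays are refused.
        if (!is_array($src)) {
            return false;
        }
        // Bypass [1]: a parameter named GLOBALS[foobar] is registered as
        // $GLOBALS['foobar'] while the merged input only shows a 'GLOBALS'
        // key, so the old loop unset the wrong variable. Its presence is
        // treated as a hostile request.
        if (array_key_exists('GLOBALS', $src)) {
            return false;
        }
        foreach (array_keys($src) as $k) {
            $names[$k] = true;
        }
    }
    return array_keys($names);
}

// Unset every global a request could have registered, except the names
// in $keep that the application itself defines before this point.
function deregister_globals($sources, $keep)
{
    $names = collect_untrusted_names($sources);
    if ($names === false) {
        return false;          // fail closed
    }
    foreach ($names as $name) {
        if (!in_array($name, $keep, true)) {
            unset($GLOBALS[$name]);
        }
    }
    return true;
}

// Self-check on constructed requests (sample input, not captured traffic).
function self_check()
{
    $results = array();

    // Benign request: a registered global named like the parameter is removed.
    $GLOBALS['foobar'] = 'poisoned';
    $results[] = deregister_globals(array(array('foobar' => 'poisoned')), array()) === true
                 && !isset($GLOBALS['foobar']);

    // An application variable on the keep list survives.
    $GLOBALS['app_root'] = './';
    $results[] = deregister_globals(array(array('app_root' => 'x')), array('app_root')) === true
                 && $GLOBALS['app_root'] === './';

    // Bypass [1]: GLOBALS[foobar]=x arrives as a nested GLOBALS key.
    $results[] = deregister_globals(array(array('GLOBALS' => array('foobar' => 'x'))), array()) === false;

    // Bypass [2]: the session array replaced by a string.
    $results[] = deregister_globals(array(array('a' => '1'), 'not-an-array'), array()) === false;

    return !in_array(false, $results, true);
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "all checks passed\n" : "a check failed\n";
}
```

In an entry point the call would be deregister_globals(request_sources(), $keep) before any other include, with exit() on false; the point of failing closed is that by the time this code runs PHP has already registered the hostile variables, so the only safe reaction to a malformed request is to stop rather than to continue with a partially cleaned global scope.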
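The "not properly initialised variables" quoted above share one root cause: a variable that is later read into a template, a query or a regex pattern is never assigned on some code path, so with register_globals on a request parameter supplies its value. The PHP below is an added example for this thread, not phpBB's code: a signature handler shaped like the usercp_register.php path the advisory describes, with every output variable initialised up front, the bbcode uid validated against an assumed [a-z0-9]{10} format and passed through preg_quote() before it enters a pattern, and the UPDATE assembled from a fixed column list with values kept out of the SQL text. The function names, the table and column names and the sample requests in self_check() are this example's own.

```php
<?php
// Added example for this thread, not phpBB's code: closing the
// "not properly initialised variable" class quoted above. The
// [a-z0-9]{10} uid format, the table/column names and all function
// names are this example's own assumptions.

// Every value that later reaches a template or a query starts from a
// known state here, so a register_globals request cannot pre-seed it.
function new_signature_state()
{
    return array(
        'error_msg'            => '',
        'signature'            => '',
        'signature_bbcode_uid' => '',
    );
}

function valid_bbcode_uid($value)
{
    return is_string($value) && preg_match('/^[a-z0-9]{10}$/', $value) === 1;
}

// Remove the ":uid" markers from a stored signature. The uid is validated,
// then escaped with preg_quote(), and the pattern carries no modifier, so
// nothing from the request can turn the replacement into code.
function strip_bbcode_uid($signature, $uid)
{
    if (!valid_bbcode_uid($uid)) {
        return $signature;
    }
    return preg_replace('#:' . preg_quote($uid, '#') . '#', '', $signature);
}

// Build an UPDATE as SQL text plus a separate parameter list. Column names
// come from a fixed list and values never enter the SQL string, so a
// request-controlled uid cannot append extra "field=xxx" assignments.
function build_user_update($state, $user_id)
{
    if (!valid_bbcode_uid($state['signature_bbcode_uid'])) {
        return null;
    }
    $columns = array('user_sig', 'user_sig_bbcode_uid');
    $set = array();
    foreach ($columns as $column) {
        $set[] = $column . ' = ?';
    }
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE user_id = ?';
    $params = array($state['signature'], $state['signature_bbcode_uid'], (int) $user_id);
    return array($sql, $params);
}

// Take the request array explicitly instead of relying on registered
// globals; unexpected input becomes an error message, not a raw value.
function handle_signature_request($request)
{
    $state = new_signature_state();
    $state['signature'] = isset($request['signature']) ? (string) $request['signature'] : '';
    $uid = isset($request['signature_bbcode_uid']) ? $request['signature_bbcode_uid'] : '';
    if ($uid !== '' && !valid_bbcode_uid($uid)) {
        $state['error_msg'] = 'invalid bbcode uid';
        return $state;
    }
    $state['signature_bbcode_uid'] = $uid;
    return $state;
}

// Self-check on constructed requests (sample input, not captured traffic).
function self_check()
{
    $good = handle_signature_request(array(
        'signature' => 'hello:abcdef0123', 'signature_bbcode_uid' => 'abcdef0123'));
    $bad = handle_signature_request(array(
        'signature' => 'x', 'signature_bbcode_uid' => 'abc#e'));
    $update = build_user_update($good, 7);

    return $good['error_msg'] === ''
        && strip_bbcode_uid($good['signature'], $good['signature_bbcode_uid']) === 'hello'
        && $bad['error_msg'] !== ''
        && build_user_update($bad, 7) === null
        && $update[0] === 'UPDATE users SET user_sig = ?, user_sig_bbcode_uid = ? WHERE user_id = ?'
        && $update[1] === array('hello:abcdef0123', 'abcdef0123', 7);
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "all checks passed\n" : "a check failed\n";
}
```

The malformed uid in self_check() is rejected by the format check alone, which is the property that matters: because the value can never contain a delimiter, a modifier or SQL syntax, neither the regex path nor the query path depends on magic_quotes_gpc being on, which is exactly the dependency item [5] of the advisory points out.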
Posted: Tue Nov 01, 2005 7:49 pm by Tomanas (Active user, Joined: Jan 30, 2005, Posts: 29)

OK, I read the whole document and I still don't know how to exploit that bug.
Posted: Wed Nov 02, 2005 1:15 am by g30rg3_x (Active user, Joined: Jan 23, 2005, Posts: 31, Location: OutSide Of The PE)

Thank you shai-tan...
With this I think I can make a little PoC.

Greetings

Last edited by g30rg3_x on Thu Nov 03, 2005 2:50 pm; edited 1 time in total
Posted: Wed Nov 02, 2005 2:17 am by shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)
Posted: Wed Nov 02, 2005 10:44 pm by WaterBird (Active user, Joined: May 16, 2005, Posts: 37)

As always, waiting for an exploit.
Posted: Thu Nov 03, 2005 12:48 am by shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)

Best and most satisfying is learning how to make them yourself. And then making them.

Shai-tan
Posted: Thu Nov 03, 2005 2:48 am by WaterBird (Active user, Joined: May 16, 2005, Posts: 37)

shai-tan wrote:
    Best and most satisfying is learning how to make them yourself. And then making them.

    Shai-tan

Don't have much time to do that.
Work etc :} Maybe some day :]
Posted: Thu Nov 03, 2005 3:07 am by shai-tan (Valuable expert, Joined: Feb 22, 2005, Posts: 477)

lolz it seems time is everyone's reason! lolz
Posted: Thu Nov 03, 2005 2:49 pm by g30rg3_x (Active user, Joined: Jan 23, 2005, Posts: 31, Location: OutSide Of The PE)

Like everybody, I don't really have much time...
but I'm researching for an exploit, or as it is well known in IT Security, a Proof-Of-Concept; obviously I don't have enough time to do that rapidly...
So, like shai-tan says, it's very satisfying learning how to make it yourself, rather than just waiting for a new exploit/PoC and using it to be just another "deface kiddie or script kiddie"...

Greetings from Mexico shai-tan && waterbird
www.waraxe.us Forum Index -> PhpBB

All times are GMT. Page 1 of 2
 