 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Fri Aug 19, 2005 5:08 pm |
 |
|
| Easyex |
| Regular user |
 |
|
| Joined: Aug 19, 2005 |
| Posts: 6 |
|
|
|
 |
|
 |
|
It's not a major issue like PHP-Fusions was
PHP-Fusion was affected badly because you can use index.php and load a header of an admin function and it would automaticly load and execute the function
With PhpBB you can only do minior things like enter a header to the phpbb's forum logout, then post it and anyone who views the post would get logged out pointless stuff like that but to PhpBB it's an issue. |
|
|
|
|
|
 |
|
 |
| Posted: Fri Aug 19, 2005 5:34 pm |
|
|
| Heintz |
| Valuable expert |
 |
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
you are both just mis-understanding each other here.
both of you are right. but as they say in my land : "one speaks of garden and other speaks of the hole in garden"  . see this all comes down to what browser does. i have studied this myself too long time ago. the result of putting [img]login.php?action=logout[/img] tags is same as you would "lure" the admin to login.php?action=logout - but img tags "lure" the browser to do it in a hidden way. browser does the request and expects a image but the code behind login.php?action=logout wont give a image but it does destroy the cookie, and effect is still there. its somewhat pointless example. but here is a question of balancing GET and POST in phpbb. there is no "your" code execution on server side. (if you make a fake image with php code in it, only way you could get that code executing on target is on chanse that if you let the "avatar" system of phpbb download the image and you manage to guess the name of image and target server parses image extensions as php, but heck what are odds to that ever happening ??  ) shai-tan has misunderstood here something, hes stuff dont work as i explained. anyway stop flaming each other, this is childish, and wont get nobody nowhere.
this all gave me a interesting idea in using XSS, i'll make a small thread about it soon, stay tuned  |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
| Posted: Fri Aug 19, 2005 6:04 pm |
|
|
| lunix |
| Regular user |
 |
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
phpbb aready blocks direct php images though.
So anything like login.php?action=logout would not get parsed and would just dispay the link within the img tags.
like when people link to scripts that get the image
[img]http://somesite.com/script.php?select=animage.jpg[/img] |
|
|
|
|
| Posted: Fri Aug 19, 2005 6:30 pm |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
i made a small test and set my apache up so that it parses .PNG extensions as php.. so i could enter
[img]myserver/picture.PNG[/img] this bypasses phpbb. now what really is done is that picture.PNG sends HTTP/1.x 303 and Location: myserver/login.php?logout=true&sid=dang
and well it worked.  , i was logged out after viewing a thread. |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
| Posted: Fri Aug 19, 2005 6:36 pm |
|
|
| lunix |
| Regular user |
|
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Fri Aug 19, 2005 6:50 pm |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
Waraxe wouldnt probably be too glad about it. and i wouldnt be able to delete my post afterwoods comfortably. so i PM-ed you it.
tell here if it worked. if it didnt try other browsers. i used firefox. |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
| Posted: Fri Aug 19, 2005 9:30 pm |
|
|
| lunix |
| Regular user |
|
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
yeah that is interesting, Looks like it worked on ie and ff for me.
Theoreticaly that would work on any forum and there is no possability of creating a patch. 
im gonna investigate this a little. good find |
|
|
|
|
| Posted: Sat Aug 20, 2005 12:05 am |
|
|
| katz |
| Beginner |
|
|
| Joined: Oct 09, 2004 |
| Posts: 2 |
|
|
|
|
|
|
|
| lunix wrote: | | Theoreticaly that would work on any forum and there is no possability of creating a patch. |
It would take php's GD module to confirm the content is actually a picture.
Not a hard thing to do but the harder part is making all the admins reconfigure their servers to use it  |
|
|
|
|
|
|
|
|
| Posted: Sat Aug 20, 2005 1:06 am |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
| yes OR, signatures etc. are parsed so that for each image tag a request is made, if no picture is received (lenght 0), from the originating url (no redirects are followed) - discarded, otherwise put image into database and then replaceing the original image urls with a signature_image.php?id=33&user=blah and then a apropriate image is given from server side. but heh it requires much work, parsing and so with high probability many would implement it wrong and would create more security holes |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
| Posted: Sat Aug 20, 2005 7:14 am |
|
|
| subzero |
| Valuable expert |
 |
|
| Joined: Mar 16, 2005 |
| Posts: 42 |
|
|
|
|
|
|
|
nice discussion over here.
first of all,no need to fight or flaming just because of small thing.
releasing poc for it,for those dont believe it. try it out
make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.
example http://sitewithcode/signature.jpg
inside that folder .. put this code ..
and rename it to index file.
this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work . |
|
|
|
|
|
|
|
|
| Posted: Sat Aug 20, 2005 6:05 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
wow... long time no see .. we have a long long conversation here..
thx heintz for clear it up
anyway , i prefer for dissabling BBCode in the first i implement the forum ( ihave two forum running phpbb) coz i think it will bring many dissaster (proof it rait)
, ok if u said its bad n uncomfort, but anyway security always in the opposite with comfortness
dont know if waraxe are watching this topic *_^ |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Aug 20, 2005 9:40 pm |
|
|
| lunix |
| Regular user |
|
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
so far this has worked on every forum and every browser i have tested it on.
There is also a couple of other interesting possabilities we are testing out. |
|
|
|
|
| Posted: Sun Aug 21, 2005 2:47 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
yeah, no doubt about it , i think it will work in any forum that allow BBcode execution , specially with [img] and [url] (at least they made a manual change to it and some sanity to check it)
|
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sun Aug 21, 2005 4:18 am |
|
|
| Vipsta |
| Beginner |
|
|
| Joined: Jan 12, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
| What about using the same vulnerability to make a user an administrator? Or atleast something more interesting then "Logout". |
|
|
|
|
| Posted: Sun Aug 21, 2005 6:32 am |
|
|
| subzero |
| Valuable expert |
|
|
| Joined: Mar 16, 2005 |
| Posts: 42 |
|
|
|
|
|
|
|
mm accesing script to add user as admin in /admin/ folder would ask admin to re-authenticate him/herself
hard to access /admin/ folder now.
but you can delete specific posting then,
whenever an admin view the thread.
hehe maybe someone out there know how to bypass it . |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 5
Goto page Previous1, 2, 3, 4, 5Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 161
Members: 0
Total: 161
