Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 29, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 626
Members: 0
Total: 626
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.17 and most likely below Goto page Previous  1, 2, 3, 4, 5  Next
Post new topic  Reply to topic View previous topic :: View next topic 
PostPosted: Fri Aug 19, 2005 5:08 pm Reply with quote
Easyex
Regular user
Regular user
 
Joined: Aug 19, 2005
Posts: 6




It's not a major issue like PHP-Fusions was

PHP-Fusion was affected badly because you can use index.php and load a header of an admin function and it would automaticly load and execute the function

With PhpBB you can only do minior things like enter a header to the phpbb's forum logout, then post it and anyone who views the post would get logged out pointless stuff like that but to PhpBB it's an issue.
View user's profile Send private message
PostPosted: Fri Aug 19, 2005 5:34 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




you are both just mis-understanding each other here.
both of you are right. but as they say in my land : "one speaks of garden and other speaks of the hole in garden" Very Happy. see this all comes down to what browser does. i have studied this myself too long time ago. the result of putting [img]login.php?action=logout[/img] tags is same as you would "lure" the admin to login.php?action=logout - but img tags "lure" the browser to do it in a hidden way. browser does the request and expects a image but the code behind login.php?action=logout wont give a image but it does destroy the cookie, and effect is still there. its somewhat pointless example. but here is a question of balancing GET and POST in phpbb. there is no "your" code execution on server side. (if you make a fake image with php code in it, only way you could get that code executing on target is on chanse that if you let the "avatar" system of phpbb download the image and you manage to guess the name of image and target server parses image extensions as php, but heck what are odds to that ever happening ?? Laughing) shai-tan has misunderstood here something, hes stuff dont work as i explained. anyway stop flaming each other, this is childish, and wont get nobody nowhere.

this all gave me a interesting idea in using XSS, i'll make a small thread about it soon, stay tuned Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Aug 19, 2005 6:04 pm Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




phpbb aready blocks direct php images though.
So anything like login.php?action=logout would not get parsed and would just dispay the link within the img tags.

like when people link to scripts that get the image
[img]http://somesite.com/script.php?select=animage.jpg[/img]
View user's profile Send private message Visit poster's website
PostPosted: Fri Aug 19, 2005 6:30 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




i made a small test and set my apache up so that it parses .PNG extensions as php.. so i could enter
[img]myserver/picture.PNG[/img] this bypasses phpbb. now what really is done is that picture.PNG sends HTTP/1.x 303 and Location: myserver/login.php?logout=true&sid=dang

and well it worked. Razz, i was logged out after viewing a thread.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Aug 19, 2005 6:36 pm Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




post it.
View user's profile Send private message Visit poster's website
PostPosted: Fri Aug 19, 2005 6:50 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




lunix wrote:
post it.


Waraxe wouldnt probably be too glad about it. and i wouldnt be able to delete my post afterwoods comfortably. so i PM-ed you it.
tell here if it worked. if it didnt try other browsers. i used firefox.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Aug 19, 2005 9:30 pm Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




yeah that is interesting, Looks like it worked on ie and ff for me.

Theoreticaly that would work on any forum and there is no possability of creating a patch. Shocked

im gonna investigate this a little. good find Very Happy
View user's profile Send private message Visit poster's website
PostPosted: Sat Aug 20, 2005 12:05 am Reply with quote
katz
Beginner
Beginner
 
Joined: Oct 09, 2004
Posts: 2




lunix wrote:
Theoreticaly that would work on any forum and there is no possability of creating a patch. Shocked

It would take php's GD module to confirm the content is actually a picture.
Not a hard thing to do but the harder part is making all the admins reconfigure their servers to use it Wink
View user's profile Send private message
PostPosted: Sat Aug 20, 2005 1:06 am Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




yes OR, signatures etc. are parsed so that for each image tag a request is made, if no picture is received (lenght 0), from the originating url (no redirects are followed) - discarded, otherwise put image into database and then replaceing the original image urls with a signature_image.php?id=33&user=blah and then a apropriate image is given from server side. but heh it requires much work, parsing and so with high probability many would implement it wrong and would create more security holes Laughing

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sat Aug 20, 2005 7:14 am Reply with quote
subzero
Valuable expert
Valuable expert
 
Joined: Mar 16, 2005
Posts: 42




nice discussion over here.
first of all,no need to fight or flaming just because of small thing.

releasing poc for it,for those dont believe it. try it out

make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.

example http://sitewithcode/signature.jpg

inside that folder .. put this code ..
and rename it to index file.

Quote:
<?php
header("Location: http://exploit.host/phpBB/login.php?logout=true");
exit;
?>


this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work .Wink
View user's profile Send private message Visit poster's website
PostPosted: Sat Aug 20, 2005 6:05 pm Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




wow... long time no see .. we have a long long conversation here..

thx heintz for clear it up Laughing

anyway , i prefer for dissabling BBCode in the first i implement the forum ( ihave two forum running phpbb) coz i think it will bring many dissaster (proof it rait)
, ok if u said its bad n uncomfort, but anyway security always in the opposite with comfortness Laughing

dont know if waraxe are watching this topic *_^

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Aug 20, 2005 9:40 pm Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




so far this has worked on every forum and every browser i have tested it on.

There is also a couple of other interesting possabilities we are testing out.
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 2:47 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




yeah, no doubt about it , i think it will work in any forum that allow BBcode execution , specially with [img] and [url] (at least they made a manual change to it and some sanity to check it)
Wink

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Aug 21, 2005 4:18 am Reply with quote
Vipsta
Beginner
Beginner
 
Joined: Jan 12, 2005
Posts: 2




What about using the same vulnerability to make a user an administrator? Or atleast something more interesting then "Logout".
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 6:32 am Reply with quote
subzero
Valuable expert
Valuable expert
 
Joined: Mar 16, 2005
Posts: 42




mm accesing script to add user as admin in /admin/ folder would ask admin to re-authenticate him/herself

hard to access /admin/ folder now.
but you can delete specific posting then,
whenever an admin view the thread.

hehe maybe someone out there know how to bypass it .
View user's profile Send private message Visit poster's website
phpBB 2.0.17 and most likely below
  www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 2 of 5  
Goto page Previous  1, 2, 3, 4, 5  Next
  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.151 Seconds