Waraxe IT Security Portal  
www.waraxe.us Forum Index -> PhpBB -> Vulns in Phpbb 2.0.11
Vulns in Phpbb 2.0.11
Posted: Fri Feb 18, 2005 10:24 am
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

Possible Sql Injection (By Jtm297):

http://www.site.com/phpBB2/index.php/search.php/?search_author=\*\*\*\*\*\*\*\*\*\

The following error will occur:


Code:
Couldn't obtain list of matching users (searching for: \\%\\%\\%\\%\\%\\%\\%\\%\)

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\%\\%\\%\\%\\%\\%\\%\\%\'' at line 3

SELECT user_id FROM phpbb_users WHERE username LIKE '\\%\\%\\%\\%\\%\\%\\%\\%\'

Line : 207
File : /web/htdocs/www.f-g.it/home/lugb/phpBB2/search.php


Due to the trim and str_replace functions in the following code:

Code:
$search_author = str_replace('*', '%', trim($search_author));

$sql = "SELECT user_id
    FROM " . USERS_TABLE . "
    WHERE username LIKE '" . str_replace("\'", "''", $search_author) . "'";
if ( !($result = $db->sql_query($sql)) )
{
    message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching for: $search_author)", "", __LINE__, __FILE__, $sql);
}


Poklyezz says that this issue is due to the "/" passed, after which the 26th character is truncated.

It seems not to be exploitable.


Last edited by Zeelock on Fri Feb 18, 2005 11:47 am; edited 1 time in total

_________________
If it seems to be impossible, just step up your level!
Javascript
Posted: Fri Feb 18, 2005 10:25 am
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

There is also a possible XSS issue here:

http://www.site.com/phpBB/index.php/

Like this, phpBB will change the base dir for the template in the JavaScript URL parameter of many templates.

Code:
function preloadImages() {
   if (document.images) {
      over_profile = newImage(/*URL*/'templates/Charcoal2/images/profile_on.jpg');
      over_faq = newImage(/*URL*/'templates/Charcoal2/images/faq_on.jpg');
      over_search = newImage(/*URL*/'templates/Charcoal2/images/search_on.jpg');
      over_memberlist = newImage(/*URL*/'templates/Charcoal2/images/memberlist_on.jpg');
      over_usergroups = newImage(/*URL*/'templates/Charcoal2/images/usergroups_on.jpg');
      over_register = newImage(/*URL*/'templates/Charcoal2/images/register_on.jpg');
      over_pms = newImage(/*URL*/'templates/Charcoal2/images/pms_on.jpg');
      over_login = newImage(/*URL*/'templates/Charcoal2/images/login_on.jpg');
      preloadFlag = true;
   }
}

Posted: Fri Feb 18, 2005 4:28 pm
Tomanas
Active user
Joined: Jan 30, 2005
Posts: 29

it doesn't seem to be exploitable :-]
Magic Quotes
Posted: Fri Feb 18, 2005 6:20 pm
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

Tomanas wrote:
it doesn't seem to be exploitable :-]


Yep, it deals with the magic quotes and the backslash.


From the manual:

Quote:
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.

Posted: Fri Feb 18, 2005 7:38 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

mmmmmmmmmmm I like this one more: http://www.phpbb.com/phpBB/profile.php?mode=viewprofile&u=\()\()\()\()\()\()\()\

private exploit not public for 1 month phpbb.com not like


http://www.phpbb.com/phpBB/profile.php?mode=viewprofile&u=\()\()\()\()\()\()\()\



/home/virtual/phpbb.com/phpBB/ OMG


private xpl not for security focus , securitytracker for 1 month
Posted: Fri Feb 18, 2005 8:23 pm
damned
Regular user
Joined: Feb 18, 2005
Posts: 8

What can I do with this?


Tried obtaining data for a non-existent user

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\()\\()\\()\\()\\()\\()\' AND user_id <> -1' at line 3

SELECT * FROM phpbb_users WHERE username = '\\()\\()\\()\\()\\()\\()\' AND user_id <> -1

Line : 109
File : /home/site/public_html/phpBB2/includes/functions.php
Posted: Fri Feb 18, 2005 8:34 pm
Grullanetx
Beginner
Joined: Feb 18, 2005
Posts: 2

hi all!

It seems that this is a way to reveal the path of some scripts (the directory path on the server)... maybe a "revealed path" bug in phpBB.

But it is not yet possible to inject code... I mean, to execute SQL injection satisfactorily, isn't it?
Posted: Fri Feb 18, 2005 10:59 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

Grullanetx wrote:
hi all!

It seems that this is a way to reveal the path of some scripts (the directory path on the server)... maybe a "revealed path" bug in phpBB.

But it is not yet possible to inject code... I mean, to execute SQL injection satisfactorily, isn't it?



Yes man, it is possible to inject code, and other methods too, but it is not public. Cool
These Exploits
Posted: Mon Feb 21, 2005 8:53 am
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

This kind of stuff is good because it gives information about table prefixes.

In the errors you can learn the full name of the table.

There is another issue here:

http://www.site.com/phpBB2/search.php?mode=searchuser

And searching: \\\\\\\\\\\\\\\'

You get:


Could not obtain search results

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\\\\\\\\\\\\\\\\\\\\\\\\' AND user_id <> -1 ORDER BY usern

SELECT username FROM phpbb_users WHERE username LIKE '\\\\\\\\\\\\\\\\\\\\\\\\\' AND user_id <> -1 ORDER BY username

Line : 446

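The three 1064 errors in this thread (the search_author query in the first post, the profile.php u= value LINUX posted, and the searchuser value above) all fail the same way: the value inside the MySQL string literal ends in a single backslash, which escapes the closing quote, so the literal never terminates. Poklyezz's remark about the 26th character being truncated explains why: magic_quotes_gpc doubles every backslash before phpBB cuts the username down to 25 characters, and the cut can land between the two halves of a `\\` pair. The Python below is an added example, not code from the thread or from phpBB. It models that escape-then-truncate order with a plain addslashes() and a 25-character limit (both assumptions drawn from the thread; the real phpbb_clean_username() does more than this), reproduces the three quoted values, and shows the order that avoids the problem (truncate the raw value, then escape) next to a check that flags an odd run of trailing backslashes. Parameterised queries avoid the whole class, since no escaping is spliced into the SQL text at all.

```python
"""Added example (not code from the thread or from phpBB): model the
escape-then-truncate handling that the thread's MySQL 1064 errors point to,
and show the order of operations that avoids it."""

# phpBB caps usernames at 25 characters; that limit and the use of a plain
# addslashes() are assumptions drawn from the thread's "26th character" remark,
# not a transcription of phpbb_clean_username().
USERNAME_MAX = 25


def addslashes(value: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc applies to every request value.
    Each ' " \\ is prefixed with a backslash and NUL becomes \\0."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def escape_then_truncate(raw: str) -> str:
    """The flawed order: magic quotes escape first, phpBB truncates afterwards,
    so the cut can split a '\\\\' pair and leave one backslash at the end."""
    return addslashes(raw.strip())[:USERNAME_MAX]


def truncate_then_escape(raw: str) -> str:
    """The safe order: cut the raw value first, escape the result, so every
    backslash the database sees is part of a complete escape sequence."""
    return addslashes(raw.strip()[:USERNAME_MAX])


def has_dangling_backslash(escaped: str) -> bool:
    """True when the value ends in an odd run of backslashes.  Inside a MySQL
    string literal that run escapes the closing quote, the literal never ends,
    and MySQL reports 1064, exactly the errors quoted in the thread."""
    run = len(escaped) - len(escaped.rstrip("\\"))
    return run % 2 == 1


def strip_dangling_backslash(escaped: str) -> str:
    """Retrofit for code that cannot reorder the steps: drop a lone trailing
    backslash after truncation so the closing quote survives."""
    return escaped[:-1] if has_dangling_backslash(escaped) else escaped


def build_search_query(search_author: str, table: str = "phpbb_users") -> str:
    """Same construction as the search.php excerpt in the first post, fed by the
    flawed cleaning order; the table name is a constructed default."""
    value = escape_then_truncate(search_author).replace("*", "%")
    value = value.replace("\\'", "''")
    return f"SELECT user_id FROM {table} WHERE username LIKE '{value}'"


# Inputs constructed to match the three URLs/values quoted in the thread.
THREAD_INPUTS = {
    "search_author (post 1)": "\\*" * 9 + "\\",
    "profile.php u= (LINUX)": "\\()" * 7 + "\\",
    "searchuser (Zeelock)": "\\" * 15 + "'",
}

if __name__ == "__main__":
    for label, raw in THREAD_INPUTS.items():
        bad = escape_then_truncate(raw)
        good = truncate_then_escape(raw)
        print(f"{label}: flawed={bad!r} dangling={has_dangling_backslash(bad)} "
              f"fixed={good!r} dangling={has_dangling_backslash(good)}")
    print(build_search_query(THREAD_INPUTS["search_author (post 1)"]))
```

Running it prints the exact `LIKE '\\%\\%\\%\\%\\%\\%\\%\\%\'` tail from the first post's error, and shows that the same three inputs come out with an even number of trailing backslashes once truncation happens before escaping. The check is also a cheap thing to run over any value a legacy code base splices into SQL after a length cut.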
Posted: Mon Feb 21, 2005 1:34 pm
Tomanas
Active user
Joined: Jan 30, 2005
Posts: 29

Yes, it's true that you get the table prefix with this. BUT you can't do anything with it... sad... ;-] Where can we get private exploits? Very Happy
Unlink ()
Posted: Wed Feb 23, 2005 8:51 am
Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

Just for deleting files,

Quote from iDefense:

Quote:
Remote exploitation of an input validation vulnerability in the phpBB
Group's phpBB2 bulletin board system allows attackers to unlink (delete)
arbitrary system files under the privileges of the web server.

phpBB is an open-source web-based bulletin board system written in PHP.
The vulnerability specifically exists due to a combination of several
flaws that allows a remote attacker to control the arguments in a call
to unlink(). The first flaw occurs in the avatar gallery, where a user is
permitted to specify part of the directory name for the desired avatar.
Directory traversal modifiers (ex: "/../") are not properly filtered out,
allowing a user to break out of the default avatar directory. This issue
is realized in lines 68-71 of usercp_avatar.php:

if (
file_exists(@phpbb_realpath($board_config['avatar_gallery_path']
. '/' . $avatar_filename)) && ($mode == 'editprofile') )
{
$return = ", user_avatar = '" . str_replace("/'", "''",
$avatar_filename) . "', user_avatar_type = " .
USER_AVATAR_GALLERY;
}

Avatars are then composed with the following code excerpt found in line
90 of usercp_viewprofile.php:

$avatar_img = ( $board_config['allow_avatar_local'] ) ? '<img src="'

. $board_config['avatar_gallery_path'] . '/' .
$profiledata['user_avatar'] . '" alt="" border="0" />' : '';

The abused calls to unlink() are made when an avatar is deleted. There
is a guard around these functions requiring that the target avatar to
unlink exist in the avatar_path. This routine is also vulnerable to a
directory traversal attack. By issuing a large number of "/../"
directory traversal modifiers, an attacker is able to delete arbitrary
system files. The vulnerable segment of code shown here is from lines
473-478 of usercp_register.php:

if ( @file_exists(@phpbb_realpath('./' .
$board_config['avatar_path']
. '/' . $userdata['user_avatar'])) )
{
@unlink(@phpbb_realpath('./' . $board_config['avatar_path'] .
'/'
. $userdata['user_avatar']));
}

An attacker can exploit this vulnerability by modifying the
"avatarselect" return value from the gallery to point to the desired
file to delete. The choice must be submitted twice for the attack to be
successful.

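The point the quoted advisory makes on the defensive side is that file_exists() on a realpath'd name is not a containment check: a name full of "/../" resolves to a real, existing file just as well. As an added example, not code from the thread, the advisory or phpBB, the Python below shows the check a maintainer would put in front of the unlink(): resolve the joined path and refuse it unless the result is still under the avatar directory. The directory layout, file names and avatar names are constructed sample data.

```python
"""Added example (not code from the thread, the advisory or phpBB): the
containment check missing from the avatar unlink() code quoted above."""
import os
import tempfile
from typing import Optional


def resolve_inside(base_dir: str, user_supplied: str) -> Optional[str]:
    """Resolve base_dir/user_supplied and return it only if it is still inside
    base_dir.  The quoted guard asked file_exists(realpath(...)), which is just
    as true for an avatar name that climbs out with '/../' onto a system file."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_supplied))
    # commonpath() compares whole path components, so a sibling such as
    # '/srv/avatars_old' does not pass for base '/srv/avatars'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def delete_avatar(avatar_dir: str, user_avatar: str) -> bool:
    """Unlink a gallery avatar only when its resolved path is inside avatar_dir."""
    target = resolve_inside(avatar_dir, user_avatar)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Build a throwaway board layout (constructed sample data) and run the
    check against a legitimate name, a traversal name and an absolute path."""
    root = tempfile.mkdtemp()
    avatar_dir = os.path.join(root, "images", "avatars")
    os.makedirs(avatar_dir)
    outside = os.path.join(root, "config.php")  # stands in for any file outside the gallery
    with open(outside, "w") as fh:
        fh.write("<?php /* constructed stand-in */ ?>")
    with open(os.path.join(avatar_dir, "smile.gif"), "wb") as fh:
        fh.write(b"GIF89a")
    return {
        "legit_deleted": delete_avatar(avatar_dir, "smile.gif"),
        "traversal_refused": not delete_avatar(avatar_dir, "../../config.php"),
        "absolute_refused": not delete_avatar(avatar_dir, outside),
        "outside_file_intact": os.path.isfile(outside),
    }


if __name__ == "__main__":
    print(demo())
```

The same resolve-and-compare step belongs wherever the avatar name is stored, not only at deletion time: the advisory notes the name is accepted in the gallery selection first, so rejecting it there keeps a traversal string out of the database altogether.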
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"