GulfTech Computers - Professional Computer Services  
Additional Links
-> Dicussion Forum
-> Encryption Tools
-> Information Tools
-> Net Info Tools
-> Latest Advisories
-> Latest Vulns
-> Latest Win Software
-> Latest Nix Software
-> Security News
-> Security Press
Recent News

GulfTech Computers strives to beat the price(s) of any other business around. Check with us first as it just may save you some time and money. And who doesn't want to save money? Please contact us with any questions or inquiries.

Latest GulfTech Releases

SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used to find many hosts not on the public netblock. A very interesting tool to say the least. Works on both Nix and Windows based systems. Get it now!

Download SubScan v1.2

Search GulfTech
You can use the form below to search our site. Just enter the keyword or keywords to search.
Latest Advisories
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe (SCOSA-2004.7)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities (SCOSA-2004.10)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges (SCOSA-2004.3)
SCO Security Advisory - UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges. (SCOSA-2004.2)
Microsoft Security Bulletin Re-release, August 2004
Latest Vulnerabilities
OpenFTPD Format String Vulnerability
Fusion News Unauthorized Account Addition Vulnerability
Jaws 0.4 Authentication Bypass Vulnerability
DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
LostBook v1.1 Javascript Execution Vulnerability
Latest Security News
Anti-spam spamvertisers agree to quit
Black Hat day 2 sounds security alarm
VPNs (Virtual Private Nightmares)
HNS Newsletter issue 224 has been released
Long-awaited IE patch (finally) arrives















phpBB 2.0.7a And Earlier Security Issues
March 20, 2022


Vendor : phpBB Group
URL : http://www.phpbb.com
Version : phpBB 2.0.7a && Earlier
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/9942


Description:
phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.


Problem:
Just a few days ago I was visiting Security Focus and I saw the following issue.

http://www.securityfocus.com/bid/9896

I was at first thinking "Well, if you can't trust your admins that is as big of a security risk as any SQL Injection" After talking to a few people about this I realized that a number of phpBB installations are run on shared hosting setups, and because of that this issue could be a legitimate risk. For example

admin_words.php?mode=edit&id;=99 UNION SELECT 0,username,user_password FROM othersite_phpbb_users WHERE user_id=2

I decided to look into this a little more and noticed similar issues in two other files as well. The files I found to also be vulnerable were "admin_smilies.php" and "admin_styles.php" which can also be used to query arbitrary information.

admin_smilies.php?mode=edit&id;=99 UNION SELECT 0,username,0,user_password FROM othersite_phpbb_users WHERE user_id=2

I also played around with ideas on how a malicious user could use this for any kind of mischief. Remember that these SQL issues can also be used to probably drop tables and the like on non phpBB installations depending on DB privledges. Below are the findings of my weekend off from work. :P



SQL Injection Vulnerability:
Altering queries is possible via two different files in phpBB 2.0.7a and earlier. The affected files are "admin_smilies.php" and "admin_styles.php" Below is what you will see if you take a look at the "admin_smilies.php" file.

-----[ Start Vuln Code ] ------------------------------------------------------
$sql = "SELECT *
	FROM " . SMILIES_TABLE . "
	WHERE smilies_id = " . $smiley_id;
$result = $db->sql_query($sql);
-----[ Ends Vulns Code ] ------------------------------------------------------

Both of these files could also be used to conduct cross site scripting attacks if a logged in admin views a malicious link sent by an attacker. Below are examples.

admin_smilies.php?mode=edit&id;=[SQL]
admin_smilies.php?mode=delete&id;=[SQL]
admin_smilies.php?mode=edit&id;=[XSS]
admin_smilies.php?mode=delete&id;=[XSS]
admin_styles.php?mode=edit&style;_id=[SQL]
admin_styles.php?mode=delete&style;_id=[SQL]
admin_styles.php?mode=edit&style;_id=[XSS]
admin_styles.php?mode=delete&style;_id=[XSS]

Maybe an attacker could send a logged in admin a link that causes certain contents of the database to be dumped into a text file in the httpd directory for retrieval, or maybe an attacker can send a logged in admin a link with some script embedded and attempt to steal information from a cookie? All of those may be likely, but what I am going to talk about next makes it a whole lot easier for an attacker.


Command Execution Vulnerability:
While playing around I noticed it was very easy to have commands that were called via the GET method executed. This could also be very useful for an attacker if he or she were to combine the above issues with the one I am talking about right now. To make things a little clearer go into your phpBB admin panel and lets create a harmless test to see how this works. We will use the word censor feature for this example since it is harmless enough, but you could just as easily use one of the vulnerabilities found by me and explained earlier in this paper. Go to the page in your phpBB admin panel titled "Word Censors" aka "admin_words.php" Now make a word censor, can be anything. After it is done get the link to delete the word censor you just made. For example see below what the link looks like.

admin_words.php?mode=delete&id;=1&sid;=b48906073d7a8da0ecad3e35b1f4021b

The sid variable doesn't have to be there, and if it does then that particular file is probably not vuln. Now we go into our user level account and make a post with an image that has a link to the vuln command. Now when an admin views this bogus image the command is executed. For example take the following post contents.

[img]http://host/login.php?logout=true[/img]

A post with this in it will log out whoever views it. Imagine how annoying it would be for a user to have something like that in their signature. It would log out everyone who viewed their post(s). This can be used with other files as well, not just the "admin_styles.php", "admin_smilies.php", and "admin_words.php" My weekend is almost over though :-\ So I do not have much more time to play around with this. But remember, this works on users too, not just admins and mods. The only limits I have found really is it only works on actions that get the values of it's variables from the GET method and not the $HTTP_POST_VARS[] method, and do not check for valid session id's this includes deleting posts, themes, smileys, word censors and more. This kind of activity could also be used in signatures, pm's and the like too. Some files such as modcp.php seem to handle sessions properly though, so they are not vulnerable. This is the code that checks for valid session ID's If it is not present it is possibly a vulnerable file.
		
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
	message_die(GENERAL_ERROR, 'Invalid_session');
}
A quick grep of the phpBB2 directory will turn up lots of results. You can do that to see which files are potentially vulnerable to this issue.


Solution:
I have corresponded wih the developers about these issues, and you can read that correspondance at the following url.

http://www.gulftech.org/vuln/phpBBEmail.txt

I think the session checks are definately a potential danger, but I have fixed the vulnerable admin files, and they can be downloaded at the link below. If you find any problems with the fixes please let me know. Also, I have added fixes for the logout, and post deletion problems.

http://www.gulftech.org/vuln/phpBBadminFix.rar
http://www.gulftech.org/vuln/phpBBpostDeletion.rar
http://www.gulftech.org/vuln/phpBBlogoutFix.rar

I will post any updated correspondance in the previously mentioned file, so if you would like to keep up on any progress made check there.


Update:
Due to the lack of concern for these issues by the phpBB team and many users we have released the folling proof of concept examples.

http://www.gulftech.org/vuln/phpBBpoc/

It is also worth mentioning that the phpBB 2.0.8 upgrade does not stop the script phpBBpostMassacre from working.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.






© Copyright 2002 - GulfTech Computers, All Rights Reserved
Contact GulfTech Computers