Recently I found what I believed to be serious issues in phpBB. They were dismissed as low level though and not addressed. The thing I find ironic is how I found a couple of low level XSS issues and phpBB releases 2.0.6 > 2.0.7, yet when I find command execution and SQL Injection vulns it's dismissed as low level? Anyway, this is being written to give some examples of how these issues I found can basically be used to completely disrupt the operations of a vulnerable forum.

I believe in helping, not hurting, so I am gonna only show examples of how to delete posts in this paper, and not execute admin actions. However I may end up having to do that later just to show that they are a serious issue :-\ Okay, lets get to deleting some posts on OUR FORUM :)

First of all find the post you want to delete. Can be a users post, and admin/mods post, a sticky, an announcement, a locked topic or anything else. It's weird that the phpBB team said they protected all of the important files such as modcp which will let you lock and unlock topics, but not posting.php which lets you delete any topic or the admin panel which .. well, lets you perform admin actions. Okay back to business. Lets find the post to delete.

Now first off you must get the post number. it is defined in the variable "p" You can find this info out by hovering your mouse over, or copying the link to quote the topic. You know, the quote feature? An example url will look like this.;=203

Now that we have that bit of information we can go on to crafting our malicious post to delete that topic and at the same time deleting our malicious topic as to make an attempt to cover evidence of our mischief :P

Lets go ahead and make a post. Any post, anywhere. Now that you have made that post copy the location of the link to quote your post so that we can get the post number (the p=123 etc etc part) If you are on a forum that doesn't allow for you to edit your own posts then go ahead and make another post somewhere else (but do it quickly) and subtract or add one from the post number. The post number is incremental, get what I mean? Now that we have our information it's time to edit our harmless post to be malicious.

Now we need to take our post number and edit the following url accordingly.;=yourpostnumhere&confirm;=yes

Now you can place your post number where the "yourpostnumhere" is. Below is a screenshot of me crafting a malicious post on my box that I am using to post from the user account.

Screenshot Of Editing The Malicious Post

Okay, now we got it submitted, time to wait for an admin or mod to view it. Here is what our final situation will look like BEFORE the admin views it.

Screenshot Of The Forum Before An Admin Views It.

And here is the screenshot after the damage has been done. Not that all I did to make the malicious commands execute was view the post. Took maybe one second tops to execute. A user can put as many of these "images" in thier post as they want and delete many many posts just by having an admin view the post. Anyway, on to the screenshot of after the damage is done.

Screenshot Of The Forum AFTER An Admin Views It.

Maybe you are now wondering too why the guys from phpBB do not take this seriously just as I am wondering the same thing. Well, since they will not release a fix I will release a temporary solution. It is not a perfect solution but it makes the methods described here not work by using the POST method to accept confirmation of the deleted message. Maybe eventually they will implement proper session auth in phpBB such as the likes of PostNuke, Invision Power Board, or countless other web apps, but until then this should at least help.

Best Regards,

GulfTech Security Research

phpBB 2.0.7a Admin SQL Vulnerability Fix
phpBB 2.0.7a Post Deletion "Fix"

You can also delete styles, smilies, word censors, ranks and probably more in the ACP via the malicious image method


And also you can use the SQL Injections in the admin panel too via an image tag.

Just hex encode the SQL to be executed, place it in am image tag and it's done. You can also have post method stuff executed but that will require getting an admin to visit a page you set up to submit the request when he visits it. It works but takes a little more social engineering

Here is an example of what an attacker could do to really cause harm.