Bugtraq mailing list archives
Re: phpBB 1.4.0 bug leads to easy admin privileges
From: Paul Burney <burney () gseis ucla edu>
Date: Fri, 03 Aug 2001 15:01:36 -0700
on 8/3/01 12:51 PM, kill-9 () modernhackers com (kill-9 () modernhackers com) wrote:
found by: kill-9 () modernhacker com http://www.modernhacker.com
I don't know whether or not kill-9 notified anyone about his exploit before posting. He also didn't mention a fix for the problem.

One fix can be found at:

<http://www.game-mods.com/prefs.php.txt>

I didn't write the code but saw it on the phpBB support forum. Please note there is a slight typo in the file. The correct lines to add around line 51 in prefs.php are:

$fviewemail = str_replace('=','',$viewemail);
$fthemes = str_replace('=','',$themes);
$fsig = str_replace('=','',$tsig);
$fsmile = str_replace('=','',$smile);
$fdishtml = str_replace('=','',$dishtml);
$fdisbbcode = str_replace('=','',$disbbcode);
$flang = str_replace('=','',$lang);
$sql = "UPDATE users SET user_viewemail='$fviewemail', user_theme='$fthemes', user_attachsig = '$fsig', user_desmile = '$fsmile', user_html = '$fdishtml', user_bbcode = '$fdisbbcode', user_lang = '$flang' WHERE (user_id = '$userdata[user_id]')";

There may be other bugs in the code in other files that can be exploited in a similar fashion, but this resolves one immediate threat.

Another user named mmj on the boards mentioned:
Removing the = signs in all the variables is one solution. Using addslashes() on all the variables is an alternative solution.
Hope that helps.

Sincerely,

Paul Burney

+-------------------------+---------------------------------+
| Paul Burney             | P: 310.825.8365                 |
| Webmaster && Programmer | E: <webmaster () gseis ucla edu> |
| UCLA -> GSE&IS -> ETU   | W: <http://www.gseis.ucla.edu/> |
+-------------------------+---------------------------------+
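Both fixes mentioned in this message filter characters out of the values before they are interpolated into the UPDATE string. As an added example (not part of the original post and not phpBB code), here is the same preferences update written with bound parameters, so the values never become part of the SQL text. It assumes a modern PHP with PDO and an in-memory SQLite table; save_prefs(), the table layout and the sample values are constructed for illustration.

```php
<?php
// Added example, not phpBB code. Column names follow the UPDATE quoted in the
// message; save_prefs(), the table layout and all sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY,
    user_viewemail TEXT, user_theme TEXT, user_attachsig TEXT, user_desmile TEXT,
    user_html TEXT, user_bbcode TEXT, user_lang TEXT)");
$db->exec("INSERT INTO users (user_id) VALUES (7), (8)");

function save_prefs(PDO $db, int $userId, array $prefs): int
{
    // Placeholders keep every value out of the SQL text: quotes and '=' in the
    // input are stored as data and cannot change the statement's structure.
    $stmt = $db->prepare(
        "UPDATE users SET user_viewemail = :viewemail, user_theme = :themes,
             user_attachsig = :sig, user_desmile = :smile, user_html = :dishtml,
             user_bbcode = :disbbcode, user_lang = :lang
         WHERE user_id = :user_id"
    );
    foreach (['viewemail', 'themes', 'sig', 'smile', 'dishtml', 'disbbcode', 'lang'] as $key) {
        $stmt->bindValue(':' . $key, (string) ($prefs[$key] ?? ''), PDO::PARAM_STR);
    }
    // The row to update comes from the server-side session, typed as an integer.
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed input containing the characters both filters target.
$prefs = ['viewemail' => '1', 'themes' => '2', 'sig' => '1', 'smile' => '0',
          'dishtml' => '0', 'disbbcode' => '0', 'lang' => "en' x='y"];
$changed = save_prefs($db, 7, $prefs);

$stored = $db->query("SELECT user_lang FROM users WHERE user_id = 7")->fetchColumn();
$other  = $db->query("SELECT user_lang FROM users WHERE user_id = 8")->fetchColumn();

// The value is stored verbatim, exactly one row changed, the other row is untouched.
if ($changed !== 1 || $stored !== $prefs['lang'] || $other !== null) {
    throw new RuntimeException('bound-parameter update did not behave as expected');
}
echo "rows changed: $changed, stored user_lang: $stored\n";
```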