Bugtraq mailing list archives

Re: phpBB 1.4.0 bug leads to easy admin privileges


From: Paul Burney <burney () gseis ucla edu>
Date: Fri, 03 Aug 2001 15:01:36 -0700

on 8/3/01 12:51 PM, kill-9 () modernhackers com (kill-9 () modernhackers com)
wrote:

found by: kill-9 () modernhacker com
http://www.modernhacker.com

I don't know whether or not kill-9 notified anyone about his exploit before
posting.  He also didn't mention a fix for the problem.  One fix can be
found at:

<http://www.game-mods.com/prefs.php.txt>

I didn't write the code but saw it on the phpBB support forum.

Please note there is a slight typo in the file.  The correct lines to add
around line 51 in prefs.php are:

$fviewemail = str_replace('=','',$viewemail);
$fthemes = str_replace('=','',$themes);
$fsig = str_replace('=','',$tsig);
$fsmile = str_replace('=','',$smile);
$fdishtml = str_replace('=','',$dishtml);
$fdisbbcode = str_replace('=','',$disbbcode);
$flang = str_replace('=','',$lang);
$sql = "UPDATE users SET user_viewemail='$fviewemail',
user_theme='$fthemes', user_attachsig = '$fsig', user_desmile = '$fsmile',
user_html = '$fdishtml', user_bbcode = '$fdisbbcode', user_lang = '$flang'
WHERE (user_id = '$userdata[user_id]')";

There may be other bugs in the code in other files that can be exploited in
a similar fashion, but this resolves one immediate threat.

Another user named mmj on the boards mentioned:

Removing the = signs in all the variables is one solution. Using addslashes()
on all the variables is an alternative solution.

Hope that helps.

Sincerely,

Paul Burney

+-------------------------+---------------------------------+
| Paul Burney             | P: 310.825.8365                 |
| Webmaster && Programmer | E: <webmaster () gseis ucla edu>   |
| UCLA -> GSE&IS -> ETU   | W: <http://www.gseis.ucla.edu/> |
+-------------------------+---------------------------------+
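As an added example that is not part of Paul's message, the fix file, or phpBB's own code: the same seven-column UPDATE written with a PDO prepared statement, where every preference is bound as data, so neither stripping '=' nor addslashes() is needed to keep a value from changing the statement. The in-memory table layout, the user_level column, and the update_prefs() function are constructed for this demo.

```php
<?php
// Added example, not from prefs.php or the thread. The same UPDATE that the
// patch above protects by stripping '=', written with a PDO prepared
// statement: each preference is bound as data, so it cannot alter the SQL.
// Table layout, the user_level column and update_prefs() are constructed here.

function update_prefs(PDO $db, int $userId, array $p): bool
{
    $sql = "UPDATE users SET user_viewemail = :viewemail, user_theme = :theme,
                user_attachsig = :sig, user_desmile = :smile, user_html = :dishtml,
                user_bbcode = :disbbcode, user_lang = :lang
            WHERE user_id = :uid";
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':viewemail' => $p['viewemail'], ':theme'     => $p['theme'],
        ':sig'       => $p['sig'],       ':smile'     => $p['smile'],
        ':dishtml'   => $p['dishtml'],   ':disbbcode' => $p['disbbcode'],
        ':lang'      => $p['lang'],      ':uid'       => $userId,
    ]);
}

// Constructed in-memory schema and a single ordinary (user_level = 0) account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    user_id INTEGER PRIMARY KEY, user_level INTEGER NOT NULL DEFAULT 0,
    user_viewemail TEXT, user_theme TEXT, user_attachsig TEXT, user_desmile TEXT,
    user_html TEXT, user_bbcode TEXT, user_lang TEXT)");
$db->exec("INSERT INTO users (user_id, user_lang) VALUES (7, 'english')");

// A theme value containing both a quote and '=' is stored verbatim: with
// binding there is nothing to strip or escape, and user_level is untouched.
$prefs = ['viewemail' => '1', 'theme' => "O'Reilly=1", 'sig' => '0',
          'smile' => '1', 'dishtml' => '0', 'disbbcode' => '0', 'lang' => 'english'];
update_prefs($db, 7, $prefs);

$row = $db->query("SELECT user_level, user_theme FROM users WHERE user_id = 7")
          ->fetch(PDO::FETCH_ASSOC);
assert((int) $row['user_level'] === 0);
assert($row['user_theme'] === "O'Reilly=1");
printf("user_level=%d theme=%s\n", $row['user_level'], $row['user_theme']);
```

Requires the pdo_sqlite extension; with the original string-built query, the same theme value would have had to be escaped by hand before it could be stored at all.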

