Bugtraq mailing list archives

phpBB/gender mod allows getting admin privilege, exploit/patch


From: langtuhaohoa caothuvolam <trungonly () yahoo com>
Date: 27 Jul 2002 14:16:06 -0000



#########################################################################
## Announcement:
## Fix for the user privilege change bug in phpBB 2.x
## In phpBB with the official Gender Mod, this vuln allows a normal user
## to set her/himself to become a forum administrator.
##
## Author: PTTrung
## http://hackervn.net (caothuvolam) http://viethacker.net (langtuhaohoa)
## trungonly () yahoo com
##
## Description:
## Gender Mod is a commonly used modification in official phpBB releases.
## Unchecked posted values can add some SQL fields into the UPDATE SQL command.
## This affects the newest version 1.1.3.
## If you assign the value 'user_level = 1', you will have the ADMINISTRATOR
## PRIVILEGE in the forum.
##
## Exploit:
## 1. Save the User Profile page to your disk to modify it offline.
## 2. Add the correct full post action address (http://forum.victim.com/...):
##   <FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post
##      encType=multipart/form-data>
## 3. Modify the HTML Form so that the input field "gender" has a value like:
##   <input type=text name=gender value="0, user_level = 1 ">
## 4. Load this page in the same browser window where the cookie is still available.
## Take care to hide the tracks of your hacking and finally hit Submit
## to change the user profile. You're done.
##
## Patch:
## File To Patch:
## forumroot/includes/usercp_register.php
##
## Note.
## The phpBB team has also been emailed about this problem.
##
#########################################################################

# Patch
#
#-----[ OPEN ]------------------------------------------ 
# 
    forumroot/includes/usercp_register.php

# 
#-----[ FIND ]------------------------------------------ 
# 

        $gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS['gender'] : 0;

# 
#-----[ REPLACE AS ]------------------------------------ 
# 

        $gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval($HTTP_POST_VARS['gender']) : 0;

# 
#-----[ SAVE/CLOSE/UPLOAD THIS FILE ]------------------- 
# 
# EoP 
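The defect and the one-line patch above, modelled in Python as an added example (not code from the post or from phpBB): the profile UPDATE is built by string concatenation, so the unchecked "gender" field can smuggle a second SET assignment, while coercing it with an intval()-style parse leaves only the numeric prefix. The table and column names, and the PHP intval emulation, are assumptions for illustration.

```python
import re

# Constructed stand-in for the UPDATE built in usercp_register.php; the real
# query sets many more columns. Table/column names are placeholders.
def build_profile_update(user_id: int, gender_value: str) -> str:
    return (f"UPDATE phpbb_users SET user_gender = {gender_value}"
            f" WHERE user_id = {user_id}")


def php_intval(value: str) -> int:
    """Approximates PHP intval() on a string: optional leading whitespace,
    sign and digits are parsed; anything else yields 0 (assumed semantics)."""
    m = re.match(r"^\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def vulnerable_query(user_id: int, posted: dict) -> str:
    # Mirrors the FIND block: the posted value is used as-is.
    gender = posted.get("gender", "0")
    return build_profile_update(user_id, gender)


def patched_query(user_id: int, posted: dict) -> str:
    # Mirrors the REPLACE AS block: the posted value is coerced to an int.
    gender = php_intval(posted.get("gender", "0"))
    return build_profile_update(user_id, str(gender))


def set_assignments(sql: str) -> list:
    """Return the individual assignments in the SET clause. A single form
    field should never produce more than one; extra entries mean injection."""
    set_clause = sql.split(" SET ", 1)[1].split(" WHERE ", 1)[0]
    return [a.strip() for a in set_clause.split(",")]


if __name__ == "__main__":
    # Constructed POST body using the value quoted in the advisory.
    posted = {"gender": "0, user_level = 1 "}
    for label, fn in (("vulnerable", vulnerable_query), ("patched", patched_query)):
        sql = fn(42, posted)
        print(f"{label}: {sql}")
        print(f"  SET assignments: {set_assignments(sql)}")
```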

