lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041113030542.11396.qmail@www.securityfocus.com> Date: 13 Nov 2004 03:05:42 -0000 From: jessica soules <admin@...dark.com> To: bugtraq@...urityfocus.com Subject: phpBB Code EXEC (v2.0.10) _ _ ______ _ | | | | | _ \ | | | |_| | _____ __ | | | |__ _ _ __| | __ | _ |/ _ \ \ /\ / / | | | / _` | '__| |/ / | | | | (_) \ V V / | |/ / (_| | | | < \_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\ http://www.howdark.com ---------------------------------------------------------------------------------------------------------------------------------- // Information ---------------------------------------------------------------------------------------------------------------------------------- Author: How Dark Date: October 1, 2004 URL: http://www.howdark.com Affected Software: phpBB 2 Software Version: 2.0.* - 2.0.10 Software URL: http://www.phpbb.com Attack: SQL Injection, allowing people to minipulate the query into pulling data they should not previously be able too obtain. (Such as passwords) Arbituary EXEC allows you, if you can get on to a new line, to execute your own PHP, which can be fatal. Description: Because of the way urldecode and magic quotes works, it turns %2527 into %27, which is a single quote, and it leaves it unslashed. This gives you a SQL Injection, leading to arbituary PHP exec hole. But because you can't get outside preg_replace because of magic quotes, this is very very useless. ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // Description ---------------------------------------------------------------------------------------------------------------------------------- Highlighting %2527 on any topic. ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // URL ---------------------------------------------------------------------------------------------------------------------------------- viewtopic.php?t=1&highlight=%2527 ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // Error ---------------------------------------------------------------------------------------------------------------------------------- Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1 Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST TEXT HERE<') in viewtopic.php on line 1109 --------------------------------------------------------------------------------------------------------- xxx ;eof
Powered by blists - more mailing lists