lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20041113030542.11396.qmail@www.securityfocus.com>
Date: 13 Nov 2004 03:05:42 -0000
From: jessica soules <admin@...dark.com>
To: bugtraq@...urityfocus.com
Subject: phpBB Code EXEC (v2.0.10)




 _   _                ______           _    
| | | |               |  _  \         | |   
| |_| | _____      __ | | | |__ _ _ __| | __
|  _  |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V  V /  | |/ / (_| | |  |   < 
\_| |_/\___/ \_/\_/   |___/ \__,_|_|  |_|\_\
http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author:	How Dark
Date:	October 1, 2004
URL:	http://www.howdark.com

Affected Software:		phpBB 2
Software Version:		2.0.* - 2.0.10
Software URL:		http://www.phpbb.com

Attack:			SQL Injection, allowing people to minipulate the query into pulling data
			they should not previously be able too obtain. (Such as passwords)
			Arbituary EXEC allows you, if you can get on to a new line, to execute
			your own PHP, which can be fatal.

Description:		Because of the way urldecode and magic quotes works,
			it turns %2527 into %27, which is a single quote, and it
			leaves it unslashed. This gives you a SQL Injection, leading
			to arbituary PHP exec hole. But because you can't get outside
			preg_replace because of magic quotes, this is very very useless.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

Highlighting %2527 on any topic.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

viewtopic.php?t=1&highlight=%2527

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Error
----------------------------------------------------------------------------------------------------------------------------------

Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1

Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST TEXT HERE<') in viewtopic.php on line 1109

---------------------------------------------------------------------------------------------------------

xxx

;eof

Powered by blists - more mailing lists