lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <19453.8802993067$1111778707@news.gmane.org>
Date: Fri, 25 Mar 2005 21:09:46 +0200
From: "tOnk3r" <m@...wire.net>
To: bugtraq@...urityfocus.com
Subject: phpbb 2.0.13 Exploit (bug)


------------------------------------------------------------------------
# phpBB 2.0.13 failure to reset user level after failed exploit
# discovered By : tOnk3r 
# e-mail : m[at]spywire[dot]net
# date : 22-march-05
# shouts: pureone, spywire.net crew , and everybody i know!
# Versions affected : ALL versions upto and including 2.0.13
# status : vendor notified (phpbb)
------------------------------------------------------------------------


phpBB is a high powered, fully scalable, and highly customisable open-source
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful 
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC 

database servers, phpBB is the ideal free community solution for all web
sites.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


This exploit is an extention of the phpbb 2.0.12 boolean exploit that
can be found here http://www.spywire.net/forum/viewtopic.php?t=781 .

This exploit works because the login allows true boolean strings to 
be entered in place of the password hash and session id.
It allows an attacker to login as any user without having to enter
any authentication by editing a cookie and sending it back to the site.

The bug i discovered is a bug in the user privlage reset.
After trying to exploit a patched forum the user remains as admin, 
even though the forum is patched. The forum fails to reset the 
attackers status to guest after a failed exploit.

The attacker is able to view invisible members and the "admin control
pannel" link

but is unable to navigate the forum as admin.

With some more investigation im certain a critical exploit can be found.
but so far i am unable to keep admin status after clicking another link.

'''''''''''''''''''''''''''
      ][=-tOnk3r-=][
'''''''''''''''''''''''''''

if you have any more info on this bug please notify me
either at m[at]spywire[dot]net
or at www.spywire.net/forum



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ