COMMAND

phpGB mysql injection, cross site scripting, DoS, and arbitrary code execution

SYSTEMS AFFECTED

DoS and exec   --> 1.20 and maybe all versions before
XSS            --> 1.10 and maybe all versions before
sql injection  --> 1.20 and maybe all versions before

PROBLEM

ppp-design [http://www.ppp-design.de] revealed multiple weaknesses:

1 DoS & exec
============

The problem is in /admins/savesettings.php. The only authentication check is a check that the page is being requested via POST. That is why it is very easy to fake authentication and to write anything to /include/config.php. Because this is a major file of the software, included on nearly every page, a syntax error leads to a DoS of the whole guestbook. A further security aspect is the ability to insert arbitrary commands into the config file. By avoiding syntax errors, a possible blackhat is able to execute any php command on the server.

Proof-of-concept
----------------

After running the following proof of concept, you are presented with phpinfo() on every page of the guestbook. Of course you can insert any php code instead of phpinfo(); into /include/config.php. (\n is newline)

telnet example.com 80\n
POST /phpGB/admin/savesettings.php HTTP/1.0\n
Content-Type: application/x-www-form-urlencoded\n
Content-Length: 123\n
dbpassword=%22%3Bphpinfo%28%29%3B%24a%3D%22&toolbar=1
&messenger=1&smileys=1&title=1&db_session_handler=0
&all_in_one=0&test=\n
\n

2 XSS
=====

A possible blackhat is able to insert e.g. javascript code into a guestbook entry. When an admin tries to delete this entry the script will be executed. So the attacker is able to e.g. get the session id and enter the admin area without being authenticated.

Proof-of-concept
----------------

Enter the following guestbook entry:

"delete me <script>alert(document.cookie)</script>"

When an admin tries to delete this entry, a popup showing his session id will come up. Of course it is quite easy to submit this session id to the blackhat's server instead of showing this popup.

3 sql injection
===============

If the affected webserver has not enabled php's magic_quotes_gpc in the php.ini, it is possible to log in as administrator without needing any password. The affected page for the login is /admin/login.php. A possible blackhat is able to add new admins, delete or edit any guestbook entries and change any configuration including sql-server settings.

Proof-of-concept
----------------

Use an existing administrator name (default is admin here) and use the following password:

"' OR 'a'='a"

You will be authenticated if magic_quotes_gpc is not enabled.

SOLUTION

Patch :
=====

Get release 1.40 from : http://www.walzl.net

Workarounds :
===========

DoS & exec : Use .htaccess to restrict access to admin pages
XSS        : Filter all inputs for unwanted code segments like html or javascript code
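The following PHP is an added example written for this advisory, not phpGB's own code or the vendor's patch. It shows the hardened counterpart of the two server-side flaws above (items 1 and 3): a login that no longer depends on magic_quotes_gpc because the user input never becomes part of the SQL text, an authentication gate for the admin pages that checks server-side session state instead of the request method, and a settings writer that stores values as data rather than as PHP source in /include/config.php. The table and column names (admins, password_hash), the session key admin_id, the DSN, and the use of a stored password hash are all assumptions; phpGB's real schema and file layout may differ.

```php
<?php
// Added example (not phpGB's code): hardened admin login, admin gate, and
// settings writer. Table/column names, session key and DSN are assumptions.

declare(strict_types=1);

// --- 1. Login: why the original was injectable ---------------------------
// A query built by string concatenation lets the password field rewrite
// the WHERE clause. With the advisory's password  ' OR 'a'='a  the clause
// becomes   WHERE name='admin' AND password='' OR 'a'='a'   which is true
// for every row. This function only builds the string, to show the
// mechanism; it is never sent to a database.
function vulnerable_login_query(string $name, string $password): string
{
    return "SELECT id FROM admins WHERE name='$name' AND password='$password'";
}

// Hardened form: a prepared statement keeps the value out of the SQL text,
// so quoting in the input is irrelevant and magic_quotes_gpc is not needed.
// The password is checked with password_verify() against a stored hash
// (assumption: the admins table holds a password_hash column).
function admin_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM admins WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // new id after login (session fixation)
    $_SESSION['admin_id'] = (int) $row['id'];
    return true;
}

// --- 2. Gate for admin pages such as savesettings.php --------------------
// The advisory's flaw: the only check was "is this a POST?", which any
// client can satisfy. The gate must look at state the client cannot forge,
// i.e. the server-side session populated by admin_login().
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('admin login required');
    }
}

// --- 3. Settings are data, not PHP source --------------------------------
// savesettings.php wrote raw POST values into /include/config.php, which
// is why a quote in dbpassword could break or extend the PHP code. Keep an
// allow-list of keys and store the values as JSON; json_decode() reads
// them back and nothing in the file can ever be executed.
function save_settings(string $file, array $allowed, array $post): void
{
    require_admin();
    $settings = [];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $post)) {
            $settings[$key] = (string) $post[$key];
        }
    }
    $json = json_encode($settings, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    if (file_put_contents($file, $json, LOCK_EX) === false) {
        throw new RuntimeException("could not write $file");
    }
}

// Usage sketch (DSN and credentials are placeholders):
// session_start();
// $db = new PDO('mysql:host=localhost;dbname=phpgb', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (admin_login($db, $_POST['name'] ?? '', $_POST['password'] ?? '')) { /* ... */ }
// save_settings(__DIR__ . '/../include/config.json',
//               ['dbpassword', 'toolbar', 'messenger', 'smileys', 'title',
//                'db_session_handler', 'all_in_one'], $_POST);
```

The .htaccess workaround the advisory lists still belongs in front of this as defence in depth: the gate stops the unauthenticated write, the web-server rule stops the request from reaching the script at all.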
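For item 2, the advisory's workaround is to filter inputs. The more robust fix, shown in this added example (again not phpGB's code), is to encode at output time, so a stored entry containing markup is displayed as text in the admin delete view rather than interpreted, and to mark the session cookie HttpOnly so that document.cookie, the value the proof of concept reads, does not expose the admin's session id even if an escaping mistake slips through. Function names, the delete.php target and the cookie settings are assumptions; the test entry is the one quoted in the advisory.

```php
<?php
// Added example (not phpGB's code): output encoding for the admin entry
// list and session cookie hardening. Names and targets are assumptions.

declare(strict_types=1);

// Escape once, at output time, for an HTML text/attribute context.
// ENT_QUOTES also escapes single quotes, so the result is safe inside
// quoted attributes; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one row of the admin "delete" page. The numeric id goes into the
// query string through urlencode(); every other field passes through h().
function render_admin_entry(int $id, string $author, string $text): string
{
    return '<tr>'
         . '<td>' . h($author) . '</td>'
         . '<td>' . h($text) . '</td>'
         . '<td><a href="delete.php?id=' . urlencode((string) $id) . '">delete</a></td>'
         . '</tr>';
}

// Call before session_start(). An HttpOnly cookie is not readable from
// document.cookie, so a script running in the admin's browser cannot
// collect the session id. cookie_secure assumes the admin area is served
// over HTTPS; SameSite=Strict keeps the cookie off cross-site requests.
function harden_session_cookie(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Strict');
}

// Demonstration with the advisory's test entry (constructed id and author).
harden_session_cookie();
$entry = 'delete me <script>alert(document.cookie)</script>';
echo render_admin_entry(7, 'guest', $entry), PHP_EOL;
```

Run on the command line, the row shows the script tags as literal, escaped text inside the second cell; in a browser the admin sees the entry exactly as it was typed and no alert fires. Input filtering can still be applied on top, but it is the encoding at the point of output that makes the delete page safe regardless of what was stored.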