TUCoPS :: Web BBS :: Frequently Exploited :: hack2568.htm

Phpbb 2.0.7a And Earlier Secuity Issues
Phpbb 2.0.7a And Earlier Secuity Issues



Vendor  : phpBB Group

URL     : http://www.phpbb.com 

Version : phpBB 2.0.7a && Earlier

Risk    : Multiple Vulnerabilities







Description:

phpBB is a high powered, fully scalable, and highly customisable 

open-source bulletin board package. phpBB has a user-friendly 

interface, simple and straight forward administration panel, 

and helpful FAQ. Based on the powerful PHP server language and 

your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database 

servers, phpBB is the ideal free community solution for all web 

sites.







Problem:

Just a few days ago I was visiting Security Focus and I saw the 

following issue.



http://www.securityfocus.com/bid/9896 



I was at first thinking "Well, if you can't trust your admins 

that is as big of a security risk as any SQL Injection" After 

talking to a few people about this Irealized that a number of 

phpBB installations are run on shared hosting setups, and 

because of that this issue could be a legitimate risk. For 

example



admin_words.php?mode=edit&id=99 UNION SELECT 0,username,

user_password FROM othersite_phpbb_users WHERE user_id=2



I decided to look into this a little more and noticed similar 

issues in two other files as well. The files I found to also 

be vulnerable were "admin_smilies.php" and "admin_styles.php" 

which can also be used to query arbitrary information.



admin_smilies.php?mode=edit&id=99 UNION SELECT 0,username,0,

user_password FROM othersite_phpbb_users WHERE user_id=2



I also played around with ideas on how a malicious user could 

use this for any kind of mischief. Remember that these SQL 

issues can also be used to probably drop tables and the like 

on non phpBB installations depending on DB privledges. Below 

are the findings of my weekend off from work. :P







SQL Injection Vulnerability:

Altering queries is possible via two different files in phpBB 

2.0.7a and earlier. The affected files are "admin_smilies.php" 

and "admin_styles.php" Below is what you will see if you take 

a look at the "admin_smilies.php" file.





-----[ Start Vuln Code ] ------------------------------------



$sql = "SELECT *

	FROM " . SMILIES_TABLE . "

	WHERE smilies_id = " . $smiley_id;

$result = $db->sql_query($sql);



-----[ Ends Vulns Code ] ------------------------------------





Both of these files could also be used to conduct cross site 

scripting attacks if a logged in admin views a malicious link 

sent by an attacker. Below are examples.



admin_smilies.php?mode=edit&id=[SQL]

admin_smilies.php?mode=delete&id=[SQL]

admin_smilies.php?mode=edit&id=[XSS]

admin_smilies.php?mode=delete&id=[XSS]

admin_styles.php?mode=edit&style_id=[SQL]

admin_styles.php?mode=delete&style_id=[SQL]

admin_styles.php?mode=edit&style_id=[XSS]

admin_styles.php?mode=delete&style_id=[XSS]



Maybe an attacker could send a logged in admin a link that 

causes certain contents of the database to be dumped into a 

text file in the httpd directory for retrieval, or maybe an 

attacker can send a logged in admin a link with some script 

embedded and attempt to steal information from a cookie? All 

of those may be likely, but what I am going to talk about 

next makes it a whole lot easier for an attacker.







Command Execution Vulnerability:

While playing around I noticed it was very easy to have 

commands that were called via the GET method executed. This 

could also be very useful for an attacker if he or she were 

to combine the above issues with the one I am talking about 

right now. To make things a little clearer go into your phpBB 

admin panel and lets create a harmless test to see how this 

works. We will use the word censor feature for this example 

since it is harmless enough, but you could just as easily use 

one of the vulnerabilities found by me and explained earlier 

in this paper. Go to the page in your phpBB admin panel titled 

"Word Censors" aka "admin_words.php" Now make a word censor, 

can be anything. After it is done get the link to delete the 

word censor you just made. For example see below what the link 

looks like.



admin_words.php?mode=delete&id=1&sid=[SID]



The sid variable doesn't have to be there, and if it does then 

that particular file is probably not vuln. Now we go into our 

user level account and make a post with an image that has a link 

to the vuln command. Now when an admin views this bogus image the 

command is executed. For example take the following post contents.



[img]http://host/login.php?logout=true[/img] 



A post with this in it will log out whoever views it. Imagine how 

annoying it would be for a user to have something like that in 

their signature. It would log out everyone who viewed their post(s). 

This can be used with other files as well, not just the 

"admin_styles.php", "admin_smilies.php", and "admin_words.php" 

My weekend is almost over though :-\ So I do not have much more 

time to play around with this. But remember, this works on users 

too, not just admins and mods. The only limits I have found really 

is it only works on actions that get the values of it's variables 

from the GET method and not the $HTTP_POST_VARS[] method, and do 

not check for valid session id's this includes deleting posts, 

themes, smileys, word censors and more. This kind of activity could 

also be used in signatures, pm's and the like too. Some files such 

as modcp.php seem to handle sessions properly though, so they are 

not vulnerable. This is the code that checks for valid session ID's 

If it is not present it is possibly a vulnerable file.



// session id check

if ($sid == '' || $sid != $userdata['session_id'])

{

	message_die(GENERAL_ERROR, 'Invalid_session');

}



A quick grep of the phpBB2 directory will turn up lots of results. 

You can do that to see which files are potentially vulnerable to 

this issue. Some pretty nasty stuff can come from these issues 

though. For example, if magic_quotes_gpc is off an attacker can 

make an image to exploit one of the earlier mentioned SQL 

vulnerabilities and cause the admin hash to be dumped into a text 

file for later retrieval.



admin_smilies.php?mode=edit&id=99 UNION SELECT 0,username,0,

user_password FROM phpbb_users WHERE user_id=2 INTO OUTFILE 

'/www/full/path/out.txt' 



And also in the same post have another "image" that deletes 

the post as soon as it is viewed so there is no evidence left 

behind except the text file in the httpd directory.







Solution:

I have corresponded wih the developers about these issues, and 

you can read that correspondance at the following url.



http://www.gulftech.org/vuln/phpBBEmail.txt 



I think the session cheacks are definately a potential danger, 

but I have fixed the vulnerable admin files, and they can be 

downloaded at the link below. If you find any problems with the 

fixes please let me know.



http://www.gulftech.org/vuln/phpBBadminFix.rar 



I will post any updated correspondance in the previously mentioned 

file, so if you would like to keep up on any progress made check 

there. The original advisory for this report can be found at the

following url @ http://www.gulftech.org/03202004.php 







Credits:

Credits go to JeiAr of the GulfTech Security Research Team. 

http://www.gulftech.org 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH