phpBB/gender mod allows a user to get admin privilege
29th Jul 2002 [SBWID-5562]
COMMAND

	phpBB/gender mod allows a user to get admin privilege

SYSTEMS AFFECTED

	phpbb2.x

PROBLEM

	langtuhaohoa caothuvolam [http://hackervn.net], [http://viethacker.net]
	says:
	

	

	######################################################################### 

	## Announcement:

	## Fix for the user privilege change bug in phpbb2.x

	## In phpBB with the official Gender Mod, this vuln allows a normal user

	## to set her/himself to become a forum administrator.

	##

	## Author: PTTrung

	## http://hackervn.net (caothuvolam) http://viethacker.net (langtuhaohoa)

	## trungonly@yahoo.com

	##

	## Description:

	## Gender Mod is a commonly used modification in official phpBB releases.

	## Unchecked posted values can add some SQL fields into the UPDATE sql command.

	## This affects the newest version 1.1.3.

	## If you assign the value: 'user_level = 1', you will have the ADMINISTRATOR

	## PRIVILEGE in forum.

	##

	## Exploit:

	## 1. Save the User Profile page into your disk to modify it offline.

	## 2. Add the correct full post action address (http://forum.victim.com/...):

	##   <FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post

	##      encType=multipart/form-data>

	## 3. Modify the HTML Form so that the input field "gender" has value like:

	##   <input type=text name=gender value="0, user_level = 1 ">

	## 4. Load this page in the same browser window where the cookie is still available.

	## Take care all your works to hide the tracking of your hacking and finally hit Submit

	## to change user profile. You've done.

	##

	## Patch:

	## File To Patch: 

	## forumroot/includes/usercp_register.php

	##

	## Note.

	## The phpBB team has also been emailed about this problem.

	## 

	######################################################################### 

	

	# Patch

	#

	#-----[ OPEN ]------------------------------------------ 

	# 

	    forumroot/includes/usercp_register.php

	

	# 

	#-----[ FIND ]------------------------------------------ 

	# 

	

		$gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS['gender'] : 0;

	

	# 

	#-----[ REPLACE AS ]------------------------------------ 

	# 

	

		$gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval($HTTP_POST_VARS['gender']) : 0;

	

	# 

	#-----[ SAVE/CLOSE/UPLOAD THIS FILE ]------------------- 

	# 

	# EoP 

	

SOLUTION

	File To Patch:
	

	forumroot/includes/usercp_register.php

	

	

	Patch available ?
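
	The flaw and the intval() fix described above, as an added example that is not part of the advisory or of phpBB's or the Gender Mod's code. A constructed in-memory SQLite table stands in for the forum's users table; the table name, the user_gender column and the 0-2 gender range are assumptions, and the script needs PHP's pdo_sqlite extension.

```php
<?php
// Added illustration: a constructed stand-in, not phpBB or Gender Mod code.
// Table name, user_gender and the 0..2 range are assumptions; user_level
// and the posted value come from the advisory.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY,
                                   user_gender INTEGER, user_level INTEGER)');
    $db->exec('INSERT INTO users VALUES (2, 0, 0)'); // ordinary member, level 0
    return $db;
}

// Pattern the advisory describes: the posted value is pasted unquoted into
// the SET list of an UPDATE, so a comma in it starts a second assignment.
function update_gender_unchecked(PDO $db, int $uid, $posted): void {
    $db->exec("UPDATE users SET user_gender = $posted WHERE user_id = $uid");
}

// The advisory's fix (intval), plus a range check and bound parameters so
// the value can never be parsed as SQL.
function update_gender_checked(PDO $db, int $uid, $posted): void {
    $gender = intval($posted);
    if ($gender < 0 || $gender > 2) {
        $gender = 0;
    }
    $st = $db->prepare('UPDATE users SET user_gender = :g WHERE user_id = :id');
    $st->execute([':g' => $gender, ':id' => $uid]);
}

function user_level(PDO $db, int $uid): int {
    $st = $db->prepare('SELECT user_level FROM users WHERE user_id = :id');
    $st->execute([':id' => $uid]);
    return (int) $st->fetchColumn();
}

$posted = '0, user_level = 1 '; // the field value from the advisory's step 3

$db = make_db();
update_gender_unchecked($db, 2, $posted);
echo 'unchecked: user_level = ', user_level($db, 2), "\n";

$db = make_db();
update_gender_checked($db, 2, $posted);
echo 'checked:   user_level = ', user_level($db, 2), "\n";
```

	With the unchecked function the member's user_level is rewritten by the extra assignment; with the checked one intval() reduces the posted string to 0 and user_level is left untouched.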
