I respect all of your opinions and would like to hear your opinion if you have one.
Best Regards,
James
shaun2k2
Mar 21 2004, 07:51 PM
Great work JeiAr. I am a firm believer that *all* security bugs should be fixed - whether they are "serious", likely to be exploited, or otherwise. In my opinion, this handling of the situation (the vulnerability report) wasn't as good as it usually is by phpBB - just because the likelihood of exploitation isn't so high, it doesn't mean that leaving them is okay - for one thing, it just helps the gathering of bad code in the board, which could lead to more security issues.
Good work once again James
-Shaun.
extreme
Mar 21 2004, 08:23 PM
I am impressed. Good work mate.. I have to take a look at these SQL exploits.. Looks like it is a new era of hacking..
tweakz20
Mar 21 2004, 08:32 PM
pretty neat... looks fun to play with.. weee.... but it's amazing.. all of these php board vulnerabilities and nothing ever happens to THIS board lol
whisker
Mar 21 2004, 09:09 PM
JeiAR..
Wow..that's good work, man....they just released 2.0.7 to fix bugs ..under 2.0.6 and you've already found the bugs..hehehe...
Cheers for the info
JeiAr
Mar 22 2004, 02:49 AM
Thanks guys, whenever I am able to help people out it really makes this "hobby" I have feel worthwhile.
See, one thing that disappointed me was they say in regards to the session IDs that they protected the important files. Well if you grep with the -L switch you will see none of the admin files check for valid session AFAIK and only check to see if it is an admin. So you can trick an admin into running anything that gets its values from the GET method. Also, if magic_quotes_gpc is off you can have an admin dump user info into a textfile that you can later retrieve just by having them view an "image". I think I am going to take the GulfTech forums offline until these issues are fixed as we use phpBB. Here is an example that will dump the admin hash into a text file for later retrieval. An attacker could stick both the examples below in an image and also the command for deleting the post in an image and the post will be gone forever before the admin has any time to check the contents of the post.
admin_words.php?mode=edit&id=99 UNION SELECT 0,username,user_password FROM phpbb_users WHERE user_id=2 INTO OUTFILE '/www/full/path/out.txt'
admin_smilies.php?mode=edit&id=99 UNION SELECT 0,username,0,user_password FROM phpbb_users WHERE user_id=2 INTO OUTFILE '/www/full/path/out.txt'
migo
Mar 22 2004, 12:20 PM
What can I say, wonderful, absolutely wonderful
keep the good work m8
aapje
Mar 22 2004, 03:09 PM
thanks again,
I tried it (test forum), I put
CODE
www.host.com/phpBB2/admin/admin_words.php?mode=edit&id=99 UNION SELECT 0,username,user_password FROM phpbb_users WHERE user_id=2 INTO OUTFILE '/public_html/out.txt'
in a link, but nothing happens, I need to make a censored word first? public_html is the main dir, in which the phpBB2 dir is.
Thanks
XpProf
Mar 22 2004, 04:00 PM
I tried too but no result...
JeiAr
Mar 22 2004, 05:20 PM
QUOTE (aapje @ Mar 22 2004, 03:09 PM)
thanks again,
I tried it (test forum), I put
CODE
www.host.com/phpBB2/admin/admin_words.php?mode=edit&id=99 UNION SELECT 0,username,user_password FROM phpbb_users WHERE user_id=2 INTO OUTFILE '/public_html/out.txt'
in a link, but nothing happens, I need to make a censored word first? public_html is the main dir, in which the phpBB2 dir is.
Thanks
No, if you put the id of an actual word or smile (depending on which POC you use), the appropriate information will be returned instead of the username and hash.
And remember what I said, THAT example ONLY works when magic_quotes_gpc is OFF. Fortunately most (maybe a little more than half I have seen) have magic_quotes_gpc ON.
That's not the only thing you can do though, maybe you can use it to update your user_level to 1 which is admin, then you can download the entire phpBB database
JeiAr
Mar 23 2004, 04:57 AM
Have you guys seen this?
www.phpbb.com/phpBB/viewtopic.php?f=14&t=183098
QUOTE
psoTFX Development Team Leader
Joined: 03 Jul 2001 Posts: 8803 Location: Location? I don't need no stinking location ... Posted: Mon Mar 22, 2004 1:06 pm Post subject: Recent "multiple vulnerabilities" post to bugtraq
We've already had at least one email concerning this post to bugtraq, "Phpbb 2.0.7a And Earlier Secuity Issues" by "JeiAr <security@gulftech.org>".
As I made clear in correspondence with this user the issues raised are of very very low priority in mine and others opinions. I'll explain why ...
The issues noted concerning the admin scripts are effectively of no concern. To be able to take advantage of said vulnerabilities you must be an admin. If you're an admin why would you want to bother jumping through hoops to discover another users password? You could simply go in, set it to whatever you like and tada, off you go. I fail to see why a "shared hosting" environment increases the risks here. A board is tied to a database. I know of no host which gives all users the same database! Thus the admin of one board cannot use these issues to obtain information concerning another board.
The issue surrounding session_id checking in posting has been covered in public on this forum many times in the past. At one point we implemented checking in posting. We ended up with so many complaints from users who couldn't post because their sessions had expired (even after relevant workarounds had been tried) we removed it. Since then we've had absolutely no reports of problems. We retained session checking in areas like modcp to prevent "spoofing" of moderator functions from 3rd party sites or local links. This entire sequence of events was quite public and openly discussed here.
Thanks. _________________ Paul S. Owen - Development Team Leader phpBB 2.2 | Feature Requests | Snapshots | ACP <---- Support the London 2012 Olympic Bid ----> "To err is human, to screw up royally requires me!"
I think phpBB do a pretty good job with security, but I do not for the life of me understand this.
User #1 can put the link to an admin command into an image tag
Admin #1 views the malicious post and unknowingly issues an admin command and deletes the post with the bogus image thus eliminating the evidence.
Sure, the commands you can have an admin execute are limited to the ones that collect their data values via the GET method, but isn't that still a fairly serious issue? After reading that post, and their not replying to this email,
I am beginning to think either they are crazy or I am crazy. lol Nothing personal against them, I love phpBB, but I just do not see the logic. Invision Power Board, PostNuke, and many others REQUIRE session IDs or Auth keys with no problem and as a result are much more secure and do not allow users to trick admins into running commands.
Also, take for example the SQL injection vulnerability. A user cannot exploit this issue himself, but he can trick an admin into running a query just by viewing a malicious post. I just don't get why that is not seen as a big deal?
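An added example, not phpBB's own code, of the two controls this thread argues for (in JeiAr's first post and the last one): requiring the viewer's session id on admin actions so a link hidden in an image tag cannot issue them, and treating the id parameter as a bound integer instead of splicing it into the query. The session value, table layout, function names and request contents are all constructed for the demonstration.

```php
<?php
// Added example, not phpBB's own code: the two controls this thread asks for,
// applied to a hypothetical admin "edit word by id" handler.

// Constructed stand-in for the admin's server-side session (value is made up).
$session = ['sid' => 'a3f9c1d2e4b5f6a7'];

// Control 1: an admin action must carry the viewer's own session id.
// A link hidden in an [img] tag on a post cannot know this value, so the
// request is refused rather than executed with the admin's privileges.
function has_valid_session(array $get, array $session): bool {
    return isset($get['sid']) && hash_equals($session['sid'], (string) $get['sid']);
}

// Control 2: never splice the raw id into the SQL text. Requiring a plain
// integer and binding it as a parameter means "99 UNION SELECT ..." is
// rejected outright instead of being appended to the query.
function fetch_word(PDO $db, string $raw_id): ?array {
    if (!ctype_digit($raw_id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT word_id, word, replacement FROM phpbb_words WHERE word_id = :id');
    $stmt->bindValue(':id', (int) $raw_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Vulnerable shape the thread describes, for contrast only (do not use):
//   $sql = "... WHERE word_id = " . $HTTP_GET_VARS['id'];   // no session check, raw input in SQL

// Constructed in-memory table so the script runs locally.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE phpbb_words (word_id INTEGER PRIMARY KEY, word TEXT, replacement TEXT)');
$db->exec("INSERT INTO phpbb_words VALUES (1, 'foo', 'bar')");

// Two constructed requests: one forged via an image link, one from the admin's own UI.
$requests = [
    'forged'     => ['mode' => 'edit', 'id' => '99 UNION SELECT ...'],
    'legitimate' => ['mode' => 'edit', 'id' => '1', 'sid' => $session['sid']],
];
foreach ($requests as $label => $get) {
    if (!has_valid_session($get, $session)) {
        echo "$label: rejected, missing or wrong sid\n";
        continue;
    }
    $row = fetch_word($db, $get['id']);
    echo "$label: " . ($row ? json_encode($row) : 'rejected, id is not an integer') . "\n";
}
```

The forged request is refused by the session check before any SQL runs; even without that check, the non-integer id would be rejected by fetch_word rather than reaching the database.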