Bug 83392 - www-apps/phpBB: Multiple vulnerabilities
Summary: www-apps/phpBB: Multiple vulnerabilities
Status: RESOLVED DUPLICATE of bug 82955
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B4? [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-26 10:11 UTC by Marco Morales
Modified: 2005-07-17 13:06 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Marco Morales 2005-02-26 10:11:42 UTC
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]? - Advisory #06 - 25/02/05
--------------------------------------------------------
Program:  phpBB 2.0.12
Homepage:  http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.12 & Lower versions
Risk: Low Risk!!
Impact: Full path disclosure

      -==phpBB 2.0.12 Full path disclosure==-
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

- Tested
---------------------------------------------------------
localhost & many forums

- Exploitation
---------------------------------------------------------
phpBB/viewtopic.php?p=6&highlight=\[HaCkZaTaN]

It'll come out something like this.

Warning: Compilation failed: missing terminating ] for
character class at offset 20 in /home/nst/forum/viewtopic.php(1110) :
regexp code on line 1

Here is the problem:
-----[ Start Vuln Code ] ------------------------------------

1106: if ($highlight_match)
1107: {
1108:     // This was shamelessly 'borrowed' from volker at multiartstudio dot de
1109:     // via php.net's annotated manual
1110:     $message = str_replace('\"', '"',
          substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" .
          $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] .
          "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
1111: }

-----[ Ends Vulns Code ] ------------------------------------
Don't borrow stuff lol.

- Exploit
---------------------------------------------------------
Not Yet xD

- Solutions
--------------------------------------------------------
Not Yet xD

OK other thing that i noticed was in php.ini

magic_quotes_gpc = On
magic_quotes_sybase = Off

you have to turn both of them ON

- References
--------------------------------------------------------
http://neossecurity.net/Advisories/Advisory-06.txt


Reproducible: Always
Steps to Reproduce:
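An added example (not phpBB's code and not part of the advisory or this bug report) that models the defect in the viewtopic.php excerpt above and shows a hardened form. The quoted code builds a second preg_replace() call as a PHP source string and runs it through the /e modifier, so the highlight term is decoded twice: once as a single-quoted PHP string literal, then as a regex. That is how a term such as `\[HaCkZaTaN]` ends up with an unterminated character class, and PCRE's compile warning then prints the absolute script path. The function names (build_highlight_pattern, decode_as_single_quoted_literal, pattern_compiles, highlight_message), the PHP 7.4+ requirement and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not phpBB's code. It models the defect in the viewtopic.php
// excerpt and shows the hardened form. Assumed (hypothetical) names:
// build_highlight_pattern(), decode_as_single_quoted_literal(),
// pattern_compiles(), highlight_message(). Requires PHP 7.4+.
declare(strict_types=1);

// Never let a PCRE compile warning reach the browser: the warning text carries
// the absolute script path (the "full path disclosure" in the advisory).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hardened pattern builder: each search term is escaped exactly once with
// preg_quote() (including the '#' delimiter), and the term count and length are
// capped so the regex engine's work stays bounded.
function build_highlight_pattern(string $highlight, int $maxTerms = 10, int $maxLen = 64): ?string
{
    $terms = preg_split('/\s+/', trim($highlight), -1, PREG_SPLIT_NO_EMPTY);
    $terms = array_filter($terms, fn(string $t): bool => strlen($t) <= $maxLen);
    $terms = array_slice($terms, 0, $maxTerms);
    if ($terms === []) {
        return null;
    }
    $quoted = array_map(fn(string $t): string => preg_quote($t, '#'), $terms);
    return '#\b(' . implode('|', $quoted) . ')\b#i';
}

// Model of what the quoted code's /e modifier does to the term: the already
// preg_quote()d text is pasted into a single-quoted PHP string literal and that
// literal is then evaluated, which consumes one level of backslashes. The
// escaping is therefore undone before PCRE ever sees the pattern.
function decode_as_single_quoted_literal(string $s): string
{
    return str_replace(['\\\\', "\\'"], ['\\', "'"], $s);
}

// Compile check with the warning suppressed; preg_match() returns false when
// the pattern does not compile.
function pattern_compiles(string $pattern): bool
{
    return @preg_match($pattern, '') !== false;
}

// Highlight only text outside HTML tags, using a replacement string instead of
// evaluated code; a regex failure leaves the message untouched.
function highlight_message(string $message, string $highlight): string
{
    $pattern = build_highlight_pattern($highlight);
    if ($pattern === null) {
        return $message;
    }
    $parts = preg_split('/(<[^>]*>)/', $message, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($part === '' || $part[0] === '<') {
            continue;
        }
        $done = preg_replace($pattern, '<span class="highlight">$1</span>', $part);
        if ($done === null) {
            return $message;
        }
        $parts[$i] = $done;
    }
    return implode('', $parts);
}

// --- demo with the query-string value quoted in the advisory (constructed) ---
$term = '\[HaCkZaTaN]';

// One level of escaping: a literal match that compiles.
var_dump(pattern_compiles(build_highlight_pattern($term)));

// Two levels (the /e nesting): "\\\[" collapses to "\\[", so "[" opens a
// character class that the following "\]" cannot close and compilation fails,
// which is the "missing terminating ]" warning shown in the advisory.
$nested = '#\b(' . decode_as_single_quoted_literal(preg_quote($term, '#')) . ')\b#i';
var_dump(pattern_compiles($nested));

// Raw interpolation would also let "." act as a wildcard; escaping removes it.
var_dump(preg_match('#\b(foo.bar)\b#i', 'fooXbar'));
var_dump(preg_match(build_highlight_pattern('foo.bar'), 'fooXbar'));
echo highlight_message('<p>see foo.bar today</p>', 'foo.bar'), "\n";
```

Two defensive points are separate here: preg_quote() applied once (with no evaluation layer behind it) keeps user terms literal, and display_errors=Off keeps any remaining PCRE failure out of the HTTP response, so a malformed pattern degrades to "no highlighting" rather than to a path leak.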
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-27 07:19:25 UTC
web-apps, pls bump

____

Secunia Advisory:	SA14362

CVE reference:	CAN-2005-0259 CAN-2005-0258

Description:
AnthraX101 has reported two vulnerabilities in phpBB, which can be exploited by malicious users to disclose and delete sensitive information.

1) An input validation error in the upload handling of avatars can be exploited to disclose arbitrary files by simultaneously requesting to upload an avatar from both a local and a remote source, and specifying a local path in the "Upload Avatar from a URL:" field.

Successful exploitation requires that "Enable remote avatars" and "Enable avatar uploading" are enabled (not default settings).

2) Input validation errors in "usercp_avatar.php" and "usercp_register.php" can in combination be exploited to delete arbitrary files via directory traversal attacks.

Successful exploitation requires that "Enable gallery avatars" is enabled (not default setting).

Some issues disclosing the full path to certain scripts have also been reported.

The vulnerabilities have been reported in version 2.0.11. Prior versions may also be affected.

Solution:
Update to version 2.0.12.
http://www.phpbb.com/downloads.php

Provided and/or discovered by:
AnthraX101

Changelog:
2005-02-23: Added information provided by iDEFENSE.

Original Advisory:
phpBB:
http://www.phpbb.com/phpBB/viewtopic.php?t=265423

iDEFENSE:
http://www.idefense.com/applicat...?id=204&type=vulnerabilities
http://www.idefense.com/applicat...?id=205&type=vulnerabilities

_____________
http://www.phpbb.com/phpBB/viewtopic.php?t=265423

# Added confirm table to admin_db_utilities.php
# Prevented full path display on critical messages
# Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
# Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
# Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
# Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
# Removed version number from powered by line
# Merged database update files to update_to_latest.php file
# Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
# Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer

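An added example (not phpBB's code and not part of this bug report) of the input checks that close the two avatar issues the Secunia text describes: a local path supplied in the "Upload Avatar from a URL:" field being read as a remote avatar, and a stored avatar name being used in a directory traversal unlink. The function names (validate_remote_avatar_url, select_avatar_source, resolve_avatar_path, delete_user_avatar), the PHP 7.4+ requirement and the temporary directory and sample values are assumptions made for this example.

```php
<?php
// Added example, not phpBB's code: input checks for the avatar code paths
// named in the Secunia advisory. Assumed (hypothetical) names:
// validate_remote_avatar_url(), select_avatar_source(), resolve_avatar_path(),
// delete_user_avatar(). Requires PHP 7.4+.
declare(strict_types=1);

// A "remote" avatar must really be remote: only http/https URLs with a host
// and an image extension pass, so a local path or file:// URL in the
// "Upload Avatar from a URL" field is rejected before anything is read.
function validate_remote_avatar_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $p['path'] ?? '')) {
        return null;
    }
    return $url;
}

// Exactly one source per request: a form that carries both an uploaded file
// and a URL is refused instead of letting one code path act on the other's input.
function select_avatar_source(bool $hasUploadedFile, string $remoteUrl): ?string
{
    $remoteUrl = trim($remoteUrl);
    if ($hasUploadedFile && $remoteUrl !== '') {
        return null;
    }
    if ($hasUploadedFile) {
        return 'upload';
    }
    return $remoteUrl !== '' ? 'remote' : null;
}

// Map a stored avatar name to a file that is provably inside the avatar
// directory. Anything else (traversal, absolute path, symlink escape, missing
// file) yields null, so unlink() can never reach outside the directory.
function resolve_avatar_path(string $avatarDir, string $name): ?string
{
    $base = realpath($avatarDir);
    if ($base === false) {
        return null;
    }
    // Plain file name only: no separators, no "..", permitted extension.
    if ($name !== basename($name) || !preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $name)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

function delete_user_avatar(string $avatarDir, string $name): bool
{
    $path = resolve_avatar_path($avatarDir, $name);
    return $path !== null && unlink($path);
}

// --- demo on a constructed temporary avatar directory ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'user42.png', 'constructed sample bytes');

var_dump(validate_remote_avatar_url('http://example.com/img/a.png'));   // accepted
var_dump(validate_remote_avatar_url('/home/nst/forum/viewtopic.php'));  // rejected: no scheme/host
var_dump(validate_remote_avatar_url('file:///etc/passwd'));             // rejected: scheme
var_dump(select_avatar_source(true, 'http://example.com/a.png'));       // rejected: both sources
var_dump(resolve_avatar_path($dir, 'user42.png'));                      // resolved inside $dir
var_dump(resolve_avatar_path($dir, '../../etc/passwd'));                // rejected: traversal
var_dump(delete_user_avatar($dir, 'user42.png'));                       // deleted
rmdir($dir);
```

The realpath() comparison is the part that matters for the unlink case: a whitelist regex on the name catches "../" but not a symlink planted inside the avatar directory, whereas checking the resolved path's prefix against the resolved base directory catches both.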
Comment 2 JG 2005-02-28 01:41:49 UTC
severity: critical

2.0.13 is out, which fixes this one and another critical security-related bug (session handling allowing everyone to gain administrator rights):

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

JG
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-28 02:21:11 UTC
oops... didn't see the dupe

*** This bug has been marked as a duplicate of 82955 ***