phpBB Code EXEC (v2.0.10)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBB Code EXEC (v2.0.10)
From: jessica soules <admin@xxxxxxxxxxx>
Date: 13 Nov 2004 03:05:42 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


 _   _                ______           _    
| | | |               |  _  \         | |   
| |_| | _____      __ | | | |__ _ _ __| | __
|  _  |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V  V /  | |/ / (_| | |  |   < 
\_| |_/\___/ \_/\_/   |___/ \__,_|_|  |_|\_\
http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date:   October 1, 2004
URL:    http://www.howdark.com

Affected Software:              phpBB 2
Software Version:               2.0.* - 2.0.10
Software URL:           http://www.phpbb.com

Attack:                 SQL Injection, allowing people to minipulate the query 
into pulling data
                        they should not previously be able too obtain. (Such as 
passwords)
                        Arbituary EXEC allows you, if you can get on to a new 
line, to execute
                        your own PHP, which can be fatal.

Description:            Because of the way urldecode and magic quotes works,
                        it turns %2527 into %27, which is a single quote, and it
                        leaves it unslashed. This gives you a SQL Injection, 
leading
                        to arbituary PHP exec hole. But because you can't get 
outside
                        preg_replace because of magic quotes, this is very very 
useless.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

Highlighting %2527 on any topic.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

viewtopic.php?t=1&highlight=%2527

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Error
----------------------------------------------------------------------------------------------------------------------------------

Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp 
code on line 1

Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST 
TEXT HERE<') in viewtopic.php on line 1109

---------------------------------------------------------------------------------------------------------

xxx

;eof

Prev by Date: SQL Injection in phpBT (bug.php)
Next by Date: [USN-24-1] openssl script vulnerability
Previous by thread: SQL Injection in phpBT (bug.php)
Next by thread: Re: phpBB Code EXEC (v2.0.10)
Index(es):
- Date
- Thread