phpBB Code EXEC (v2.0.10)
_ _ ______ _
| | | | | _ \ | |
| |_| | _____ __ | | | |__ _ _ __| | __
| _ |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V V / | |/ / (_| | | | <
\_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\
http://www.howdark.com
----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------
Author: How Dark
Date: October 1, 2004
URL: http://www.howdark.com
Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com
Attack: SQL Injection, allowing people to minipulate the query
into pulling data
they should not previously be able too obtain. (Such as
passwords)
Arbituary EXEC allows you, if you can get on to a new
line, to execute
your own PHP, which can be fatal.
Description: Because of the way urldecode and magic quotes works,
it turns %2527 into %27, which is a single quote, and it
leaves it unslashed. This gives you a SQL Injection,
leading
to arbituary PHP exec hole. But because you can't get
outside
preg_replace because of magic quotes, this is very very
useless.
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------
Highlighting %2527 on any topic.
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------
viewtopic.php?t=1&highlight=%2527
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// Error
----------------------------------------------------------------------------------------------------------------------------------
Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp
code on line 1
Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST
TEXT HERE<') in viewtopic.php on line 1109
---------------------------------------------------------------------------------------------------------
xxx
;eof