
phpbb 2.0.13 Exploit (bug)



------------------------------------------------------------------------
# phpBB 2.0.13 failure to reset user level after failed exploit
# discovered By : tOnk3r 
# e-mail : m[at]spywire[dot]net
# date : 22-march-05
# shouts: pureone, spywire.net crew , and everybody i know!
# Versions affected : ALL versions up to and including 2.0.13
# status : vendor notified (phpbb)
------------------------------------------------------------------------


phpBB is a high powered, fully scalable, and highly customisable open-source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


This exploit is an extension of the phpBB 2.0.12 boolean exploit that
can be found here: http://www.spywire.net/forum/viewtopic.php?t=781 .

This exploit works because the login allows true boolean strings to 
be entered in place of the password hash and session id.
It allows an attacker to login as any user without having to enter
any authentication by editing a cookie and sending it back to the site.

The bug I discovered is a bug in the user privilege reset.
After trying to exploit a patched forum the user remains as admin, 
even though the forum is patched. The forum fails to reset the 
attacker's status to guest after a failed exploit.

The attacker is able to view invisible members and the "admin control
panel" link but is unable to navigate the forum as admin.

With some more investigation I'm certain a critical exploit can be found,
but so far I am unable to keep admin status after clicking another link.

'''''''''''''''''''''''''''
      ][=-tOnk3r-=][
'''''''''''''''''''''''''''

If you have any more info on this bug please notify me
either at m[at]spywire[dot]net
or at www.spywire.net/forum
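
The two weaknesses described in this advisory (a boolean accepted in place of the password hash, and user state not falling back to guest after a failed check), shown next to a hardened form. This is an added PHP illustration, not phpBB source and not the author's code; the function names, the `autologin` field and the sample hash are hypothetical, and it assumes the cookie has already been decoded into typed PHP values.

```php
<?php
// Added illustration; not phpBB source. All names are hypothetical.

// Weak check: loose comparison. PHP converts both sides to bool when one
// operand is a bool, so true == 'any non-empty hash' evaluates to true.
function check_loose($cookie_value, string $stored): bool
{
    return $cookie_value == $stored;
}

// Hardened check: reject anything that is not a string, then compare the
// two strings in constant time.
function check_strict($cookie_value, string $stored): bool
{
    return is_string($cookie_value) && hash_equals($stored, $cookie_value);
}

// Build the session state. The guest record is the default, and the claimed
// account's fields are copied in only after the check has passed, so a
// failed attempt leaves no admin-level data in the session.
function resolve_session(array $cookie, array $user, callable $check): array
{
    $guest = ['user_id' => null, 'level' => 'guest', 'logged_in' => false];
    $value = $cookie['autologin'] ?? null;
    if (!$check($value, $user['hash'])) {
        return $guest;
    }
    return ['user_id' => $user['id'], 'level' => $user['level'], 'logged_in' => true];
}

// Constructed sample data.
$user = ['id' => 2, 'level' => 'admin', 'hash' => md5('constructed-sample')];
$cases = [
    'correct hash' => ['autologin' => $user['hash']],
    'wrong hash'   => ['autologin' => 'deadbeef'],
    'boolean true' => ['autologin' => true],
    'missing'      => [],
];

foreach ($cases as $label => $cookie) {
    $loose  = resolve_session($cookie, $user, 'check_loose')['level'];
    $strict = resolve_session($cookie, $user, 'check_strict')['level'];
    printf("%-13s loose=%-5s strict=%s\n", $label, $loose, $strict);
}
```

Only the `boolean true` row differs between the two columns: the loose check grants the account's level, while the strict check returns the guest record.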