#1, December 25th, 2005, 1:11 PM (Registered User, joined Sep 2004)
PHPBB Remote Code Execution Vulnerability, affects 2.0.17 and below

I tried to post this to Critical Application Upgrades, but it seems that either something went wrong or I do not have the appropriate permissions. Anyway:

In case you don't know already, a new phpbb vulnerability has been discovered. Apparently there is a worm out there that takes advantage of this vulnerability, and yesterday a working exploit was published. All versions prior to 2.0.18 are affected.

Read more from phpbb.com: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=348139

More about the vulnerability/ies: http://www.hardened-php.net/advisory_172005.75.html

Quote:
[1] Within usercp_register.php the variable 'error_msg' is not
properly initialised and can therefore be used to inject
arbitrary HTML code

[2] Within login.php the variable 'forward_page' is not properly
initialised and can be used to inject arbitrary HTML code

[3] Within search.php the variable 'list_cat' is not properly
initialised and can be used to inject arbitrary HTML

[4] Within usercp_register.php the variable 'signature_bbcode_uid'
is not properly initialised and can be used for SQL injection
of arbitrary 'field=xxx' statements into queries operating
on the user table, when magic_quotes_gpc is turned off.

[5] The same variable [4] can be used to inject e.g. the 'e'
modifier into the first parameter of a preg_replace()
statement, which means that the second parameter is
evaluated as PHP code. Because the second parameter is
entirely filled with the user supplied signature, it is
possible to execute any PHP code. This can be exploited
no matter if magic_quotes_gpc is turned on or off, just
2 different code paths need to be triggered.
-- Sorccu
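Items [4] and [5] of the quoted advisory are easier to follow in code. The block below is an added illustration written for this page, not phpBB's own source and not the published exploit: it sketches a second-pass BBCode renderer of the shape the advisory describes, in which the bbcode uid taken from the request is interpolated unescaped into a preg_replace() pattern, next to a hardened version of the same function. The function names, the assumption that a bbcode uid is a 10-character hex token, and the sample signature are all inventions for the example.

```php
<?php
// Added illustration (not phpBB code) of the preg_replace() pattern injection
// described in items [4] and [5] of the hardened-php advisory.

// Vulnerable shape: $uid arrives straight from the request (phpBB's
// uninitialised $signature_bbcode_uid under register_globals) and is
// interpolated into the pattern with no validation or escaping.
function render_bold_vulnerable(string $signature, string $uid): string
{
    $pattern = "/\[b:$uid\](.*?)\[\/b:$uid\]/si";
    // An unescaped '/' inside $uid terminates the pattern early and turns the
    // rest into the modifier string. On PHP 5 (which still had the 'e'
    // modifier) an injected 'e' makes preg_replace() substitute \1 with the
    // captured signature text and pass the result to eval(), so the user
    // controls the code that runs. PHP 7+ removed 'e' entirely.
    return preg_replace($pattern, '<b>\1</b>', $signature);
}

// Hardened shape: validate the uid, escape it anyway, and use a callback so
// the replacement is data rather than evaluated code.
function render_bold_hardened(string $signature, string $uid): string
{
    // Assumption for this example: a bbcode uid is a short hex token.
    if (!preg_match('/^[0-9a-f]{10}$/', $uid)) {
        throw new InvalidArgumentException('malformed bbcode uid');
    }
    $q = preg_quote($uid, '/');   // defence in depth: no metacharacters reach PCRE
    return preg_replace_callback(
        "/\[b:$q\](.*?)\[\/b:$q\]/si",
        static fn(array $m): string => '<b>' . $m[1] . '</b>',
        $signature
    );
}

// Returns the exact pattern string the vulnerable function would hand to
// preg_replace() for a given uid, so it can be inspected without running it.
function pattern_for(string $uid): string
{
    return "/\[b:$uid\](.*?)\[\/b:$uid\]/si";
}

// Constructed sample input (hypothetical uid and signature).
$uid = 'a1b2c3d4e5';
$sig = "[b:$uid]hello[/b:$uid]";
echo render_bold_hardened($sig, $uid), "\n";   // <b>hello</b>

// An attacker-chosen uid that closes the pattern after one tag and appends
// an 'e' modifier. This shows only where the modifier lands; it is not the
// published exploit, which the thread says additionally needs PHP <= 5.0.5.
$crafted = 'x\]/e';
echo pattern_for($crafted), "\n";
// /\[b:x\]/e\](.*?)\[\/b:x\]/e\]/si  -> pattern "\[b:x\]", modifiers start with 'e'

try {
    render_bold_hardened($sig, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The hardened version removes the bug at three independent points: the uid is rejected unless it matches the expected token format, it is passed through preg_quote() so no delimiter or metacharacter can alter the pattern even if validation were wrong, and the replacement is produced by a callback, so nothing the user submitted can ever be handed to eval(). phpBB 2.0.18 addressed the advisory by initialising the affected variables; the checks above are the generic form of that fix, not the project's actual patch.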
#2, December 25th, 2005, 1:43 PM (Resident, joined Mar 2004, hosted on Pass 7)
http://www.surmunity.com/showpost.ph...44&postcount=4
__________________
Signature, quoting a removed post: "Internet Explorer rules."
-- David
#3, December 25th, 2005, 1:51 PM (Surpass Staff, Marketing Maven, joined May 2003)
I am speechless.
-- Kayla
#4, December 25th, 2005, 1:53 PM
I just moved everything around in there, made his post visible, stuckied it, unstuckied yours, etc.
-- David
#5, December 26th, 2005, 8:49 AM
You are so not going to like this, but I just noticed that I forgot to mention that the exploit only affects systems running PHP5 (<= 5.0.5). This requirement was mentioned in both the exploit and the advisory, but still, I should've made it clear. I'm very sorry for this.

However, WebDev customers might still be in danger (I do not know the exact version they're using), and dedicated server owners who are using a vulnerable version should be warned.

I would edit the Critical Application Upgrades thread to include "*** IF YOUR SERVER IS RUNNING PHP5 ***", but I can't.

My apologies. But hey, at least the panic is over!
-- Sorccu
#6, December 26th, 2005, 10:02 AM
Eh, don't worry about it. As long as it keeps people updated, I'm good with it.
-- David