From:	 <kill-9@modernhackers.com>
To:	 bugtraq@securityfocus.com
Subject: Easily and Remotely Pipe a Covert Shell on phpBB version 1.4.0 and below
Date:	 10 Aug 2001 07:20:48 -0000

note to editors: please leave all links intact.
###################################################
Easily and Remotely Pipe a Covert Shell on phpBB 
version 1.4.0 and below

found and written by: kill-9@modernhacker.com
http://www.modernhacker.com



phpBB is an open source bulletin board created by the phpBB Group (phpbb.com). Versions 1.4.0 and below are vulnerable to an input validation attack that allows an attacker to execute arbitrary PHP code on the server. This leads to disclosure of all user account information, access to the admin panel, and a simulated covert shell on the server running phpBB, with the privileges of the web server process. From there a user may attempt to elevate his privileges on the system.

The problem is that prefs.php does not validate the user's language selection. The preferences form offers the available languages in a drop-down box, but whatever value arrives in the lang parameter is saved to the database unchecked. On every later request auth.php reads the stored selection back and uses it, unvalidated, to build the name of the language file to include.

<example code from auth.php>

// Include the appropriate language file.
if(!strstr($PHP_SELF, "admin"))
{
   include('language/lang_'.$default_lang.'.'.$phpEx);
}
else
{
   if(strstr($PHP_SELF, "topicadmin")) {
     include('language/lang_'.$default_lang.'.'.$phpEx);
   } else {
     include('../language/lang_'.$default_lang.'.'.$phpEx);
   }
}
</end example code>

If a user supplies an invalid language value, no language file is included at all, and none of the variables it would have defined exist. This matters because several of those variables are later passed through eval(). With PHP's register_globals enabled, which phpBB 1.x relies on (note that the exploit below sets $save by passing save=1 in the query string), any request parameter becomes a global variable of the same name. A user can therefore supply his own value for one of these variables in the URL, and it will be eval'ed whenever no language file has been included to overwrite it.

Such a situation exists in page_header.php: if a registered user has a private message in his box, the $l_privnotify variable, which the language file is supposed to define, is passed through eval() and is therefore processed as arbitrary PHP code.


<example code from page_header.php>

if ($new_message != 0)
{
	eval($l_privnotify);
	print $privnotify;
}

</end example code>
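The following is an added example, not phpBB's own code and not part of the original advisory. It condenses the prefs.php -> auth.php -> page_header.php chain described above into one script so the two conditions can be seen together (an unvalidated language value that matches no file, and a register_globals-supplied variable reaching eval()), and then shows a hardened form. The in-memory $LANG_FILES map stands in for the real language/lang_*.php files, extract() stands in for register_globals, and render_vulnerable(), valid_lang() and render_hardened() are names invented for this example.

```php
<?php
// Added example, not phpBB's own code: a minimal stand-in for the
// prefs.php -> auth.php -> page_header.php chain, shown vulnerable and
// then hardened. $LANG_FILES, render_vulnerable(), valid_lang() and
// render_hardened() are names invented for this example.

// Constructed stand-in for language/lang_<name>.php. A real language file
// defines $l_privnotify as a PHP snippet that page_header.php eval()s later,
// so that $new_message can be interpolated at render time.
$LANG_FILES = [
    'english' => '$l_privnotify = \'$privnotify = "You have " . $new_message . " new message(s)";\';',
];

// Vulnerable: mirrors phpBB 1.4.0 under PHP 4 with register_globals=On.
// extract($request) reproduces register_globals: every query/POST parameter
// appears in scope as a variable of the same name, $l_privnotify included.
function render_vulnerable(string $default_lang, array $request, int $new_message): string
{
    global $LANG_FILES;
    extract($request);
    // auth.php: include('language/lang_'.$default_lang.'.'.$phpEx);
    // A stored value such as "../../" matches no file, so nothing is defined here.
    if (isset($LANG_FILES[$default_lang])) {
        eval($LANG_FILES[$default_lang]);
    }
    // page_header.php: eval($l_privnotify); print $privnotify;
    if ($new_message != 0 && isset($l_privnotify)) {
        eval($l_privnotify);   // attacker-controlled whenever no language file was loaded
        return (string) ($privnotify ?? '');
    }
    return '';
}

// Hardened, two independent fixes:
// (1) the language name is validated against an allow-list before it is ever
//     used in a path (do this at save time in prefs.php and again before the include);
// (2) no request-reachable variable is passed to eval(): the notice is a plain
//     string template filled in with sprintf().
function valid_lang(string $lang): string
{
    global $LANG_FILES;
    return (preg_match('/^[a-z]+\z/', $lang) && isset($LANG_FILES[$lang])) ? $lang : 'english';
}

function render_hardened(string $default_lang, array $request, int $new_message): string
{
    $templates = ['english' => 'You have %d new message(s)'];  // strings as data, not code
    $lang = valid_lang($default_lang);
    return $new_message != 0 ? sprintf($templates[$lang], $new_message) : '';
}

// Demo with a constructed payload; on 1.4.0 this is what arrives through
// prefs.php?l_privnotify=<payload> once the language has been set to a bogus value.
$attack = ['l_privnotify' => '$privnotify = "attacker code ran as " . get_current_user();'];
echo render_vulnerable('english', $attack, 1), "\n";  // language file wins: ordinary notice
echo render_vulnerable('../../', $attack, 1), "\n";   // no language file: the payload is eval()ed
echo render_hardened('../../', $attack, 1), "\n";     // falls back to english, nothing eval()ed
```

Either fix on its own closes this particular path: validating the language name means a file is always included and $l_privnotify is always overwritten, and removing eval() means an attacker-supplied $l_privnotify is just an unused string. Both are worth doing, since the allow-list also stops the value from being used in a path and the eval() removal holds even if register_globals delivers some other variable the language file does not define.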


I have provided code for testing purposes that will 
pipe back a covert shell to a netcat listener. Use the 
backdoor edition, and set the variable to l_privnotify.


Summary:

1. Register an account on phpBB 1.4.0 or any older 
version and login.

2. Enter the following URL to change the language to an invalid one: prefs.php?HTTP_POST_VARS[save]=1&save=1&viewemail=1&lang=../../

3. Send yourself a private message.

4. Set the first part of the vhak backdoor edition 
to: "prefs.php?l_privnotify=" and you will gain an 
interactive shell to the system. It can be found at: 
http://www.modernhacker.com/vhak.php 

You may only use vhak for the legal purpose of 
testing your own board for this vulnerability.
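The four steps above leave a recognisable trail in the web server's access log: a request to prefs.php whose lang value is not a plain language name, and a later request that passes an l_* language variable as a parameter. The script below is an added example, not part of the advisory, that scans access-log lines for those two shapes (and for a superglobal array such as HTTP_POST_VARS being passed as a parameter, which only makes sense when abusing register_globals). The log lines are constructed for the demo, and suspicious_requests() is this example's own name.

```php
<?php
// Added example (not part of the advisory): scan web-server access-log lines
// for the request shapes the advisory's steps produce. The log lines are
// constructed for this demo and suspicious_requests() is this example's own name.

$LOG = <<<'LOG'
203.0.113.5 - - [10/Aug/2001:07:20:48 +0000] "GET /phpBB/prefs.php?HTTP_POST_VARS[save]=1&save=1&viewemail=1&lang=../../ HTTP/1.0" 200 1532
203.0.113.5 - - [10/Aug/2001:07:21:10 +0000] "POST /phpBB/privmsg.php HTTP/1.0" 200 2210
203.0.113.5 - - [10/Aug/2001:07:21:30 +0000] "GET /phpBB/prefs.php?l_privnotify=%24privnotify%3D%22x%22%3B HTTP/1.0" 200 982
198.51.100.7 - - [10/Aug/2001:08:00:01 +0000] "GET /phpBB/prefs.php?save=1&lang=french HTTP/1.0" 200 1511
LOG;

function suspicious_requests(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Pull the request target out of the quoted "METHOD /path?query HTTP/x.y" field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;   // no query string, nothing for register_globals to pick up
        }
        parse_str($query, $params);  // %xx-decodes and builds arrays for [] keys, as PHP itself would
        $reasons = [];
        // A language name that is not a bare word cannot name a real lang_*.php file.
        if (isset($params['lang'])
            && (!is_string($params['lang']) || !preg_match('/^[a-z]+\z/', $params['lang']))) {
            $reasons[] = 'lang is not a plain language name';
        }
        foreach (array_keys($params) as $key) {
            $key = (string) $key;
            // Language-file variables are never legitimate request parameters.
            if (strncmp($key, 'l_', 2) === 0) {
                $reasons[] = "language variable $key supplied in the request";
            }
            // Setting a superglobal array from the URL only makes sense when abusing register_globals.
            if ($key === 'HTTP_POST_VARS' || $key === 'HTTP_GET_VARS') {
                $reasons[] = "$key passed as a request parameter";
            }
        }
        if ($reasons) {
            $hits[] = ['line' => $line, 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (suspicious_requests($LOG) as $hit) {
    echo $hit['line'], "\n    ", implode("\n    ", $hit['reasons']), "\n";
}
```

Of the four constructed lines, the first and third are flagged (bogus lang plus HTTP_POST_VARS, and l_privnotify respectively); the private-message POST and the ordinary lang=french change are not. The check is deliberately on the decoded parameters rather than on raw substrings, so URL-encoded variants of the same requests are caught as well.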


Note: the phpBB team has known about this vulnerability and failed to alert the public. Their acknowledgement is seen in the 1.4.1 source code comments.

###################################################