| Author |
Message |
KrAzYwHiTeBoY
Private


Joined: May 26, 2003
Posts: 47
|
Posted:
Mon Nov 10, 2003 11:35 pm |
  |
phpBB Input Validation Flaw in 'profile.php' Lets Remote Users Inject SQL Commands found on 11/8/03
The report indicates that version 2.0.7 is not affected. But all prior versions are affected.
http://www.securitytracker.com/alerts/2003/Nov/1008125.html
Has there been a released fix for this yet here on NC?? |
|
|
   |
 |
Daniel-cmw
Site Admin


Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
|
Posted:
Tue Nov 11, 2003 3:11 am |
  |
We are aware and are working on it.
See the front page for news on this that was posted yesterday. |
_________________ Read Me |
|
   |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Wed Nov 12, 2003 3:32 am |
  |
|
   |
 |
Daniel-cmw
Site Admin


Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
|
Posted:
Wed Nov 12, 2003 5:32 am |
  |
From our test we found that the fix stated didn't actually work well. I think.
IACOJ will be able to say a little more on this than me. |
|
   |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Wed Nov 12, 2003 2:44 pm |
  |
Hi all,
Thank you for the update Daniel-cmw. Where would the nukecops fix for this security issue be posted on the web site? I have looked at the code that is at issue and it scares me to think it's that exposed to attack!!
Best regards
Zanis |
|
|
   |
 |
Daniel-cmw
Site Admin


Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
|
Posted:
Thu Nov 13, 2003 5:05 am |
  |
It will be posted in the news on the main page of this site.
For a temp fix, chmod the folder /modules/Forums/admin to 000.
This means nobody will be able to access it, even you, until it is chmod back again. |
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Nov 13, 2003 4:48 pm |
  |
Yes, it's a tough week this one. The main coders, myself and chatserv are out of commission. CS has been gone for a couple weeks now unfortunately. I'm out this week due to Cisco training, not to mention IACOJ are working on starting our lives together. IACOJ is another main coder along with mikem, and they were working on this bug with the rest of our support staff. However... it's a real bad week for us all.
I'll be free again this weekend.
But let me state... I am not completely satisfied with this new exploit. I ran some tests earlier in the week without any successful break-ins.
What does this mean?
Well, we really don't have a working valid exploit. This means we really don't have anything to "patch" correctly.
We're inspecting all code, and testing what we can. This is why our patch is late in going public, because we don't really have the actual exploit.
Now if someone would care to share that with us, it would greatly improve our patch release time. |
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki] |
|
     |
 |
KrAzYwHiTeBoY
Private


Joined: May 26, 2003
Posts: 47
|
Posted:
Thu Nov 13, 2003 6:34 pm |
  |
Well, this is all I know on it..
| Code: |
Example:
http://www.example.com/forum/profile.php?mode=viewprofile&u=2
This URL shows the information for the user with the uid = 2 (the uid is a number assigned to users in phpBB). The content of the 'u' variable isn't filtered for malicious contents.
An attacker could inject arbitrary SQL commands into the system's database.
Example:
http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]
|
This is the best example I can give ya, zhen |
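
A way to check a site's access log for requests that put anything other than a number in the `u` parameter described in the post above. This is an added example, not part of the original posts and not Nuke Cops or phpBB code. It assumes common/combined log format and that PHP-Nuke reaches the same script as `modules.php?name=Forums&file=profile`; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target of a common/combined-format log line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLAIN_INT = re.compile(r"-?\d{1,10}")  # what a user id should look like

def is_profile_view(path, query):
    """True for phpBB's profile.php?mode=viewprofile, standalone or
    (assumption) via PHP-Nuke's modules.php?name=Forums&file=profile."""
    if "viewprofile" not in query.get("mode", []):
        return False
    script = path.rsplit("/", 1)[-1].lower()
    if script == "profile.php":
        return True
    return script == "modules.php" and "profile" in query.get("file", [])

def suspicious_profile_requests(lines):
    """Return (client, decoded_u) for every viewprofile request whose
    'u' parameter is anything other than a plain integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query, keep_blank_values=True)
        if not is_profile_view(url.path, query):
            continue
        # parse_qs percent-decodes, so %27 is seen as a quote character.
        for value in query.get("u", []):
            if not PLAIN_INT.fullmatch(value):
                hits.append((client, value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2003:18:34:01 +0000] "GET /forum/profile.php?mode=viewprofile&u=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [13/Nov/2003:18:35:12 +0000] "GET /profile.php?mode=viewprofile&u=%27%5Bsqlcode%5D HTTP/1.1" 200 312',
    '192.0.2.44 - - [13/Nov/2003:18:35:40 +0000] "GET /modules.php?name=Forums&file=profile&mode=viewprofile&u=2%27 HTTP/1.1" 200 298',
    '192.0.2.10 - - [13/Nov/2003:18:36:02 +0000] "GET /profile.php?mode=editprofile HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, value in suspicious_profile_requests(SAMPLE_LOG):
        print(f"{client} sent non-numeric u={value!r}")
```

Only values arriving in the query string are seen here; a `u` sent in a POST body does not appear in a standard access log.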
|
|
   |
 |
Daniel-cmw
Site Admin


Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
|
Posted:
Fri Nov 14, 2003 3:13 am |
  |
I have tried hacking my production site and numerous test sites on my PC with no luck.
I'll have another go in a minute but as yet that method doesn't seem to do a thing with nuke. |
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Fri Nov 14, 2003 6:36 pm |
  |
Yes that is all we have too, but we are unable, like Daniel said, to duplicate it. |
|
     |
 |
|
|