CVE-2005-0603 - Visional Missile

Description

viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax which reveals the path in a PHP error message.

Reference

http://neossecurity.net/Advisories/Advisory-06.txt http://www.phpbb.com/phpBB/viewtopic.php?t=267563 http://secunia.com/advisories/14413 http://marc.info/?l=bugtraq&m=110943646112950&w=2

Exploit

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603 ——————————————————– [N]eo [S]ecurity [T]eam [NST]® - Advisory #06 - 25/02/05 ——————————————————– Program: phpBB 2.0.12 Homepage: http://www.phpbb.com Vulnerable Versions: phpBB 2.0.12 & Lower versions Risk: Low Risk!! Impact: Full path disclosure

  -==phpBB 2.0.12 Full path disclosure==- ---------------------------------------------------------

• Description

  phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

• Tested

  localhost & many forums

• Explotation

  phpBB/viewtopic.php?p=6&highlight=[HaCkZaTaN]

It’ll come out something like this.

Warning: Compilation failed: missing terminating ] for character class at offset 20 in /home/nst/forum/viewtopic.php(1110) : regexp code on line 1

It’ll give a full path disclosure and also one thing that i noticed is that the posts change it doesn’t come out nothing. In the HighLight Variable

Here is the problem: —–[ Start Vuln Code ] ————————————

1106: if ($highlight_match) 1107: { 1108: // This was shamelessly ‘borrowed’ from volker at multiartstudio dot de 1109: // via php.net’s annotated manual 1110: $message = str_replace(‘"’, ‘”’,
substr(preg_replace(‘#(>(((?>([^><]+|(?R)))*)<))#se’, “preg_replace(‘#\b(“ .
$highlight_match . “)\b#i’, ‘<span style="color:#” . $theme[‘fontcolor3’] .
“">\\1</span>’, ‘\0’)”, ‘>’ . $message . ‘<’), 1, -1)); 1111: }

—–[ Ends Vulns Code ] ———————————— Don’t borrow stuff lol.

• Exploit

  Not Yet xD

• Solutions

  Not Yet xD

OK other thing that i noticed was in php.ini

magic_quotes_gpc = On magic_quotes_sybase = Off

you have to turn both of them ON

• References

  http://neossecurity.net/Advisories/Advisory-06.txt

• Credits

  Discovered by HaCkZaTaN [email protected]

[N]eo [S]ecurity [T]eam [NST]® - http://neossecurity.net/

Got Questions? http://neossecurity.net/

Irc.InfoGroup.cl #neosecurityteam

• Greets

       Paisterist
       T0wn3r
   Heap
       Nitrous
       CrashCool
       eL_mEsIaS
       Makoki
  
       And my Colombian people