RE: Want Some Opinions

[Replies] [Reply] [View by Thread] [Help]
[Back To Security]

Ker JeiAr

www.gulftech.org/images/brute.jpg

You are in my opinion absolutely right. but there is a bigger more serious issue.

1) There is a SQL Injection vuln in an admin module. Attacker #1 wants to take over the site but does not have admin access to exploit this vuln.

2) attacker #1 crafts a uri to exolit the issue and grant himself admin acess.

3) since attacker #1 does not have admin access he relies on phpBB's lack of session ID's to make a post that looks something like this

-----------------------

-----------------------

4) Now the attacker has done two things. Successfully executed a command or query just like he was an admin, and had the admin/mod delete his initial post just by viewing it thus eliminating the evidence.

I think if you see how flawed phpBB's logic of this situation is then email them and/or post on thier forum telling them you wanta SECURE php installation :)

GulfTech Security Research
SubScan 1.2

Replies:

phpBB 2.0.7a And Earlier Security Issues - Ker JeiAr 2004-03-22 04:23:47
- Some Fixes For These Issues - Ret. Ker JeiAr 2004-03-25 12:11:30
  - sweet man :) - LtKer Semper 2004-03-25 16:48:09
    - RE: sweet man :) - Ret. Ker JeiAr 2004-03-25 19:01:33
- Hmmmm ... - Ker JeiAr 2004-03-23 20:40:47
  - Hah. - Lt Obscurity 2004-03-24 03:17:41
- Want Some Opinions - Ker JeiAr 2004-03-23 05:18:00
  - RE: Want Some Opinions - Lt Obscurity 2004-03-23 07:46:48
    - I'm with you, they are on crack with this one... - Ret. Mar Ikioi 2004-03-23 11:00:34
      - RE: I'm with you, they are on crack with this one... - Ker JeiAr 2004-03-23 17:14:55
      - Development Teams Reply - Lt Obscurity 2004-03-23 14:19:18
        RE: Development Teams Reply - Ker JeiAr 2004-03-23 17:17:53
        RE: Development Teams Reply - Ker JeiAr 2004-03-23 17:31:30
        RE: Development Teams Reply - Lt Obscurity 2004-03-23 17:25:16
        RE: Development Teams Reply - Ker JeiAr 2004-03-23 17:33:40
        RE: Development Teams Reply - Lt Obscurity 2004-03-23 18:15:38
        RE: Development Teams Reply - Ker JeiAr 2004-03-23 19:39:35
        RE: Development Teams Reply - Lt Obscurity 2004-03-24 03:14:15
      - Posted to their forum... - Ret. Mar Ikioi 2004-03-23 11:37:22
        RE: Posted to their forum... - Ker JeiAr 2004-03-23 17:49:48
        Argh if someone could delete the post previous - Lt Obscurity 2004-03-23 11:50:55
        Done :) - Ret. Ker JeiAr 2004-03-24 05:31:16
        Hah thanks... - Lt Obscurity 2004-03-24 06:04:35
    - >RE: Want Some Opinions - Ker JeiAr 2004-03-23 08:05:01 <
      - To be honest... - Lt Obscurity 2004-03-23 08:21:38
        RE: To be honest... - Ker JeiAr 2004-03-23 08:32:53
        RE: To be honest... - Lt Obscurity 2004-03-23 08:40:09
        RE: To be honest... - Ker JeiAr 2004-03-23 08:54:05
        RE: To be honest... - Lt Obscurity 2004-03-23 09:07:57
        'respond' :D -nt- - LtKer Bastian 2004-03-23 11:16:40
        RE: To be honest... - Maj zaydana 2004-03-23 09:25:26
        GPL... just fork it. ;) -nt- - Ret. Mar Ikioi 2004-03-23 11:39:41
        Ikioi [more] - Lt Obscurity 2004-03-24 10:21:14

Guest:
Subject:
Message:	On 2004-03-23 08:05:01, JeiAr wrote >You are in my opinion absolutely right. but there is a bigger more serious issue. > >1) There is a SQL Injection vuln in an admin module. Attacker #1 wants to take over the site but does not have admin access to exploit this vuln. > >2) attacker #1 crafts a uri to exolit the issue and grant himself admin acess. > >3) since attacker #1 does not have admin access he relies on phpBB's lack of session ID's to make a post that looks something like this > >----------------------- >[img]malciousqueryoradmincommandhere[/img] >[img]thecommandtodeletethisposttoeliminateevidencehere[/img] >----------------------- > >4) Now the attacker has done two things. Successfully executed a command or query just like he was an admin, and had the admin/mod delete his initial post just by viewing it thus eliminating the evidence. > > >I think if you see how flawed phpBB's logic of this situation is then email them and/or post on thier forum telling them you wanta SECURE php installation :)
Signature:
Optional Image Link:
http://

CyberArmy::Forum v0.6
Generated In 0.01052 seconds