COMMAND

    phpBB

SYSTEMS AFFECTED

    phpBB version 1.4.0 and below

PROBLEM

    'kill-9' found the following.  phpBB is an open source bulletin board
    created by the phpBB Group (phpbb.com).  Versions 1.4.0 and below are
    vulnerable to an input validation flaw that allows an attacker to run
    arbitrary PHP code on the server.  This leads to disclosure of all user
    account information, access to the admin panel, and a covert shell on
    the server running phpBB, from which the attacker may then attempt to
    elevate his privileges on the system.

    The problem is that prefs.php does not properly check the user's
    language selection.  The language is chosen from a drop-down box and
    saved in the database as-is, and on every page request auth.php uses
    the stored value to build the name of the language file it includes.

    Example code from auth.php:

        // Include the appropriate language file.
        if(!strstr($PHP_SELF, "admin"))
        {
           include('language/lang_'.$default_lang.'.'.$phpEx);
        }
        else
        {
           if(strstr($PHP_SELF, "topicadmin")) {
              include('language/lang_'.$default_lang.'.'.$phpEx);
           } else {
              include('../language/lang_'.$default_lang.'.'.$phpEx);
           }
        }

    If a user has stored an invalid language value, no language file is
    included at all, and the request still proceeds.  This is very bad
    because several important variables that the language file is
    supposed to define are later passed through eval().  Since PHP's
    register_globals turns request parameters into global variables, a
    user can supply such a variable himself in the URL, and it will be
    eval'ed whenever no language file was included to define it.

    One such situation is in page_header.php: if a registered user has a
    private message in his box, the $l_privnotify variable that the
    language file is supposed to define is passed through eval(), so an
    attacker-supplied value is executed as arbitrary PHP code.

    Example code from page_header.php:

        if ($new_message != 0)
        {
            eval($l_privnotify);
            print $privnotify;
        }
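    The following is an added example, not code from the advisory or from
    phpBB.  It reproduces the pattern described above (an unchecked
    language name used in include(), then eval() of a variable that only
    the language file is supposed to define) and puts a hardened version
    beside it: the language name is validated against the language files
    actually installed, the page fails closed when the file is missing,
    and request data cannot reach the eval()'d variable.  The temporary
    language directory, its two language files and the request array are
    constructed for the demo; extract() stands in for register_globals.

```php
<?php
// Added example, not phpBB's code.  Vulnerable include()/eval() pattern
// from auth.php + page_header.php next to a hardened version.  The temp
// language directory, language files and request array are constructed
// for the demo; extract() stands in for register_globals.

$dir = sys_get_temp_dir() . '/phpbb_lang_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
// As in phpBB, each language file defines $l_privnotify as a PHP statement
// that page_header.php later eval()s to produce $privnotify.
file_put_contents($dir . '/lang_english.php',
    "<?php \$l_privnotify = '\$privnotify = \"You have a new private message\";';\n");
file_put_contents($dir . '/lang_french.php',
    "<?php \$l_privnotify = '\$privnotify = \"Vous avez un nouveau message\";';\n");

// Vulnerable pattern.  $default_lang is the user's stored preference.  When
// no file matches, the include fails, nothing defines $l_privnotify, and
// whatever the request supplied under that name is eval()'d.
function vulnerable_notify($dir, $default_lang, $request)
{
    extract($request);                                   // register_globals stand-in
    @include($dir . '/lang_' . $default_lang . '.php');  // silently fails for "../../"
    $privnotify = '';
    if (isset($l_privnotify)) {
        eval($l_privnotify);
    }
    return $privnotify;
}

// Hardened pattern: the name is checked against the language files actually
// installed, the page fails closed when the file is missing, and request
// data cannot reach $l_privnotify at all.
function allowed_languages($dir)
{
    $langs = array();
    $files = glob($dir . '/lang_*.php');
    if ($files === false) {
        $files = array();
    }
    foreach ($files as $path) {
        $langs[] = substr(basename($path, '.php'), strlen('lang_'));
    }
    return $langs;
}

function safe_notify($dir, $default_lang)
{
    // Letters, digits and underscore only (no "../", quotes or NUL bytes),
    // and the name must correspond to an installed language file.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $default_lang)
        || !in_array($default_lang, allowed_languages($dir), true)) {
        $default_lang = 'english';
    }
    $file = $dir . '/lang_' . $default_lang . '.php';
    if (!is_file($file)) {
        return 'error: language file missing';   // fail closed, do not render
    }
    $l_privnotify = null;   // nothing but the trusted file below can set this
    include($file);
    if ($l_privnotify === null) {
        return 'error: language file defines no $l_privnotify';
    }
    $privnotify = '';
    eval($l_privnotify);    // only ever the string from the installed file
    return $privnotify;
}

// Demo: the attacker's request carries its own $l_privnotify.  With an
// invalid language the vulnerable path executes it; the hardened path never
// sees request data and falls back to a valid language instead.
$attack = array('l_privnotify' => '$privnotify = "attacker-supplied code ran";');
echo "vulnerable, lang=../../ : ", vulnerable_notify($dir, '../../', $attack), "\n";
echo "vulnerable, lang=english: ", vulnerable_notify($dir, 'english', $attack), "\n";
echo "hardened,   lang=../../ : ", safe_notify($dir, '../../'), "\n";
echo "hardened,   lang=french : ", safe_notify($dir, 'french'), "\n";
```

    Run it with the php command-line interpreter.  The first vulnerable
    call shows the attacker's statement executing because the include
    of language/lang_../../.php failed; the second shows that a valid
    language file overrides the request-supplied variable, which is why
    the attack needs the invalid language stored first.  In the real
    code base the equivalent of the "$l_privnotify = null" line has to
    run at global scope before the include in auth.php, since with
    register_globals the variable is already global by the time the
    script starts.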

    'kill-9' has provided code for testing purposes that will pipe back a
    covert shell to a netcat listener.  Use the backdoor edition and set
    the variable name to l_privnotify.

    To reproduce:

    1. Register an account on phpBB 1.4.0 or any older version and log in.
    2. Enter the following URL to change your language to an invalid one:

         prefs.php?HTTP_POST_VARS[save]=1&save=1&viewemail=1&lang=../../

    3. Send yourself a private message.
    4. Set the first part of the vhak backdoor edition to
       "prefs.php?l_privnotify=" and you will gain an interactive shell
       on the system.  It can be found at:

         http://www.modernhacker.com/vhak.php

    You may only use vhak for the legal purpose of testing your own board
    for this vulnerability.
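    The following is an added example, not part of the advisory or of
    phpBB: a small detector for the reproduction steps above, run over
    constructed Apache combined-log lines.  It flags prefs.php requests
    whose lang value is not a plain language name, and any request at all
    that carries an l_privnotify parameter, which a legitimate client
    never sends.  The hosts, timestamps, paths and the print(1) payload in
    the sample lines are made up for the demo.

```php
<?php
// Added example, not part of the advisory.  Detects the two-step attack
// (store an invalid language, then supply l_privnotify) in web server
// access logs.  The sample log lines below are constructed for the demo.

$sample_log = array(
    '10.0.0.5 - - [12/Jul/2001:10:01:02 +0000] "GET /phpBB/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [12/Jul/2001:10:01:40 +0000] "GET /phpBB/prefs.php?HTTP_POST_VARS[save]=1&save=1&viewemail=1&lang=../../ HTTP/1.0" 200 311 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [12/Jul/2001:10:02:15 +0000] "GET /phpBB/prefs.php?l_privnotify=print(1)%3B HTTP/1.0" 200 311 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [12/Jul/2001:10:03:00 +0000] "GET /phpBB/prefs.php?save=1&lang=french HTTP/1.0" 200 311 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [12/Jul/2001:10:03:30 +0000] "POST /phpBB/privmsg.php HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
);

// Pull the request target out of a combined-log line and split it into the
// script name and the URL-decoded query parameters.
function parse_request($line)
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[1]);
    if ($parts === false) {
        return null;
    }
    $query = array();
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    return array(
        'script' => basename(isset($parts['path']) ? $parts['path'] : ''),
        'query'  => $query,
    );
}

// Findings for one log line; an empty array means nothing suspicious.
function check_line($line)
{
    $findings = array();
    $req = parse_request($line);
    if ($req === null) {
        return $findings;
    }
    $q = $req['query'];
    // Step 2 of the attack: prefs.php storing a language that cannot be a
    // file name component (anything beyond letters, digits, underscore).
    if ($req['script'] === 'prefs.php' && isset($q['lang']) && is_string($q['lang'])
        && !preg_match('/^[A-Za-z0-9_]+$/', $q['lang'])) {
        $findings[] = 'prefs.php sets an invalid language: ' . $q['lang'];
    }
    // Step 4: the eval()'d variable arriving from the client.  Checked on
    // every script, since register_globals applies to all of them.
    if (array_key_exists('l_privnotify', $q)) {
        $findings[] = 'client supplied l_privnotify (eval() injection attempt)';
    }
    return $findings;
}

// Group findings by client address so the sequence stands out per host.
function scan_log(array $lines)
{
    $by_host = array();
    foreach ($lines as $line) {
        $findings = check_line($line);
        if (count($findings) === 0) {
            continue;
        }
        $host = strtok($line, ' ');
        if (!isset($by_host[$host])) {
            $by_host[$host] = array();
        }
        foreach ($findings as $f) {
            $by_host[$host][] = $f;
        }
    }
    return $by_host;
}

foreach (scan_log($sample_log) as $host => $findings) {
    echo $host, ":\n";
    foreach ($findings as $f) {
        echo "  - ", $f, "\n";
    }
}
```

    Two caveats for real use.  The l_privnotify check deliberately ignores
    the script name: register_globals applies to every request, so the
    variable can be supplied to any page that renders page_header.php, not
    only prefs.php.  And access logs do not contain POST bodies, so a
    language value submitted through the normal drop-down form will not
    show up here; audit the stored language values in the users table as
    well and treat anything that does not match an installed language file
    as suspect.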

SOLUTION

    The phpBB team has known about this vulnerability and failed to alert
    the public.  Their acknowledgement can be seen in the 1.4.1 source
    code comments.  Versions above 1.4.0 are not listed as affected, so
    upgrade.  Until then, make prefs.php accept only language names that
    match an installed language/lang_*.php file (letters, digits and
    underscores, no path separators), and make auth.php abort the request
    instead of continuing when the language file cannot be included, so
    that nothing undefined ever reaches eval().