FYI: Gender Mod Allows Gaining Administrative Privile

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
User avatar
gawan
Registered User
Posts: 23
Joined: Sat Aug 11, 2001 10:01 pm

FYI: Gender Mod Allows Gaining Administrative Privile

Post by gawan »

Just to inform you about securityteam's report at http://www.securiteam.com/unixfocus/5ZP0N2K7PI.html
DPK
Registered User
Posts: 147
Joined: Thu Dec 20, 2001 5:02 am
Contact:

Post by DPK »

In phpBB with the official Gender Mod, there is a vulnerability that allows a normal user set her/himself to become a forum administrator.


Should be unofficial. :p
See those lights up in the distance? That's me; just try and catch up.
User avatar
gawan
Registered User
Posts: 23
Joined: Sat Aug 11, 2001 10:01 pm

Post by gawan »

Yep, I take it that all mods are unofficial but not without value in phpbb community.
R. U. Serious
Registered User
Posts: 830
Joined: Mon Feb 11, 2002 2:07 pm

Post by R. U. Serious »

It's really sad, that the one who found the exploit did not think it was necessary to inform the author. :-/

Also I am really suprised how this error slipped past the eyes of the validators, in spite of their great effort to prevent exactly this kind of thing.

:-/
Kanuck
Former Team Member
Posts: 2791
Joined: Thu Jul 05, 2001 9:33 pm
Location: Toronto, Ontario

Post by Kanuck »

It should be made very clear to everybody that we did not write this modification, and it's not phpBB that's at fault, it's only this MOD.

I've e-mailed SecuriTeam.com, asking them to update their posting to reflect that this is not an "official Gender Mod", but rather a third-party modification.
Kanuck
Former phpBB.com team member
User avatar
TC
Former Team Member
Posts: 3633
Joined: Tue Sep 25, 2001 7:23 pm
Location: Kµlt °ƒ Ø, working on my time machine

Post by TC »

R. U. Serious wrote: It's really sad, that the one who found the exploit did not think it was necessary to inform the author. :-/


pathetic, more like it. :evil: or, you know, perhaps phpBB programmers????

christ....like pulling teeth.
.:: 28:Ø6:42:12 ::.
jbay
Registered User
Posts: 18
Joined: Tue Apr 02, 2002 2:27 pm
Contact:

Post by jbay »

wow. I'm glad I didn't install that mod. And I join the chorus of people who think it sucks that they didn't first inform the mod author...this is a very bad trend in security/bug announcements.

Having said that, I wish there was a more foolproof way to prevent someone from gaining elevated privs on the board; maybe hard-code something into the config file that has the allowed usernames for admin & mod privs...because somebody will probably find a way to inject something into sql, if somebody leaves a loophole somewhere.

(I suppose adding an .htaccess to the /admin directory with allowed IP's would work, too...)
User avatar
TC
Former Team Member
Posts: 3633
Joined: Tue Sep 25, 2001 7:23 pm
Location: Kµlt °ƒ Ø, working on my time machine

Post by TC »

i'll go ahead an say this, saving others the trouble: 2.2.

8)
.:: 28:Ø6:42:12 ::.
R45
Registered User
Posts: 2830
Joined: Tue Nov 27, 2001 10:42 pm

Post by R45 »

jbay wrote: wow. I'm glad I didn't install that mod. And I join the chorus of people who think it sucks that they didn't first inform the mod author...this is a very bad trend in security/bug announcements.

Having said that, I wish there was a more foolproof way to prevent someone from gaining elevated privs on the board; maybe hard-code something into the config file that has the allowed usernames for admin & mod privs...because somebody will probably find a way to inject something into sql, if somebody leaves a loophole somewhere.

(I suppose adding an .htaccess to the /admin directory with allowed IP's would work, too...)
There are enough proceedures to prevent loophooles. Its for people to take their time when writing MODs, the hole is one of the simplest exploits for inputted data. We are all human though and humans make mistakes.

I agree whoever published the exploit is entirely careless in that manner is entirely careless and needs to learn common sense.
Ashe
Former Team Member
Posts: 642
Joined: Sun Jul 08, 2001 11:38 am

Post by Ashe »

Could Niels Chr Rød confirm he didn't receive anything about the exploit? Maybe the reporter (or someone else...) sent a mail that Niels didn't receive or inadvertly trashed without reading.
romutis
Registered User
Posts: 142
Joined: Wed Jan 30, 2002 9:35 am
Location: Milan, Italy

Post by romutis »

Ashe wrote: Could Niels Chr Rød confirm he didn't receive anything about the exploit? Maybe the reporter (or someone else...) sent a mail that Niels didn't receive or inadvertly trashed without reading.


Niels is on vacation till the end of August. And his forum is hacked through his MOD. :( Cazzo! :x

And i really don't understand people who are pray for MOD authors but blame them in case of any error. :evil:
// Romutis
Stadler
Registered User
Posts: 8
Joined: Sat May 18, 2002 12:04 pm
Location: Kiel, Germany
Contact:

Post by Stadler »

Isn't it worth a newspost or at least an announcement, considering many having installed this mod on their forum and that many forums now 're open for hackers, because the exploit has been published?
Carn
Registered User
Posts: 8
Joined: Sun May 12, 2002 11:42 am
Location: Australia

Post by Carn »

Well my forum got hacked due to the gender mod too. Someone really should have announced this.

I am now using Invision Board due to this. I only found this thread after setting up IB, but it doesn't matter because i was planning to move to IB anyway when 1.1 was released but my plans got spedup due to being exploited through the gender mod.
DBurton
Registered User
Posts: 255
Joined: Fri Aug 03, 2001 6:59 pm

Post by DBurton »

Carn wrote: Well my forum got hacked due to the gender mod too. Someone really should have announced this.

I am now using Invision Board due to this. I only found this thread after setting up IB, but it doesn't matter because i was planning to move to IB anyway when 1.1 was released but my plans got spedup due to being exploited through the gender mod.


So you bring up a dead topic to tell us that you switched to another forum software. What exactly was the point of that? :roll:
User avatar
TC
Former Team Member
Posts: 3633
Joined: Tue Sep 25, 2001 7:23 pm
Location: Kµlt °ƒ Ø, working on my time machine

Post by TC »

Carn wrote: Well my forum got hacked due to the gender mod too. Someone really should have announced this.

the first post in this very thread was a month ago. the website securiteam announced this that day. the mod has been fixed and patches issued.

i mean, what kind of annoucement were you expecting? should Time® magazine be picking this up? Newsweek©? the New York Times™?

bottom line in your personal story is this:

"Hi, I'm Carn. I made modifications to the core of some free software that I have been using which opened me up for hacking. I am now therefore going to blame the developers. I mean, it is afterall, their fault that I decided to make modifications to the core software...."

now, if you claim is that you downloaded and installed this mod because it was made available here and branded "official", check out this thread. oh wait, you have thrown in the towel already, that's right.

have fun with your IB. buh-bye.
.:: 28:Ø6:42:12 ::.
Locked

Return to “2.0.x Discussion”