R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Sunday, 26th October 2014 @ 02:52:56 GMT 
Reports | Privilege Escalation Vulnerability on phpBB 2.0.0
{2nd Aug 2002}

On August 25th 2002 Rootsecure.net discovered a privilege escalation vulnerability in "phpBB 2.0.0" (Powered by phpBB 2.0.0 2001 phpBB Group) which allows any person with a "user" level account to escalate their privileges to that of "administrator" level, and therefore gain full unrestrictive control of a forum. 

A coding error exists in the admin_ug_auth.php script (used to set permissions), so although admin rights are needed to view the page, anyone can post data back to it "no questions asked". Therefore, if you already know what kind of response the board is looking for, you can go straight ahead and tell it directly that you want to give admin rights to a specific account.

Update: Modified/hacked versions of phpBB (e.g. the phpbbnuke port for phpnuke55/56) are also thought to be open to Rootsecure.net's phpBB exploit.
See securityfocus.com for details.

Download Proof Of Concept Code:

HTML Version

Before using the proof of concept code you must first find out two bits of information:

1. The base directory of the board, (usually something like http://www.mydomain.com/phpBB2), which is found by taking off index.php from the main page URL.
2. The user number of the account you wish to give admin. To do this go to the forums member list page, click your username, then note down the number shown at the right end of the URL you are now at. (if no users have been deleted from the board, then the number next to your username on the members list page under the "#" column will also be your true user number).

If you are using the HTML based code ensure you log out from the board first. (otherwise, you will get a permissions error)

When run, if the exploit is successful, on your next login, there will be a link at the bottom of every board page saying "Go to Administration Panel" and additional options on screen when you are viewing a specific thread to enable you to edit, delete, lock individual posts/threads etc. 

Note: phpBB versions above 2.0.0 are not vulnerable.