[ Predrag Damnjanovic @ 27.01.2005. 17:17 ] @
I don't know which forum to post this in... I guess it belongs more to PHP than to security...
Maybe it will help someone whose forum has been 'hijacked'...

I won't translate it... I guess you understand that much English...

---------

http://www.securityfocus.com/archive/1/388423

-------------------------
To: BugTraq
Subject: List of all admin accounts in phpBB
Date: Jan 25 2005 10:48PM
Author: Predrag Damnjanovic <bugtraq mycity co yu>
Message-ID: <41F6DAC4.1028.21160EF@localhost>
-------

After the discovery of the 'highlight' vulnerability in phpBB, many forums were patched, but... it is possible that attackers created [secret] admin accounts...
It is very hard to find secret admin accounts if the forum has too many users... you must check every account...

So, here is a simple PHP script that will show a list of all admin accounts on your phpBB forum.
Just copy this file to the phpBB directory...

file admin_list.php :
Code:

<?php
// Copy this file to the phpBB directory (where the config.php file is)
// Author: Predrag Damnjanovic     Email: peca at mycity . co . yu
// Homepage: http://www.mycity.co.yu/

define('IN_PHPBB', true);
$phpbb_root_path = './';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);

// Start session management
$userdata = session_pagestart($user_ip, PAGE_INDEX);
init_userprefs($userdata);

// Uncomment this if you want only a logged-in admin to be able to open this script
// (ANONYMOUS and ADMIN are phpBB's own constants: user_id -1 and user_level 1)
// if (!isset($userdata['user_id']) || intval($userdata['user_id']) == ANONYMOUS ||
//     intval($userdata['user_level']) != ADMIN) exit;

echo "<html><body bgcolor=\"#E5E5E5\">List of admin accounts :<br>";

// user_level 1 (ADMIN) marks administrator accounts in phpBB 2
$result = mysql_query("SELECT username FROM " . USERS_TABLE . " WHERE user_level = " . ADMIN);
if (!$result) die(mysql_error());
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    // escape the username: an attacker-chosen name may contain HTML
    echo "<b>" . htmlspecialchars($row['username']) . "</b><br/>\n";
}
mysql_free_result($result);

echo "</body></html>";
?>


Use this PHP script to be sure that your forum doesn't have secret admin accounts.

If you find attacker admin accounts, you should remove admin status from those accounts...
Then you can delete this script, and of course, you should upgrade your phpBB to the latest version [if you haven't already].

A demonstration of this script can be found at
http://www.mycity.co.yu/phpbb/admin_list.php

Of course, there is an alternative way to check the list of admin accounts... just use an SQL query [via phpMyAdmin, or some SQL frontend client]: SELECT username FROM phpbb_users WHERE user_level=1;

Best regards,
Predrag Damnjanovic
http://www.mycity.co.yu/

[This message was edited by Predrag Damnjanovic on 27.01.2005. at 21:48 GMT+1]
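The same check as the post's script and SQL query, as an added example that is not part of the original post: it runs the admin-listing query against a constructed copy of the phpbb_users table (here in an in-memory SQLite database rather than the forum's MySQL database) and then diffs the result against an allowlist of admin accounts the forum owner knows about, so that an unexpected admin stands out instead of having to be spotted by eye in a long list. The user_level values 0/1/2 for user/admin/moderator are phpBB 2's own constants; the usernames and the allowlist are assumptions made up for the sample.

```python
import sqlite3

# phpBB 2 user_level values (USER, ADMIN, MOD from phpBB's constants.php)
USER, ADMIN, MOD = 0, 1, 2

# Constructed sample of the phpbb_users table, columns named as in phpBB 2.
# Against a real forum you would run the same SELECT on its MySQL database.
SAMPLE_ROWS = [
    (2, "admin", ADMIN),
    (3, "alice", USER),
    (4, "bob", MOD),
    (5, "carol", USER),
    (6, "helpdesk_", ADMIN),  # constructed "secret" admin, the case the post warns about
]


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_level INTEGER)"
    )
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_admins(conn):
    """Usernames with admin level: the post's query, with the level passed as a parameter."""
    rows = conn.execute(
        "SELECT username FROM phpbb_users WHERE user_level = ? ORDER BY username",
        (ADMIN,),
    ).fetchall()
    return [row[0] for row in rows]


def unexpected_admins(conn, known_admins):
    """Admin accounts that are not on the owner's allowlist of known admins."""
    return sorted(set(list_admins(conn)) - set(known_admins))


if __name__ == "__main__":
    conn = build_sample_db()
    print("admin accounts:", list_admins(conn))
    # the allowlist is an assumption; replace it with the admins you actually created
    print("unexpected admin accounts:", unexpected_admins(conn, {"admin"}))
```

Keeping the allowlist outside the database (in the script, a file, or a ticket) is the point: an attacker with admin access can edit the users table, but not the list you compare it against.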