
security flaws in phpBB

Nikola Skoric
Guest
 
Posts: n/a
#1: Jul 17 '05
I've recently seen a phpBB forum hacked. The hacker removed all
accounts, created only one admin account under his control and removed all
articles. How did he do that, anyway? And how can I protect my forums? I
presume the programmers of phpBB took care of SQL injection and other such
well-known attacks... so, what can I do as a forum admin and (relatively)
skilled PHP/MySQL programmer to make sure something like that doesn't
happen to my forum? (Of course, I already DO back up my MySQL database every
24 hours.)

--
"Now the storm has passed over me
I'm left to drift on a dead calm sea
And watch her forever through the cracks in the beams
Nailed across the doorways of the bedrooms of my dreams"

Jonne
Guest
 
Posts: n/a
#2: Jul 17 '05

re: security flaws in phpBB


What version of phpBB was it running?
Was it using the latest version (that fixed the vulnerability against
that worm)?
Nikola Skoric wrote:
> I've recently seen a phpBB forum hacked. The hacker removed all
> accounts, created only one admin account under his control and removed all
> articles. How did he do that, anyway? And how can I protect my forums? I
> presume the programmers of phpBB took care of SQL injection and other such
> well-known attacks... so, what can I do as a forum admin and (relatively)
> skilled PHP/MySQL programmer to make sure something like that doesn't
> happen to my forum? (Of course, I already DO back up my MySQL database every
> 24 hours.)
>
Chung Leong
Guest
 
Posts: n/a
#3: Jul 17 '05

re: security flaws in phpBB



"Nikola Skoric" <nick-news@net4u.hr> wrote in message
news:MPG.1c5321038a0c63af989a4d@localhost...
> I've recently seen a phpBB forum hacked. The hacker removed all
> accounts, created only one admin account under his control and removed all
> articles. How did he do that, anyway? And how can I protect my forums? I
> presume the programmers of phpBB took care of SQL injection and other such
> well-known attacks... so, what can I do as a forum admin and (relatively)
> skilled PHP/MySQL programmer to make sure something like that doesn't
> happen to my forum? (Of course, I already DO back up my MySQL database every
> 24 hours.)
>
> --
> "Now the storm has passed over me
> I'm left to drift on a dead calm sea
> And watch her forever through the cracks in the beams
> Nailed across the doorways of the bedrooms of my dreams"

The reports were very confusing. Initially it was reported that the worm
exploits a buffer overflow in unserialize(). But that was not the case at
all.

I think the vulnerability has something to do with the fact that phpBB uses
eval() in its template engine. When user data is not correctly
escaped/filtered, very bad things happen.


Schraalhans Keukenmeester
Guest
 
Posts: n/a
#4: Jul 17 '05

re: security flaws in phpBB


Chung Leong wrote:
> "Nikola Skoric" <nick-news@net4u.hr> wrote in message
> news:MPG.1c5321038a0c63af989a4d@localhost...
[snip]
>
> I think the vulnerability has something to do with the fact that phpBB uses
> eval() in its template engine. When user data is not correctly
> escaped/filtered, very bad things happen.
>
>
If that is indeed the case, the following comes to mind, Rasmus Lerdorf
(creator of PHP) said: "If eval() is the answer, you're almost certainly
asking the wrong question."

I think using eval() in a highly user-data driven application is a high
risk. It may save a lot of scripting time, but I would not like to build
my stuff around eval() if I can avoid it.

Curious what more is to be said on this topic, phpBB is widespread!


R. Rajesh Jeba Anbiah
Guest
 
Posts: n/a
#5: Jul 17 '05

re: security flaws in phpBB


Chung Leong wrote:
<snip>
> The reports were very confusing. Initially it was reported that the worm
> exploits a buffer overflow in unserialize(). But that was not the case at
> all.

What I understood is that it was wrongly assumed that the attack was done
by stuffing home-made serialized data in via cookies or so.

> I think the vulnerability has something to do with the fact that phpBB
> uses eval() in its template engine. When user data is not correctly
> escaped/filtered, very bad things happen.

I've saved the worm source and have yet to analyze the stuff. But my quick
glance at the source and other articles suggests that the problem has to do
with a double urldecode.

See <http://in2.php.net/urldecode#48481> and
<http://in2.php.net/security-note.php>

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jan Pieter Kunst
Guest
 
Posts: n/a
#6: Jul 17 '05

re: security flaws in phpBB


Schraalhans Keukenmeester wrote:

> If that is indeed the case, the following comes to mind, Rasmus Lerdorf
> (creator of PHP) said: "If eval() is the answer, you're almost certainly
> asking the wrong question."

If you need a function that can take a variable number of parameters,
like array_intersect(), and the number of parameters is not known
beforehand, what else can you do except eval()?

I use it like this:

// $parameters holds the *names* of the other arrays as strings,
// e.g. array('$b', '$c'), so the generated code reads
// $new_array = array_intersect($array, $b, $c);
$code = "\$new_array = array_intersect(\$array, " . join(',', $parameters) . ');';

eval($code);

// do something with $new_array


Are there other ways?

JP

--
Sorry, <devnull@cauce.org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.
Michael Fesser
Guest
 
Posts: n/a
#7: Jul 17 '05

re: security flaws in phpBB


.oO(Jan Pieter Kunst)

>If you need a function that can take a variable number of parameters,
>like array_intersect(), and the number of parameters is not known
>beforehand, what else can you do except eval()?

call_user_func_array()

Micha
Jan Pieter Kunst
Guest
 
Posts: n/a
#8: Jul 17 '05

re: security flaws in phpBB


Michael Fesser wrote:
> .oO(Jan Pieter Kunst)
>
>
>>If you need a function that can take a variable number of parameters,
>>like array_intersect(), and the number of parameters is not known
>>beforehand, what else can you do except eval()?
>
>
> call_user_func_array()
>
> Micha

Good call. I didn't think of those call_user_func functions. I
associated them only with user defined functions (as is said in the PHP
manual, "Call a user defined function given by function"), but I see
that you can also use them with built-in PHP functions.

JP

--
Sorry, <devnull@cauce.org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.
Chung Leong
Guest
 
Posts: n/a
#9: Jul 17 '05

re: security flaws in phpBB


"Michael Fesser" <netizen@gmx.net> wrote in message
news:fr8ou0t1ailq46vvrn1dunko0c2q20137f@4ax.com...
> .oO(Jan Pieter Kunst)
>
> >If you need a function that can take a variable number of parameters,
> >like array_intersect(), and the number of parameters is not known
> >beforehand, what else can you do except eval()?
>
> call_user_func_array()
>
> Micha

call_user_func_array() doesn't pass references. So if you need to sort an
unknown number of columns with array_multisort(), eval() is the only way.
Exactly how such a situation could arise I have no idea :-p


porneL
Guest
 
Posts: n/a
#10: Jul 17 '05

re: security flaws in phpBB


>>> If you need a function that can take a variable number of parameters,
>>> like array_intersect(), and the number of parameters is not known
>>> beforehand, what else can you do except eval()?
>>
>> call_user_func_array()
>>
>> Micha
>
> call_user_func_array() doesn't pass references. So if you need to sort an
> unknown number of columns with array_multisort(), eval() is the only way.
> Exactly how such a situation could arise I have no idea :-p

If the number of columns (arguments) has a limited range, you could use
switch() with a set of statements.



--
* html {redirect-to: url(http://browsehappy.pl);}
Chung Leong
Guest
 
Posts: n/a
#11: Jul 17 '05

re: security flaws in phpBB


"Schraalhans Keukenmeester" <voornaam@hetepost.com> wrote in message
news:41ebd887$0$6209$e4fe514c@news.xs4all.nl...
> Chung Leong wrote:
> > "Nikola Skoric" <nick-news@net4u.hr> wrote in message
> > news:MPG.1c5321038a0c63af989a4d@localhost...
> [snip]
> >
> > I think the vulnerability has something to do with the fact that phpBB uses
> > eval() in its template engine. When user data is not correctly
> > escaped/filtered, very bad things happen.
> >
> >
> If that is indeed the case, the following comes to mind, Rasmus Lerdorf
> (creator of PHP) said: "If eval() is the answer, you're almost certainly
> asking the wrong question."
>
> I think using eval() in a highly user-data driven application is a high
> risk. It may save a lot of scripting time, but I would not like to build
> my stuff around eval() if I can avoid it.
>
> Curious what more is to be said on this topic, phpBB is widespread!
>

I dug around a little in viewtopic.php (the vulnerable page) and found this
line:

$message = str_replace('\"', '"',
substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b("
. $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3']
. "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Look very closely. The second occurrence of preg_replace actually puts
"preg_replace(...)" into $message. The variable is clearly going to be
eval()'d at some later time. If $highlight_match is not escaped correctly, then
arbitrary PHP code can be introduced.

The following block sets up $highlight_match:

if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

    for ($i = 0; $i < sizeof($words); $i++)
    {
        if (trim($words[$i]) != '')
        {
            $highlight_match .= (($highlight_match != '') ? '|' : '') .
                str_replace('*', '\w*', phpbb_preg_quote($words[$i], '#'));
        }
    }
    unset($words);

    $highlight = urlencode($HTTP_GET_VARS['highlight']);
}

So it's definitely coming from the request.
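The shape Chung Leong traces in this post (request data ending up inside code that preg_replace()'s /e modifier evaluates) together with the double-urldecode point Rajesh raised earlier, shown next to a version that never generates code. This is an added example, not phpBB's code and not the worm: the function names, the canary function and the payload are constructed for illustration, and the /e step is emulated with eval() because /e no longer exists in PHP 7 and later. Needs PHP 7.4 or later.

```php
<?php
// Added example, not phpBB's code. It mirrors the shape discussed in the
// thread: request data is regex-escaped, decoded a second time, then spliced
// into PHP source that is evaluated. preg_replace()'s /e modifier is gone since
// PHP 7, so its "the replacement string is PHP source" step is emulated here
// with eval(); the data flow is the same. Function names, the canary and the
// payload are this example's own assumptions, not the worm's.

$GLOBALS['canary_fired'] = false;

// Stand-in for injected code: it records that it ran instead of doing damage.
function highlight_canary(): string
{
    $GLOBALS['canary_fired'] = true;
    return 'x';
}

// Vulnerable shape: escape, decode again, build PHP source, eval it.
function highlight_unsafe(string $message, string $highlight): string
{
    // preg_quote() protects the *regex*; it knows nothing about the PHP string
    // literal the result is about to be spliced into, and leaves ' and % alone.
    $match = preg_quote($highlight, '#');

    // A second urldecode() after escaping mints characters (' . ( ) ...) that the
    // escaping never saw. The ordering is the bug, not preg_quote() itself.
    $match = urldecode($match);

    $src = "return preg_replace('#\\b(" . $match . ")\\b#i', '<b>\\\\1</b>', \$message);";
    return eval($src);
}

// Hardened shape: PHP has already decoded $_GET once, so decode no further;
// escape once; and never turn data into code. preg_replace_callback() hands
// each match to a closure instead of eval'ing a string.
function highlight_safe(string $message, string $highlight): string
{
    $words = array_filter(array_map('trim', explode(' ', $highlight)), 'strlen');
    if ($words === []) {
        return $message;
    }
    $alternatives = array_map(
        // '*' is the only wildcard the user may use; everything else is literal.
        fn(string $w): string => str_replace('\*', '\w*', preg_quote($w, '#')),
        $words
    );
    $pattern = '#\b(' . implode('|', $alternatives) . ')\b#i';

    return preg_replace_callback(
        $pattern,
        fn(array $m): string => '<b>' . $m[1] . '</b>',
        $message
    );
}

$message = 'The highlight parameter comes straight from the request.';

// Ordinary use: both variants wrap the requested words.
echo highlight_safe($message, 'request highlight'), "\n";
echo highlight_unsafe($message, 'request'), "\n";

// Attacker input as the script sees it after PHP's own single decode of
// %2527%252Ehighlight_canary%2528%2529%252E%2527 (constructed for this example).
$payload = '%27%2Ehighlight_canary%28%29%2E%27';

highlight_unsafe($message, $payload);
echo 'unsafe: canary fired = ', var_export($GLOBALS['canary_fired'], true), "\n";

$GLOBALS['canary_fired'] = false;
highlight_safe($message, $payload);
echo 'safe:   canary fired = ', var_export($GLOBALS['canary_fired'], true), "\n";
```

In the unsafe variant the escaping is correct for the regex but runs before the second decode, so `%27` passes preg_quote() untouched and only becomes a quote inside the generated source, where it closes the pattern literal and lets `.highlight_canary().` execute; the canary records that the injected call ran. The safe variant treats the very same string as a literal search term. The general rule is the one the thread is circling: decode once, escape for the exact context you are writing into, and prefer APIs (preg_replace_callback() here, prepared statements for SQL, a template engine that does not eval()) that keep data from ever becoming code.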


Schraalhans Keukenmeester
Guest
 
Posts: n/a
#12: Jul 17 '05

re: security flaws in phpBB


Jan Pieter Kunst wrote:
> Schraalhans Keukenmeester wrote:
>
>> If that is indeed the case, the following comes to mind, Rasmus
>> Lerdorf (creator of PHP) said: "If eval() is the answer, you're almost
>> certainly asking the wrong question."
>
>
> If you need a function that can take a variable number of parameters,
> like array_intersect(), and the number of parameters is not known
> beforehand, what else can you do except eval()?
>
[snip - what to use instead of eval with unknown num of params ?]
>
> Are there other ways?
>
> JP
>

int func_num_args()
mixed func_get_arg(int arg_num)
array func_get_args()

SK
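For the side discussion above on calling a function with an argument count that is unknown until run time (Jan Pieter's array_intersect() case, Chung's array_multisort() by-reference case, and SK's func_get_args()), an added example that is not code from any poster: the same calls without eval(), using call_user_func_array(), a variadic signature and argument unpacking. Argument unpacking needs PHP 5.6 or later, which post-dates this thread. The sample arrays are constructed for the example.

```php
<?php
// Added example, not code from the thread. It calls array_intersect() and
// array_multisort() with an argument count unknown until run time, without
// eval(). Sample data is constructed here; PHP 5.6+ for argument unpacking.

// call_user_func_array(): the call the posted eval() built as a string,
// made directly. $others is an array of arrays, not of variable names.
function intersect_all(array $base, array $others): array
{
    return call_user_func_array('array_intersect', array_merge([$base], $others));
}

// A variadic signature (the modern counterpart of func_get_args()) plus
// argument unpacking does the same with no indirection at all.
function intersect_all_variadic(array $base, array ...$others): array
{
    return array_intersect($base, ...$others);
}

// By-reference parameters: array_multisort() sorts parallel columns in lock
// step and takes each column by reference. Unpacking an array into by-ref
// parameters turns its elements into references, so $columns is sorted in
// place and the sorted copy is returned.
function multisort_columns(array $columns): array
{
    array_multisort(...$columns);
    return $columns;
}

$base   = ['a', 'b', 'c', 'd'];
$others = [['b', 'c', 'd', 'z'], ['c', 'd', 'x'], ['d', 'c']];

// Elements of $base present in every other array, by both routes.
print_r(intersect_all($base, $others));
print_r(intersect_all_variadic($base, ...$others));

// Two parallel columns: the first is sorted, the second follows it.
$columns = [[3, 1, 2], ['c', 'a', 'b']];
print_r(multisort_columns($columns));
```

None of these paths builds source text, so the contents of the arrays can be anything (including request data) without any chance of being interpreted as code, which is the property the eval() version could only get by careful escaping of every variable name.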