"Schraalhans Keukenmeester" <vo******@hetepost.com> wrote in message
news:41**********************@news.xs4all.nl...
Chung Leong wrote:
"Nikola Skoric" <ni*******@net4u.hr> wrote in message
news:MPG.1c5321038a0c63af989a4d@localhost...
[snip]
I think the vulnerability has something to do with the fact that phpBB uses
eval() in its template engine. When user data is not correctly
escaped/filtered, very bad things happen.
If that is indeed the case, the following comes to mind, Rasmus Lerdorf
(creator of PHP) said: "If eval() is the answer, you're almost certainly
asking the wrong question."
I think using eval() in a highly user-data driven application is a high
risk. It may save a lot of scripting time, but I would not like to build
my stuff around eval() if I can avoid it.
Curious what more is to be said on this topic, phpBB is widespread!
I dug around a little in viewtopic.php (the vulnerable page) and found this
line:
$message = str_replace('\"', '"',
    substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b("
    . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3']
    . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
Look very closely. The second occurrence of preg_replace actually puts
"preg_replace(...)" into $message. The variable is clearly going to be
eval()'d at some later time. If $highlight_match is not escaped correctly, then
arbitrary PHP code can be introduced.
The following block sets up $highlight_match:
if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
    for($i = 0; $i < sizeof($words); $i++)
    {
        if (trim($words[$i]) != '')
        {
            $highlight_match .= (($highlight_match != '') ? '|' : '') .
                str_replace('*', '\w*', phpbb_preg_quote($words[$i], '#'));
        }
    }
    unset($words);
    $highlight = urlencode($HTTP_GET_VARS['highlight']);
}
So it's definitely coming from the request.
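For comparison, here is the same highlight construct rebuilt without the /e modifier. This is an added example, not phpBB's code and not from the thread: with /e, preg_replace runs its replacement argument through eval(), and the string built from the request is spliced into that PHP source; with preg_replace_callback the request data only ever reaches the engine as a regex operand. It assumes PHP's built-in preg_quote() in place of phpBB's own phpbb_preg_quote(), and the colour value and message are constructed sample input.

```php
<?php
// Added example, not phpBB's code: the viewtopic.php highlight logic
// without the /e modifier. The closure replaces the eval()'d
// replacement string, so $highlight_match is a regex operand and never
// part of PHP source. Assumptions: preg_quote() stands in for
// phpbb_preg_quote(); colour and message below are constructed samples.

function build_highlight_match(string $highlight): string
{
    // Same shape as phpBB's loop: split on spaces, quote each word for
    // the '#' delimiter, then turn the user's '*' into a \w* wildcard.
    // preg_quote() has already turned '*' into '\*', so that is what
    // gets replaced here.
    $match = '';
    foreach (explode(' ', trim(htmlspecialchars($highlight))) as $word) {
        if (trim($word) === '') {
            continue;
        }
        $match .= ($match !== '' ? '|' : '')
            . str_replace('\*', '\w*', preg_quote($word, '#'));
    }
    return $match;
}

function highlight_message(string $message, string $highlight_match, string $colour): string
{
    if ($highlight_match === '') {
        return $message;
    }
    // Outer pass: the same recursive pattern phpBB used to pick out the
    // text between tags, minus the e flag. The inner replacement runs
    // inside the closure as ordinary code; \1 is a backreference, not
    // PHP that the request can rewrite.
    $wrapped = preg_replace_callback(
        '#(\>(((?>([^><]+|(?R)))*)\<))#s',
        function (array $m) use ($highlight_match, $colour): string {
            return preg_replace(
                '#\b(' . $highlight_match . ')\b#i',
                '<span style="color:#' . $colour . '"><b>\1</b></span>',
                $m[0]
            );
        },
        '>' . $message . '<'
    );
    if ($wrapped === null) {
        // Regex failure (e.g. backtracking limit): fall back to no highlighting.
        return $message;
    }
    // Drop the sentinel '>' and '<' added around the message.
    return substr($wrapped, 1, -1);
}

// Constructed sample input; in viewtopic.php the highlight string comes
// from $HTTP_GET_VARS['highlight'].
$message = 'Hello <b>world</b>, hello again';
$match   = build_highlight_match('hello wor*');
echo highlight_message($message, $match, 'FF0000'), "\n";
```

The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so on a current interpreter the original line no longer evaluates anything; on the PHP 4 and 5 versions phpBB 2 ran on, the callback form above is the fix that removes the eval() path. The highlight words remain a regex operand even in this version, so capping the length of the highlight parameter before building the alternation is a sensible extra limit against expensive patterns.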