security flaws in phpBB

what version of phpbb was it running?
was it using the latest version (that fixed the vulnerability against
that worm)?
Nikola Skoric wrote:

I've recently seen a phpbb forum hacked. The hacker removed all
accounts, formed only one admin acc under his control and removed all
articles. How did he do that, anyway? And how can I protect my forums? I
presume programers of phpBB took care of SQL injection and such well
known attacks... so, what can I do as forum admin and (relatively)
skilled PHP/MySQL programer to make sure something like that doesn't
happen to my forum? (ofcourse, I already DO backup my MySQL base every
24 hours)

"Nikola Skoric" <ni*******@net4u.hr> wrote in message
news:MPG.1c5321038a0c63af989a4d@localhost...

I've recently seen a phpbb forum hacked. The hacker removed all
accounts, formed only one admin acc under his control and removed all
articles. How did he do that, anyway? And how can I protect my forums? I
presume programers of phpBB took care of SQL injection and such well
known attacks... so, what can I do as forum admin and (relatively)
skilled PHP/MySQL programer to make sure something like that doesn't
happen to my forum? (ofcourse, I already DO backup my MySQL base every
24 hours)

--
"Now the storm has passed over me
I'm left to drift on a dead calm sea
And watch her forever through the cracks in the beams
Nailed across the doorways of the bedrooms of my dreams"

The reports were very confusing. Initially it was reported that the worm
exploits an buffer overflow in unserialize(). But that was not the case at
all.

I think the vulnerability has something to do the fact that phpBB uses
eval() in its template engine. When user data is not correctly
escaped/filtered, very bad things happen.

Chung Leong wrote:

"Nikola Skoric" <ni*******@net4u.hr> wrote in message
news:MPG.1c5321038a0c63af989a4d@localhost... [snip]
I think the vulnerability has something to do the fact that phpBB uses
eval() in its template engine. When user data is not correctly
escaped/filtered, very bad things happen.

If that is indeed the case, the following comes to mind, Rasmus Lerdorf
(creator of PHP) said: "If eval() is the answer, you're almost certainly
asking the wrong question."

I think using eval() in a highly user-data driven application is a high
risk. It may save a lot of scripting time, but I would not like to build
my stuff around eval() if i can avoid it.

Curious what more is to be said on this topic, phpBB is widespread!

Chung Leong wrote:
<snip>

The reports were very confusing. Initially it was reported that the worm exploits an buffer overflow in unserialize(). But that was not the case at all.
What I understood is that, it was wrongly misunderstood that the
attack was done by stuffing "own made" serialized data via cookies or
so.
I think the vulnerability has something to do the fact that phpBB uses eval() in its template engine. When user data is not correctly
escaped/filtered, very bad things happen.

I've saved the worm source and yet to analyze the stuff. But, my
quick glance at the source and other articles suggests that the problem
is to do with double urldecode.

See.. <http://in2.php.net/urldecode#48481> and
<http://in2.php.net/security-note.php>

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Schraalhans Keukenmeester wrote:

If that is indeed the case, the following comes to mind, Rasmus Lerdorf
(creator of PHP) said: "If eval() is the answer, you're almost certainly
asking the wrong question."

If you need a function that can take a variable number of parameters,
like array_intersect(), and the number of parameters is not known
beforehand, what else can you do except eval()?

I use it like this:
$code = "\$new_array = array_intersect(\$array, " . join(',',
$parameters) . ');';

eval($code);

// do something with $new_array
Are there other ways?

JP

--
Sorry, <de*****@cauce.org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.

.oO(Jan Pieter Kunst)

If you need a function that can take a variable number of parameters,
like array_intersect(), and the number of parameters is not known
beforehand, what else can you do except eval()?

call_user_func_array()

Micha

Michael Fesser wrote:

.oO(Jan Pieter Kunst)

If you need a function that can take a variable number of parameters,
like array_intersect(), and the number of parameters is not known
beforehand, what else can you do except eval()?

call_user_func_array()

Micha

Good call. I didn't think of those call_user_func functions. I
associated them only with user defined functions (as is said in the PHP
manual, "Call a user defined function given by function"), but I see
that you can also use them with built-in PHP functions.

JP

--
Sorry, <de*****@cauce.org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.

"Michael Fesser" <ne*****@gmx.net> wrote in message
news:fr********************************@4ax.com...

.oO(Jan Pieter Kunst)

If you need a function that can take a variable number of parameters,
like array_intersect(), and the number of parameters is not known
beforehand, what else can you do except eval()?

call_user_func_array()

Micha

call_user_func_array() doesn't pass references. So if you need sort an
unknown number of columns with array_multisort(), eval() is the only way.
Exactly how such a situation could arise I have no idea :-p

>> >If you need a function that can take a variable number of parameters,

>like array_intersect(), and the number of parameters is not known
>beforehand, what else can you do except eval()?

call_user_func_array()

Micha

call_user_func_array() doesn't pass references. So if you need sort an
unknown number of columns with array_multisort(), eval() is the only way.
Exactly how such a situation could arise I have no idea :-p

If number of columns (arguments) has limited range, you could use switch()
with set of statements.

--
* html {redirect-to: url(http://browsehappy.pl);}

"Schraalhans Keukenmeester" <vo******@hetepost.com> wrote in message
news:41**********************@news.xs4all.nl...

Chung Leong wrote:

"Nikola Skoric" <ni*******@net4u.hr> wrote in message
news:MPG.1c5321038a0c63af989a4d@localhost...

[snip]

I think the vulnerability has something to do the fact that phpBB uses
eval() in its template engine. When user data is not correctly
escaped/filtered, very bad things happen.

If that is indeed the case, the following comes to mind, Rasmus Lerdorf
(creator of PHP) said: "If eval() is the answer, you're almost certainly
asking the wrong question."

I think using eval() in a highly user-data driven application is a high
risk. It may save a lot of scripting time, but I would not like to build
my stuff around eval() if i can avoid it.

Curious what more is to be said on this topic, phpBB is widespread!

I dug around a little in viewtopic.php (the vulnerable page) and found this
line:

$message = str_replace('\"', '"',
substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b("
.. $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3']
.. "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Look very closely. The second occurence of preg_replace actually puts
"preg_replace(...)" into $message. The variable clearly is going to be
eval() a some later time. If $highlight_match is not escaped correctly, then
arbituary PHP code can be introduced.

The following block sets up $highlight_match:

if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

for($i = 0; $i < sizeof($words); $i++)
{
if (trim($words[$i]) != '')
{
$highlight_match .= (($highlight_match != '') ? '|' : '') .
str_replace('*', '\w*', phpbb_preg_quote($words[$i], '#'));
}
}
unset($words);

$highlight = urlencode($HTTP_GET_VARS['highlight']);
}
So it's definitely coming from the request.

Jan Pieter Kunst wrote:

Schraalhans Keukenmeester wrote:

If that is indeed the case, the following comes to mind, Rasmus
Lerdorf (creator of PHP) said: "If eval() is the answer, you're almost
certainly asking the wrong question."

If you need a function that can take a variable number of parameters,
like array_intersect(), and the number of parameters is not known
beforehand, what else can you do except eval()?

[snip - what to use instead of eval with unknown num of params ?]
Are there other ways?

JP

int func_num_args()
mixed func_get_arg(int arg_num)
array func_get_args()

SK