June 29th, 2005, 10:46 PM
PHPBB 2.0.16 Released (< 2.0.16 vulnerable)
phpBB 2.0.16 Fixes a Critical Security Issue
If you're using the popular phpBB bulletin board package, it's time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which, according to the FrSIRT advisory, fails to properly validate input when processing the "highlight" parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported in the December 21, 2004 diary. Please update your copy of phpBB to help prevent another such worm from gaining steam.
For information about the phpBB 2.0.16 release, see the phpBB Group announcement. You can get the updated package from their downloads page. (Thanks to ISC reader Ronaldo for discussing the implications of this issue with us.)
PHPBB group announcement: http://www.phpbb.com/phpBB/viewtopic.php?t=302011
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
July 1st, 2005, 08:05 AM
For those of you that are lazy, I had to update 6 sites that had the vulnerable viewtopic.php tonight... I've just applied their hotfix instead of the update... since it supposedly fixes the vuln...
I've added it here.... for those of you that don't want to update yourself.. just upload this one over top (it's from 2.0.15)... rename it to .php
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
July 1st, 2005, 12:24 PM
It appears to me that this vulnerability allows arbitrary PHP code execution on the server, hence is extremely serious.
I can see how that exploit works, and how such a thing could be missed by the coders. Illustrates the danger of ludicrously unreadable code such as this:
Not only is it extremely difficult to see what this does exactly, but it also happens to have this amazingly serious vulnerability
// This was shamelessly 'borrowed' from volker at multiartstudio dot de
// via php.net's annotated manual
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span
>', '\\0')", '>' . $message . '<'), 1, -1));
I *think* that the "e" modifier inside the preg_replace string "#se", means that the replaced string is evaluated as PHP code.
In fact this uses self-writing code, as the replacement
Is itself a piece of PHP code, which of course can be trivially injected with PHP from $message
"preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'
What a total nightmare.
Makes me wonder how exactly that was found - I certainly wouldn't have spotted it.
PS: above may be entirely wrong, just my basic analysis.