Results 1 to 3 of 3

Thread: PHPBB 2.0.16 Released (< 2.0.16 vulnerable)

  1. #1
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356

    PHPBB 2.0.16 Released (< 2.0.16 vulnerable)

    phpBB 2.0.16 Fixes a Critical Security Issue

    If you're using the popular phpBB bulletin board package, it's time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which, according to the FrSIRT advisory, fails to properly validate input when processing the "highlight" parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported in the December 21, 2004 diary. Please update your copy of phpBB to help prevent another such worm from gaining steam.

    For information about the phpBB 2.0.16 release, see the phpBB Group announcement. You can get the updated package from their downloads page. (Thanks to ISC reader Ronaldo for discussing the implications of this issue with us.)
    (from http://www.incidents.org)

    PHPBB group announcement: http://www.phpbb.com/phpBB/viewtopic.php?t=302011
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    For those of you that are lazy, I had to update 6 sites that had the vulnerable viewtopic.php tonight... I've just applied their hotfix instead of the update... since it supposedly fixes the vuln...

    I've added it here.... for those of you that don't want to update yourself.. just upload this one over top (it's from 2.0.15)... rename it to .php


    Peace,
    HT

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    It appears to me that this vulnerability allows arbitrary PHP code execution on the server, hence is extremely serious.

    I can see how that exploit works, and how such a thing could be missed by the coders. Illustrates the danger of ludicrously unreadable code such as this:

    PHP Code:
    // This was shamelessly 'borrowed' from volker at multiartstudio dot de
                    // via php.net's annotated manual
                    
    $message str_replace('\"''"'substr(preg_replace('#(\&gt;(((?&gt;([^&gt;&lt;]+|(?R)))*)\&lt;))#se'"preg_replace('#\b(" $highlight_match ")\b#i', '&lt;span style=\"color:#" $theme['fontcolor3'] . "\"&gt;&lt;b&gt;\\\\1&lt;/b&gt;&lt;/span
    &gt;', '\\0')"
    '&gt;' $message '&lt;'), 1, -1)); 
    Not only is it extremely difficult to see what this does exactly, but it also happens to have this amazingly serious vulnerability

    I *think* that the "e" modifier inside the preg_replace string "#se", means that the replaced string is evaluated as PHP code.

    In fact this uses self-writing code, as the replacement

    Code:
    "preg_replace('#\b(" . $highlight_match . ")\b#i', '&lt;span style=\"color:#" . $theme['fontcolor3'] . "\"&gt;&lt;b&gt;\\\\1&lt;/b&gt;&lt;/span&gt;', '\\0')", '&gt;' . $message . '&lt;'
    Is itself a piece of PHP code, which of course can be trivially injected with PHP from $message

    What a total nightmare.

    Makes me wonder how exactly that was found - I certainly wouldn't have spotted it.

    Slarty

    PS: above may be entirely wrong, just my basic analysis.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •