phpBB Vulnerabilities -- how are they possible?

phpBB released version 2.0.11 a few weeks ago to fix some serious security holes. Seems like this forum is still on 2.0.10 (hopefully with at least the quick-fix applied).
What I'm interested in knowing is -- how on earth can a vulnerability exist for so long that allows people to run whatever PHP code they like by entering it into the querystring? Surely no one ever runs exec() or eval() on anything from $_GET without thorough checks. But I don't believe phpBB even uses those functions; it seems to be part of the preg_replace() stuff perhaps (?). Can anyone explain how code from a querystring can possibly be executed other than via eval() or the execution functions like exec()...?
< Simon >
I'll explain briefly.
The vulnerability related to SQL injection based on an un-escaped, un-quoted variable in an SQL call.
For example:
Code:
SELECT * FROM table WHERE something=$blah

Now, ideally, $blah will match up to something, and one row would be returned.
However, if $blah were maliciously set to (for example) $blah = '696 OR 1=1', then suddenly every record is returned, even though it should only be one record.
The key here is that you should never trust user data. The $blah should be typecast, yes, but also cleaned - which is what they added in the fix.
Unfortunately, there are many vulnerabilities like this out there, and they aren't always easy to find, let alone fix. Keep in mind that while "simple", phpBB is actually far beyond 10,000 lines of code - no "simple" task to maintain and search line-by-line for vulnerabilities.
Last edited by Roja on Mon Dec 13, 2004 12:00 am, edited 1 time in total.
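An added worked example of the injection Roja describes, written for this page rather than taken from phpBB. It uses Python with an in-memory SQLite table (constructed sample data, standing in for the post's "table") so it runs offline; the query shape is the same as in the post. `php_intval()` is a hypothetical helper that imitates PHP's (int) cast, which is what "typecast" means here. The three fetch functions show the unquoted-variable query, the typecast fix, and the general fix of binding the value as a parameter:

```python
import re
import sqlite3

def php_intval(value):
    """Approximation of PHP's intval()/(int) cast, i.e. the 'typecast' in the post:
    keep the leading integer of the string, or 0 if there is none.
    Hypothetical helper written for this example, not phpBB code."""
    m = re.match(r'\s*[-+]?\d+', value)
    return int(m.group(0)) if m else 0

def make_db():
    """Constructed in-memory table standing in for the 'table' in the post."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE posts (something INTEGER PRIMARY KEY, body TEXT)')
    conn.executemany('INSERT INTO posts VALUES (?, ?)',
                     [(695, 'first'), (696, 'second'), (697, 'third')])
    return conn

def fetch_unescaped(conn, blah):
    # The shape from the post: the value is pasted into the SQL text unquoted and
    # unescaped, so anything in it that is SQL syntax becomes part of the query.
    sql = 'SELECT * FROM posts WHERE something=' + blah
    return conn.execute(sql).fetchall()

def fetch_typecast(conn, blah):
    # Fix part one, typecasting: the value is forced to an integer before it is
    # formatted into the query, so the ' OR 1=1' tail cannot survive.
    sql = 'SELECT * FROM posts WHERE something=%d' % php_intval(blah)
    return conn.execute(sql).fetchall()

def fetch_bound(conn, blah):
    # The general fix: bind the value as a parameter. The driver sends it as data,
    # so '696 OR 1=1' is compared as one (non-numeric) value and matches nothing.
    return conn.execute('SELECT * FROM posts WHERE something=?', (blah,)).fetchall()

def run_demo():
    """Row counts for the honest and the hostile value through each variant."""
    conn = make_db()
    honest, hostile = '696', '696 OR 1=1'
    return (
        len(fetch_unescaped(conn, honest)),   # 1: the single row it should return
        len(fetch_unescaped(conn, hostile)),  # 3: OR 1=1 is true for every row
        len(fetch_typecast(conn, hostile)),   # 1: cast to 696, the tail is dropped
        len(fetch_bound(conn, hostile)),      # 0: no row has that value as its key
        len(fetch_bound(conn, honest)),       # 1
    )

if __name__ == '__main__':
    print(run_demo())
```

Typecasting is enough for a numeric column, which is why it was the right fix for this particular query; binding the value works for string columns too, where a cast is not available and escaping is the only other option.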
could be a sophisticated form of sql injection
a hole that's been around for a long time is probably one that is not very obvious,
and unconventional. could be a small hole that is not really directly dangerous, but could be used to exploit other parts of the script which could ultimately lead to allowing an attacker to do their magic.
it could even be dependent on an (otherwise) harmless bug in the underlying software (PHP, Apache, MySQL, etc...)
Thanks for the responses so far, however the bugs aren't SQL-injection, they allow PHP code execution... (Which is MUCH worse.)
My forum was hacked by someone doing something like...
Code:
http://abcdefg.com/viewtopic.php?a=.....mysql_query('SQL HERE')....

The dots represent special escape characters which exploit the vulnerability and I won't go into them here. But how on earth is this code actually executed? I just read somewhere that preg_replace() has an "e" switch which does evaluations. Am just gonna read up on that now...
< Simon >
Yeah, just found this in the PHP docs for preg_replace()...
Example 4. Using /e modifier
Code:
<?php
preg_replace("/(<\/?)(\w+)([^>]*>)/e",
    "'\\1'.strtoupper('\\2').'\\3'",
    $html_body);
?>

This would capitalize all HTML tags in the input text.
So the replacement string is actually executed as code? You'd have to be very careful with that. I wonder whether phpBB actually uses /e or whether this is somehow inserted via the exploit.
< Simon >
Simon wrote:
> I wonder whether phpBB actually uses /e or whether this is somehow inserted via the exploit.

Yes, phpBB does use /e (and in the newest version it's used as well):
Code:
//
// Highlight active words (primarily for search)
//
if ($highlight_match)
{
    // This was shamelessly 'borrowed' from volker at multiartstudio dot de
    // via php.net's annotated manual
    $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
}
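An added example, not code from phpBB or from anyone in this thread, answering Simon's two questions above (how code in a querystring gets executed without eval() or exec(), and whether /e is the mechanism). It is a Python model of PHP's /e: `preg_replace_e()` substitutes the backreferences into the replacement string and then evaluates the result, which is what PHP 4/5 did (the modifier was deprecated in PHP 5.5 and removed in 7.0). Around it: the manual's tag-uppercasing example, a highlighter with the same shape as the phpBB snippet quoted above (the outer replacement is source code built by concatenating `$highlight_match` into it, with the matched text pasted in as `\0`), and the same feature done with a callback, which is what PHP's preg_replace_callback() provides. `attacker_payload()`, `highlight_words()`, the sample messages and the payload strings are all constructed for the demo.

```python
import re

# Side-effect log so the demo can prove that injected code actually ran.
EXECUTED = []

def attacker_payload():
    """Stand-in for whatever the attacker's code does (system(), mysql_query(), ...).
    It returns '' so the visible page is unchanged; only the side effect remains."""
    EXECUTED.append('attacker_payload ran')
    return ''

def preg_replace_e(pattern, replacement, subject, flags=0):
    """Python model of PHP 4/5 preg_replace() with the /e modifier.
    For each match, \\0..\\9 in the replacement string are substituted with the
    captured text and the result is evaluated as code. The captured text is
    pasted in raw: it becomes part of the source that is evaluated, not a value
    handed to it, and that is the whole problem."""
    def evaluate(match):
        code = replacement
        for i in range(len(match.groups()), -1, -1):
            code = code.replace('\\%d' % i, match.group(i) or '')
        return str(eval(code))
    return re.sub(pattern, evaluate, subject, flags=flags)

def uppercase_tags(html):
    """The PHP manual's example 4, with the replacement written as Python
    instead of PHP's '\\1'.strtoupper('\\2').'\\3'."""
    return preg_replace_e(r'(</?)(\w+)([^>]*>)',
                          "'\\1' + '\\2'.upper() + '\\3'", html)

def highlight_words(words_pattern, text):
    """The inner preg_replace() of the phpBB snippet: bold each matched word."""
    return re.sub(r'\b(' + words_pattern + r')\b', r'<b>\1</b>', text, flags=re.I)

def phpbb_highlight(message, highlight_match):
    """Shape of the phpBB 2.0.x highlighter: the outer /e replacement is source
    code built by string concatenation, with $highlight_match pasted into it."""
    replacement = "highlight_words('" + highlight_match + "', '\\0')"
    wrapped = preg_replace_e(r'>[^<>]*<', replacement, '>' + message + '<')
    return wrapped[1:-1]   # the substr(..., 1, -1) of the original

def phpbb_highlight_safe(message, words):
    """Same feature without /e (PHP: preg_replace_callback()). The matched text
    is passed to a function as a value, and the words are escaped so they are
    data for the regex engine too; there is no source code for them to land in."""
    pattern = '|'.join(re.escape(w) for w in words)
    return re.sub(r'>[^<>]*<', lambda m: highlight_words(pattern, m.group(0)),
                  '>' + message + '<')[1:-1]

def run_demo():
    """Returns the results a test can check; see the comment on each value."""
    del EXECUTED[:]
    benign = uppercase_tags('<p class="x">Hi</p>')              # '<P class="x">Hi</P>'
    # A single quote in the *subject* closes the string literal in the evaluated code.
    hostile = uppercase_tags("<b ' + attacker_payload() + '>")  # '<B >'
    ran_from_subject = len(EXECUTED)                            # 1
    highlighted = phpbb_highlight('Learn php here', 'php')      # 'Learn <b>php</b> here'
    # Constructed $highlight_match: ends the quoted argument, runs code, reopens it.
    payload = "x', '') + attacker_payload() + highlight_words('x"
    attacked = phpbb_highlight('Learn php here', payload)       # 'Learn php here', unchanged
    ran_from_highlight = len(EXECUTED)                          # 2
    safe = phpbb_highlight_safe('Learn php here', [payload])    # 'Learn php here'
    ran_after_safe = len(EXECUTED)                              # still 2
    return (benign, hostile, ran_from_subject, highlighted, attacked,
            ran_from_highlight, safe, ran_after_safe)

if __name__ == '__main__':
    print(run_demo())
```

The point the model makes is that no eval() or exec() call is needed anywhere in the forum's own code: /e is an eval that is hidden inside preg_replace(), and both the matched text and anything concatenated into the replacement string end up inside that source. The hardened variant never builds source at all, so the same payload only fails to match a word.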