phpBB Vulnerabilities -- how are they possible?

Simon
Forum Newbie
Posts: 12
Joined: Sun Dec 12, 2004 11:36 pm

phpBB Vulnerabilities -- how are they possible?

Post by Simon »

phpBB released version 2.0.11 a few weeks ago to fix some serious security holes. Seems like this forum is still on 2.0.10 (hopefully with at least the quick-fix applied).

What I'm interested in knowing is -- how on earth can a vulnerability exist for so long that allows people to run whatever PHP code they like by entering it into the querystring? Surely no one ever runs exec() or eval() on anything from $_GET without thorough checks. But I don't believe phpBB even uses those functions, it seems to be part of the preg_replace() stuff perhaps (?). Can anyone explain how code from a querystring can possibly be executed other than via eval() or the execution functions like exec()...?

< Simon >
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

I'll explain briefly.

The vulnerability was related to SQL injection, based on an unescaped, unquoted variable in an SQL call.

For example:

Code:

SELECT * FROM table WHERE something=$blah

Now, ideally, $blah will match up to something, and one row would be returned.

However, if blah were maliciously set to (for example) $blah = '696 OR 1=1', then suddenly, every record is returned, even though it should only be one record.

The key here is that you should never trust user data. The $blah should be typecast, yes, but also cleaned - which is what they added in the fix.

Unfortunately, there are many vulnerabilities like this out there, and they aren't always easy to find, let alone fix. Keep in mind that while "simple", phpBB is actually far beyond 10,000 lines of code - no "simple" task to maintain and search line-by-line for vulnerabilities.
Last edited by Roja on Mon Dec 13, 2004 12:00 am, edited 1 time in total.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

Could be a sophisticated form of SQL injection.

A hole that's been around for a long time is probably one that is not very obvious and unconventional. It could be a small hole that is not really directly dangerous, but could be used to exploit other parts of the script, which could ultimately lead to allowing an attacker to do their magic.

It could even be dependent on an (otherwise) harmless bug in the underlying software (PHP, Apache, MySQL, etc.).
Simon
Forum Newbie
Posts: 12
Joined: Sun Dec 12, 2004 11:36 pm

Post by Simon »

Thanks for the responses so far, however the bugs aren't SQL-injection, they allow PHP code execution... (Which is MUCH worse.)

My forum was hacked by someone doing something like...

Code:

http://abcdefg.com/viewtopic.php?a=.....mysql_query('SQL HERE')....

The dots represent special escape characters which exploit the vulnerability and I won't go into them here. But how on earth is this code actually executed? I just read somewhere that preg_replace() has an "e" switch which does evaluations. Am just gonna read up on that now...

< Simon >
Simon
Forum Newbie
Posts: 12
Joined: Sun Dec 12, 2004 11:36 pm

Post by Simon »

Yeah, just found this in the PHP docs for preg_replace()...

Example 4. Using /e modifier

Code:

<?php
preg_replace("/(<\/?)(\w+)([^>]*>)/e",
             "'\\1'.strtoupper('\\2').'\\3'",
             $html_body);
?>

This would capitalize all HTML tags in the input text.

So the replacement string is actually executed as code? You'd have to be very careful with that. I wonder whether phpBB actually uses /e or whether this is somehow inserted via the exploit.

< Simon >
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Simon wrote: I wonder whether phpBB actually uses /e or whether this is somehow inserted via the exploit.
Yes, phpBB does use /e (and in the newest version it's used as well):

Code:

//
// Highlight active words (primarily for search)
//
if ($highlight_match)
{
        // This was shamelessly 'borrowed' from volker at multiartstudio dot de
        // via php.net's annotated manual
        $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
}
Simon
Forum Newbie
Posts: 12
Joined: Sun Dec 12, 2004 11:36 pm

Post by Simon »

Thanks... Yeah you'd want to be really careful about whatever's in $highlight_match...
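As an added example (not code from this thread or from phpBB), here is the highlight step from the quoted viewtopic.php snippet rewritten without the /e modifier; the function name highlight_words(), the $color argument standing in for $theme['fontcolor3'], and the sample inputs are all constructed, and the outer text-node matching is simplified compared with phpBB's recursive pattern.

```php
<?php
// Added example (not phpBB's or the thread's code). With /e, the replacement
// argument of preg_replace() is PHP source that the engine evaluates, and the
// phpBB snippet concatenates $highlight_match straight into that source. The
// durable fix is not better escaping but never handing the engine a string of
// code: preg_replace_callback() takes a closure, and preg_quote() turns the
// user-supplied search words into literal pattern text.
function highlight_words(string $html, array $words, string $color = 'ff0000'): string
{
    $quoted = [];
    foreach ($words as $w) {
        if ($w !== '') {
            $quoted[] = preg_quote($w, '#');   // '#' is the delimiter used below
        }
    }
    if (!$quoted) {
        return $html;
    }
    $word_re = '#\b(' . implode('|', $quoted) . ')\b#i';

    // As in the phpBB snippet, only text between '>' and '<' is rewritten, so
    // tag names and attribute values are left alone; wrapping the input in
    // '>' ... '<' and trimming afterwards puts the first and last text runs
    // under the same rule.
    $out = preg_replace_callback(
        '#>([^<>]+)<#',
        function (array $m) use ($word_re, $color): string {
            $text = preg_replace(
                $word_re,
                '<span style="color:#' . $color . '"><b>$1</b></span>',
                $m[1]
            );
            return '>' . $text . '<';
        },
        '>' . $html . '<'
    );
    if ($out === null) {   // PCRE error (e.g. backtrack limit): leave text untouched
        return $html;
    }
    return substr($out, 1, -1);
}

// The attribute value stays untouched; only the text node is highlighted.
echo highlight_words('<a href="admin">Admin panel</a>', ['admin']), "\n";
// Metacharacters in the search term are literal: "admin-panel" is not matched.
echo highlight_words('<p>admin.panel vs admin-panel</p>', ['admin.panel']), "\n";
```

The /e modifier itself was removed in PHP 7, so code like the quoted snippet no longer even parses there; the callback form above is the supported replacement.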