2.0.16 hacked via worm PLEASE READ

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
HaqDiesel
Registered User
Posts: 75
Joined: Sun Dec 12, 2004 4:00 am

Post by HaqDiesel » Tue Jul 19, 2005 6:56 pm

Techie-Micheal wrote: And one person banned. Anybody else want to tick me off today?



'Lene
Registered User
Posts: 47
Joined: Fri Jul 08, 2005 8:33 am

Post by 'Lene » Tue Jul 19, 2005 7:04 pm

Oh.. gosh. I was just trying to copy the .htaccess rules to try and protect my forums...

The post was deleted midway through!

I truly appreciate your honesty, espicom.

Would you mind telling us how to disable the highlight function?

Hundeforum
Registered User
Posts: 64
Joined: Tue Jul 19, 2005 12:06 am

Post by Hundeforum » Tue Jul 19, 2005 7:15 pm

@Techie-Micheal:

Did you take a look at this one?

http://www.phpbb.com/phpBB/viewtopic.php?t=308092

Manf

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Tue Jul 19, 2005 7:22 pm

Hundeforum wrote: @Techie-Micheal:

Did you take a look at this one?

http://www.phpbb.com/phpBB/viewtopic.php?t=308092

Manf
I have, yes.
Proven Offensive Security Expertise. OSCP - GXPN

allanhardy
Registered User
Posts: 197
Joined: Sun Dec 15, 2002 4:20 am

Post by allanhardy » Wed Jul 20, 2005 2:12 am

Techie-Micheal wrote:
Hundeforum wrote:@Techie-Micheal:

Did you take a look at this one?

http://www.phpbb.com/phpBB/viewtopic.php?t=308092

Manf
I have, yes.

That post comes up as not existing? Deleted?

Are there .htaccess rules one should know about?

jimknopf
Registered User
Posts: 6
Joined: Wed Nov 24, 2004 12:46 pm

Link not correct?

Post by jimknopf » Wed Jul 20, 2005 10:29 am

Hundeforum wrote: Might it be related to this (just asking)?

http://www.phpbb.com/phpBB/viewtopic.php?t=308092


The link provided does not work, i.e. the supposed entry is not found. Hundeforum, did you mistype it, maybe? If so, please provide the correct one ...

TasDevil
Registered User
Posts: 319
Joined: Tue Mar 15, 2005 5:49 am

Post by TasDevil » Wed Jul 20, 2005 11:25 am

allanhardy wrote: That post comes up as not existing? Deleted?

It's not deleted but moved to a non-public area (as you can see when you're not logged in). They probably moved it due to posted links to hack scripts. I found the thread in my browser cache, there was nothing really new in it.

Tas.

jimknopf
Registered User
Posts: 6
Joined: Wed Nov 24, 2004 12:46 pm

Post by jimknopf » Wed Jul 20, 2005 11:41 am

TasDevil wrote: It's not deleted but moved to a non-public area (as you can see when you're not logged in). They probably moved it due to posted links to hack scripts. I found the thread in my browser cache, there was nothing really new in it.

Tas.


But even if I am logged in I can not view it, the board telling me that the entry does not exist.

?????

Hundeforum
Registered User
Posts: 64
Joined: Tue Jul 19, 2005 12:06 am

Post by Hundeforum » Wed Jul 20, 2005 1:06 pm

As per Michael's statement, the thread I mentioned has been moved to a protected area here, not deleted. This has been done by the admins because of my quoted, potentially dangerous exploit examples.
While I understand that the investigation into whether this is a working exploit may explain their concerns and this action, I do not agree with the extent. We were about to discuss and show other people possible temporary protections, while these attacks are already going on (so nothing new at all). By moving the whole thread (instead of just editing out the strings deemed dangerous), anyone who comes here to find information about what he/she just saw in the logs is left high and dry.
As long as the phpBB crew does not know for sure whether those attacks would work as I posted them and with what version, user security should go first. If it turns out to be harmless, that's fine for everyone. But if it turns out to be a real danger, then the removal of the information would have kept it from helping to limit the damage to the readers of the forum.

Manf
Last edited by Hundeforum on Wed Jul 20, 2005 4:19 pm, edited 1 time in total.

TasDevil
Registered User
Posts: 319
Joined: Tue Mar 15, 2005 5:49 am

Post by TasDevil » Wed Jul 20, 2005 1:10 pm

jimknopf wrote: But even if I am logged in I can not view it, the board telling me that the entry does not exist.

Yes, because the thread is in a non-public area of this forum. When you are not logged in and you click the link above, you see the login page, which means the topic exists. You would see the "Topic does not exist" message while you're not logged in if the topic really did not exist.

Tas.
Last edited by TasDevil on Wed Jul 20, 2005 1:13 pm, edited 1 time in total.

iphorum
Registered User
Posts: 3
Joined: Wed Jul 20, 2005 10:30 am

Post by iphorum » Wed Jul 20, 2005 1:11 pm

What is the situation right now? Is there a security problem in 16 and prior or not? If there is a security problem, how to avoid it or even work around it?
100% FREE FORUM HOSTING AT http://www.iphorum.com

TasDevil
Registered User
Posts: 319
Joined: Tue Mar 15, 2005 5:49 am

Post by TasDevil » Wed Jul 20, 2005 1:15 pm

iphorum wrote: What is the situation right now? Is there a security problem in 16 and prior or not? If there is a security problem, how to avoid it or even work around it?

Yes, there is. Solution: Upgrade to phpBB 2.0.17.

Tas.

spiderr
Registered User
Posts: 5
Joined: Mon Jan 19, 2004 1:20 am
Location: North Carolina, USA

Post by spiderr » Wed Jul 20, 2005 4:12 pm

espicom wrote: I hate to say it, but yes, there is a way into .16 through the ever-vulnerable highlight code, which allows arbitrary execution of PHP commands. A simple MOD_REWRITE rule blocks it, disabling the PHP system() and exec() calls defang it, and removing the other security issues found in most sites makes it useless.

What are the other security issues?
  • writeable temporary or other file areas that allow command execution
  • web server user allowed access to wget and other file fetching tools
  • web server user allowed to write executable files anywhere


espicom, do you or anyone know of a nice tutorial (forum post, web page, etc.) that lists how to address these exact issues on your server to make it less vulnerable to unknown exploits?

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Wed Jul 20, 2005 5:07 pm

do you or anyone know of a nice tutorial (forum post, web page, etc.) that lists how to address these exact issues on your server to make it less vulnerable to unknown exploits?


One of the topics I posted in about this is this one, which has a link to WebHostingTalk on making the temporary directories unable to support executable files. This topic has some remarks about user ownership and permissions, as they apply to PHPBB.

The unfortunate thing about all of this is that the "best" security model won't work for most of the people who install PHPBB. It's nice to pontificate about setting the avatar directory owner to "apache", but you can only do that with root or administrator privileges, so it comes down to hosting yourself (with its own headaches), or getting a good, cooperative host that will work with you on such things (which excludes most free and many paid hosts).

Making tools that script kiddies need, like curl, wget, Perl, etc., available is usually based upon the needs of other sites on a shared host. Sometimes the choice of using Apache's mod_suexec is made to accommodate specific CGI requirements of just a few users, but affects all users if it isn't set up correctly.

The important part is to make sure that no file that could have been uploaded through HTTP can be considered executable. Since code in templates is run through the eval() function, the templates directory should not allow any writing by the web server.

Personally, I'd make one basic change to how PHPBB handles avatars, and things like the attachment and photo album MODs work... Put the files into BLOB fields in the database, rather than writing files on disk, and provide a display program that simply copies the contents of the BLOB out with the correct header information. If this were extended to templates, there would be NO need for PHPBB to write files to the system, and most upload-related exploits would not work... since the system doesn't know how to execute an SQL entry!

Hmmm... Maybe I'll put that on my list of changes to work on when I have time...
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
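
The two checks espicom describes above (no file uploaded through HTTP may be executable, and the templates directory must not be writable by the web server) can be audited with a short script. This is an added example, not part of the original thread or of phpBB; the directory names, the uid and the extension list are assumptions.

```python
import os
import stat

# Assumed list of extensions a PHP/CGI-enabled web server may execute.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py", "sh"}


def writable_by(st, uid, gids):
    """Apply the Unix owner/group/other rule to decide if uid may write."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_upload_dir(root):
    """Flag uploaded files that could be treated as executable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            # Check every dot-separated part: Apache's mod_mime can map
            # "x.php.gif" to a handler through the inner ".php".
            if {p.lower() for p in name.split(".")[1:]} & SCRIPT_EXTS:
                findings.append((path, "script extension"))
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((path, "execute bit set"))
    return sorted(findings)


def audit_code_dir(root, uid, gids=()):
    """List paths under a code directory that the web server user can write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, uid, gids):
                findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical layout and web server uid; adjust to the board being checked.
    for finding in audit_upload_dir("images/avatars"):
        print("upload:", finding)
    for path in audit_code_dir("templates", uid=33):
        print("web-writable:", path)
```

The script reads mode bits only, so it can be run by any account that can list the directories; it does not account for ACLs or mount options such as noexec.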

Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Post by Graham » Wed Jul 20, 2005 5:14 pm

I would like to remind people here that if they believe they have found an exploit in phpBB code (or a potential one), they should post it - with all the details - to the Security tracker and not on the forum.
"So Long, and Thanks for All the Fish"

phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!
