
Exploit Vulnerability Found in 2.0.18: you MUST disable HTML!

Posted: Wed Dec 28, 2005 9:51 pm
by clubchill
Exploit Targets New phpBB 2.0.18 Security Hole

An exploit has been released for a new security hole in phpBB 2.0.18, the popular web forum software. The attack has the potential to compromise any phpBB 2.0.18 installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forums poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended against if phpBB's "Allow HTML" and register_globals settings are both disabled.

Some web hosts have banned the use of phpBB, citing ongoing security problems. Hackers often seek out vulnerabilities in forum software, which typically offers many fields that all must check input to detect malicious code.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bundled with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 224,000 registered members of its user forum. A number of web hosts offer phpBB as an account add-on that can easily be installed by users.

Posted: Wed Dec 28, 2005 10:05 pm
by espicom
Old news. The HTML vulnerability is in Internet Explorer, and it's PHPBB's problem because some people enable HTML. If you're worried about it, disable HTML, like most of us, and the attack won't be able to work. I haven't had HTML enabled on a forum in years. Brute-force password attacks are nothing new, just made easier by the information an IE user can reveal without knowing it.

Of course, I'm not trying to annoy users by enabling FLASH and automatic music, like some users. :wink:

Posted: Wed Dec 28, 2005 10:07 pm
by SmartSquid399
It's not really phpBB's fault, it's IE's. Internet Explorer has so many security holes that I'm surprised there's only one major vulnerability out involving it.

Posted: Wed Dec 28, 2005 10:16 pm
by espicom
Did you see where Microsoft is "strenuously objecting" to efforts by ISPs to block internet access to compromised computers? They're afraid it will kick all the Windows users off the net! 8)

Posted: Wed Dec 28, 2005 10:22 pm
by clubchill
espicom wrote: Old news. The HTML vulnerability is in Internet Explorer, and it's PHPBB's problem because some people enable HTML. If you're worried about it, disable HTML, like most of us, and the attack won't be able to work. I haven't had HTML enabled on a forum in years. Brute-force password attacks are nothing new, just made easier by the information an IE user can reveal without knowing it.

Of course, I'm not trying to annoy users by enabling FLASH and automatic music, like some users. :wink:


I understand, and these are very good points. However... the point that phpBB misses in all of this is that you have to design your software for "other" software.

Other software does not have to be designed for phpBB.

Do you suppose major industrial companies running mission-critical thin-client apps via the web will allow their passwords to be hacked because of an IE flaw??

Be for real.....

No, they design their products around the flaw, in such a manner as to protect the integrity of their data. Can you hack PayPal passwords because of IE? Can you hack Amazon passwords because of IE? Can you hack Dell.com, or your local bank's online-banking passwords because of IE?? No... but you can hack phpBB passwords because of IE though, can't you??

It looks bad on this community fellas.

Why?

Because phpBB is designed with an "I-don't-care" attitude, and it shows in the number of vulnerabilities in this software.

phpBB development needs to take a full "Corporate" approach in their design, and treat this software as though it were set up to guard a million dollars.

Until then............ anything goes.

Because just like you said "Old News"... guess what.... it was "Old News" that Microsoft's Internet Explorer was flawed.... but what did phpBB do?

They still developed on top of that flaw like they really didn't give a damn.

And that's wrong.

Posted: Wed Dec 28, 2005 10:45 pm
by espicom
You cannot design for problems you do not know about. Internet Explorer has a bug that will allow someone to send it an "image" that is really a program, and compromise it. PHPBB tries to fix that by limiting what can appear in an IMG tag, but it isn't enough - if someone has access to a server, you can build a legal URL that will look like an image file (no script references or other suspicious content), even be verifiable to contain an image when checked, and yet still send a compromise program to a real IE user. How is this PHPBB's fault? How does taking a "corporate attitude" towards the problem fix Internet Explorer?

You can only protect IE users by eliminating any possibility of anyone other than yourself providing content to your site. You cannot provide links to external pages or images, especially those that can be provided by others; if it isn't on your server, you don't control it, and you cannot protect IE users from it. It's as simple as that.

The problem is that "the world wide web" is all about links, and that's where the security of Internet Explorer falls apart. It's too trusting of content - if I send a file "bob.jpg" to IE, and it's really an executable, IE will execute it, rather than deciding it's a bad JPG file. Oops! Fix PHPBB!

IE has so many flaws that have yet to be discovered (or publicised) that it could be years before everyone "protects" IE users "enough", but Microsoft keeps introducing new flaws, with each new version. Can you tell me what the PHPBB development team will need to change in PHPBB to be ready to protect IE 7 users?

Posted: Wed Dec 28, 2005 10:58 pm
by clubchill
espicom wrote: You cannot design for problems you do not know about. Internet Explorer has a bug that will allow someone to send it an "image" that is really a program, and compromise it. PHPBB tries to fix that by limiting what can appear in an IMG tag, but it isn't enough - if someone has access to a server, you can build a legal URL that will look like an image file (no script references or other suspicious content), even be verifiable to contain an image when checked, and yet still send a compromise program to a real IE user. How is this PHPBB's fault? How does taking a "corporate attitude" towards the problem fix Internet Explorer?

You can only protect IE users by eliminating any possibility of anyone other than yourself providing content to your site. You cannot provide links to external pages or images, especially those that can be provided by others; if it isn't on your server, you don't control it, and you cannot protect IE users from it. It's as simple as that.

The problem is that "the world wide web" is all about links, and that's where the security of Internet Explorer falls apart. It's too trusting of content - if I send a file "bob.jpg" to IE, and it's really an executable, IE will execute it, rather than deciding it's a bad JPG file. Oops! Fix PHPBB!

IE has so many flaws that have yet to be discovered (or publicised) that it could be years before everyone "protects" IE users "enough", but Microsoft keeps introducing new flaws, with each new version. Can you tell me what the PHPBB development team will need to change in PHPBB to be ready to protect IE 7 users?


lol.. that's the whole purpose of server-side scripting, you process the data "before" it's sent to the browser.... hello?

PHP has functions that can verify the reliability of a file, such as in the jpg scenario you mentioned, and if it's a bad file then it can be scripted to not even send the file to the browser. That's the whole point of PHP..... "HTML Processing"

Why would you let Internet Explorer execute a potentially bad file, when you can verify its legitimacy server-side before even sending it to the browser?

Do you suppose these companies like banks and investment firms that run web-apps for their clients will allow a bad .jpg or a bad .txt or a bad .mp3 or .swf to be served to the browser and compromise their data?

If it wasn't so, I'd agree with you. But the evidence of secure web application development on the internet is too vast for your argument to hold true.

Lol.. and need I mention some other BulletinBoard systems that use PHP and mySQL too, but don't have these vulnerability issues?

haha.. you don't want me to go there, do you..

Posted: Wed Dec 28, 2005 11:41 pm
by itsonlybarney
I just want clarification. From what I have read you are saying that phpBB has a 'flaw' because it will open an 'image' file that may be an executable program. Is that right? But you're also saying that because phpBB is run on a PHP server, the PHP should be able to detect whether the 'image', in a signature or a post, is an executable. From my understanding the signatures in posts and images are generally stored outside the phpBB server and therefore PHP can't determine whether or not the 'image' is really an executable file.

Posted: Wed Dec 28, 2005 11:44 pm
by clubchill
itsonlybarney wrote: I just want clarification. From what I have read you are saying that phpBB has a 'flaw' because it will open an 'image' file that may be an executable program. Is that right? But you're also saying that because phpBB is run on a PHP server, the PHP should be able to detect whether the 'image', in a signature or a post, is an executable. From my understanding the signatures in posts and images are generally stored outside the phpBB server and therefore PHP can't determine whether or not the 'image' is really an executable file.


Barney, code can't do anything unless it's programmed to do so. phpBB developers aren't developing necessary security checks. They're only plugging them after they've been discovered. Not prior.

Posted: Wed Dec 28, 2005 11:45 pm
by clubchill
lol.. I guess I won this debate, huh?

No counterpoints? hehehe

Posted: Wed Dec 28, 2005 11:52 pm
by IndieDesigns
clubchill wrote: lol.. I guess I won this debate, huh?

No counterpoints? hehehe


Want a counterpoint? This is a Support Forum, so why not either post something you need support for (like the logout sid issue) or go help someone. All you're doing is taking time away from people who need support by trying to get all the regulars here on the defensive. This thread would belong more in phpBB discussion, not support. :roll:

---Indie

Posted: Thu Dec 29, 2005 6:06 am
by espicom
clubchill wrote: lol.. I guess I won this debate, huh?

No counterpoints? hehehe


Can't win just because people have jobs to attend to. From Slashdot, posted just hours ago:
"Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""


So, should we post this as yet another vulnerability in PHPBB? All it takes is a URL to a server under the control of an attacker, preferably in an image tag, to make it look innocent. And, like I have said previously, short of disabling all BBCode as well as HTML, PHPBB can't prevent it from happening. Heck, even if I write code in PHPBB to immediately request the remote link, analyze what is returned by it, there is no guarantee that the user will get the same thing returned to their browser.

Same goes for remote avatars... Disable them immediately, and remove support for it from PHPBB, because it's a vulnerability that PHPBB must protect IE users from!

I know - make PHPBB smart enough that if the user agent is any version of Internet Explorer, it returns a text-only page, no HTML, no links, nothing that IE can interpret as a link, or whatever... Yeah, that's the way to protect them! Give them a safe surfing environment.
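The point espicom makes above, that checking a remote link server-side says nothing about what the reader's browser will later be handed, can be shown in a small simulation. This is an added illustration, not code from the thread or from phpBB: the remote host, the URL and the user-agent strings are all constructed stand-ins, and the remote host is written to answer differently to a link checker than to a browser.

```python
# Added illustration (not phpBB code): a server-side "is it really an image?"
# probe cannot vouch for a later, separate fetch by the user's browser.

JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = b"GIF89a"
PE_MAGIC = b"MZ"  # header of a Windows executable


def looks_like_image(data: bytes) -> bool:
    """Accept only content that begins with a known image signature."""
    return data.startswith(JPEG_MAGIC) or data.startswith(GIF_MAGIC)


# Constructed stand-in for a host under someone else's control: it serves a
# real-looking JPEG header to anything that is not Internet Explorer.
def remote_fetch(url: str, user_agent: str) -> bytes:
    if url != "http://example.invalid/bob.jpg":  # hypothetical URL
        raise KeyError(url)
    if "MSIE" in user_agent:
        return PE_MAGIC + b"\x90\x00\x03\x00"      # not an image at all
    return JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"   # plausible JPEG header


def fetch_then_link(url: str) -> str:
    """'Verify, then let the browser fetch it': the check and the delivery
    are two independent requests, so passing the check proves nothing about
    the second response.  Returns the IMG tag, or '' if the probe failed."""
    probe = remote_fetch(url, "phpBB-linkcheck/1.0")  # hypothetical UA
    if not looks_like_image(probe):
        return ""
    return f'<img src="{url}">'


def browser_receives(url: str, user_agent: str) -> bytes:
    """What the reader's browser actually gets when it follows the tag."""
    return remote_fetch(url, user_agent)


def proxy_serve(url: str) -> bytes:
    """Mitigation: fetch once, validate, and serve those same bytes from your
    own host.  The browser never contacts the remote server, so what was
    inspected is exactly what is delivered."""
    data = remote_fetch(url, "phpBB-imgproxy/1.0")  # hypothetical UA
    if not looks_like_image(data):
        raise ValueError("rejected: remote content is not an image")
    return data
```

Proxying removes the gap between inspection and delivery, but it does not make the bytes safe to parse: a crafted file that passes a signature check can still target a flaw in the browser's image decoder, which is exactly the class of bug the WMF report quoted above describes.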

Posted: Thu Dec 29, 2005 6:31 am
by karlsemple
Having read this topic from start to finish I still don't see what this has to do with phpBB...... you can't possibly find a flaw in one program and then blame it on the developers of another :roll: As stated a trillion times and then some... any internet user really worried about security would throw 99% of Microsoft's products straight in the bin, let alone use them. IE being the first and worst to go, when will you security-concerned folks start using Firefox?

Posted: Thu Dec 29, 2005 7:17 am
by Blankety Blank Man
clubchill wrote: lol.. that's the whole purpose of server-side scripting, you process the data "before" it's sent to the browser.... hello?

PHP has functions that can verify the reliability of a file, such as in the jpg scenario you mentioned, and if it's a bad file then it can be scripted to not even send the file to the browser. That's the whole point of PHP..... "HTML Processing"
Actually it's PHP Hypertext Processor now, and Personal Home Page in the past ;)

As far as things that are actually important go, I'd like to see you submit a code segment that will analyze the content of each link on the page, especially images, and scan for viri. The only way I can see that code working would be to open a socket to the file being linked to, and compare it against a database of viri. That would, of course, require that the target allow incoming socket connections in that manner, that the phpBB host allow the outgoing socket, that the PHP version contain the function to do that, and, of course, a rather large amount of time that the end user would not like to spend waiting for a page to load.

Posted: Thu Dec 29, 2005 8:12 am
by justbrowsing
My monitor colors are messed up. phpBB shows up with funny colors. Support team - please fix this!!! It is a flaw in your program not to accommodate my monitor...