Site got hacked, Wondering if it is this hole

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
mytime
Registered User
Posts: 3
Joined: Sat Jun 03, 2006 7:51 pm

Site got hacked, Wondering if it is this hole

Post by mytime » Sat Jun 03, 2006 7:58 pm

Hi All,

I've a website running and it got hacked.
We're running a php nuke site with a way too old version of both phpnuke and phpbb.
We run phpbb Powered by phpBB 2.0.4 © 2001 phpBB Group.
But the hacker succeeded in modifying files this time (and thats something different than sql injection!).
He modified e.g. the index.php file from the phpbb.
According this security warning
http://www.securityfocus.com/bid/18255/discuss
phpBB is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.


it can be done with an exploit in phpnuke.
According the information all phpBB versions are prone to this exploit.
When will we get the a patch for this?

W. Kind Regards,

mytime

User avatar
jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Re: Site got hacked, Wondering if it is this hole

Post by jwunderly » Sat Jun 03, 2006 8:02 pm

mytime wrote: We're running a php nuke site with a way too old version of both phpnuke and phpbb.


Doesn't do much good to post this here, as we don't support anything but "vanilla" phpBB here.

In any case, the lesson learned here is what most of the "regulars" here preach and practice, stay current on the forum version, check all installed mods for security hole, and monitor the user base.
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

mytime
Registered User
Posts: 3
Joined: Sat Jun 03, 2006 7:51 pm

Post by mytime » Sat Jun 03, 2006 8:15 pm

Hi jwunderly

I understand that we've to upgrade the whole site.
But it was always a thing managed by another person who suicided 1st january this year.
Now I'am running it and it contains a lot custom made code.
I want to replace that and go work with both latest phpNuke and phpBB.
But today I think it will not help me, cause as far I can see all versions are vunerable to it, the recent phpBB versions too...

http://www.securityfocus.com/bid/18255/info

Bugtraq ID: 18255
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Jun 03 2006 12:00AM
Updated: Jun 03 2006 12:00AM
Credit: Canberx is credited with the discovery of this vulnerability.
Vulnerable: phpBB Group phpBB 2.0.20
phpBB Group phpBB 2.0.19
phpBB Group phpBB 2.0.18
phpBB Group phpBB 2.0.17
phpBB Group phpBB 2.0.16
phpBB Group phpBB 2.0.15
phpBB Group phpBB 2.0.14
phpBB Group phpBB 2.0.13
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0 RC4
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 RC3
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 RC2
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 RC1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 Beta 1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9


Not Vulnerable:

W. Kind Regards,

Mytime

mytime
Registered User
Posts: 3
Joined: Sat Jun 03, 2006 7:51 pm

Post by mytime » Sat Jun 03, 2006 10:01 pm

Hi all,

I wonder if you care about this serious security hole in the forum.
Its eminent that its serious one can execute phpnuke code trough the hole I mentioned and thus take every phpBB site down, not only sites running old phpBB versions but too those who're running the latest versions.
We can't wait, so we've decided investigate it and to write our own patch for it.
Maybe we'll be the only existing phpBB forum in future? 8O

Mytime

User avatar
jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Post by jwunderly » Sat Jun 03, 2006 10:13 pm

You're running a buggy CMS and a mutated variant of the phpBB code, which happens to be 16 versions out-of-date, but you want to dump on us?

enjoy coding your patch.
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

ubtsa
Registered User
Posts: 27
Joined: Mon Apr 25, 2005 12:55 pm

Post by ubtsa » Sat Jun 03, 2006 11:31 pm

dudes,
i don't think running either an outdated phpnuke or phpbb is the cause of this type of attack, since this problem is also found in the latest pure version of phpbb (2.0.20).
so i guess phpBB developers should be informed about this so it can be fixed.

i'm a victim too, btw. this is a good find, mytime! way to go!

beatme101
Registered User
Posts: 2866
Joined: Sat Jan 01, 2005 6:20 am
Location: The country cold comes from; Canada.
Contact:

Post by beatme101 » Sat Jun 03, 2006 11:54 pm

Obviously BS.


That's the example URL they give. The thing about it is, there is no template.php in phpbb's root folder.

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Sun Jun 04, 2006 12:32 am

beatme101 wrote: Obviously BS.


That's the example URL they give. The thing about it is, there is no template.php in phpbb's root folder.
There isn't even a page variable in template.php ...
Proven Offensive Security Expertise. OSCP - GXPN

beatme101
Registered User
Posts: 2866
Joined: Sat Jan 01, 2005 6:20 am
Location: The country cold comes from; Canada.
Contact:

Post by beatme101 » Sun Jun 04, 2006 12:34 am

Techie-Micheal wrote: There isn't even a page variable in template.php ...


Hehehe, I noticed that too ^_^

Locked

Return to “2.0.x Support Forum”