Page 1 of 1

Site got hacked, Wondering if it is this hole

Posted: Sat Jun 03, 2006 7:58 pm
by mytime
Hi All,

I've a website running and it got hacked.
We're running a php nuke site with a way too old version of both phpnuke and phpbb.
We run phpbb Powered by phpBB 2.0.4 © 2001 phpBB Group.
But the hacker succeeded in modifying files this time (and thats something different than sql injection!).
He modified e.g. the index.php file from the phpbb.
According this security warning
http://www.securityfocus.com/bid/18255/discuss
phpBB is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.


it can be done with an exploit in phpnuke.
According the information all phpBB versions are prone to this exploit.
When will we get the a patch for this?

W. Kind Regards,

mytime

Re: Site got hacked, Wondering if it is this hole

Posted: Sat Jun 03, 2006 8:02 pm
by jwunderly
mytime wrote: We're running a php nuke site with a way too old version of both phpnuke and phpbb.


Doesn't do much good to post this here, as we don't support anything but "vanilla" phpBB here.

In any case, the lesson learned here is what most of the "regulars" here preach and practice, stay current on the forum version, check all installed mods for security hole, and monitor the user base.

Posted: Sat Jun 03, 2006 8:15 pm
by mytime
Hi jwunderly

I understand that we've to upgrade the whole site.
But it was always a thing managed by another person who suicided 1st january this year.
Now I'am running it and it contains a lot custom made code.
I want to replace that and go work with both latest phpNuke and phpBB.
But today I think it will not help me, cause as far I can see all versions are vunerable to it, the recent phpBB versions too...

http://www.securityfocus.com/bid/18255/info

Bugtraq ID: 18255
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Jun 03 2006 12:00AM
Updated: Jun 03 2006 12:00AM
Credit: Canberx is credited with the discovery of this vulnerability.
Vulnerable: phpBB Group phpBB 2.0.20
phpBB Group phpBB 2.0.19
phpBB Group phpBB 2.0.18
phpBB Group phpBB 2.0.17
phpBB Group phpBB 2.0.16
phpBB Group phpBB 2.0.15
phpBB Group phpBB 2.0.14
phpBB Group phpBB 2.0.13
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0 RC4
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 RC3
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 RC2
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 RC1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9
phpBB Group phpBB 2.0 Beta 1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache for Windows 1.3.9


Not Vulnerable:

W. Kind Regards,

Mytime

Posted: Sat Jun 03, 2006 10:01 pm
by mytime
Hi all,

I wonder if you care about this serious security hole in the forum.
Its eminent that its serious one can execute phpnuke code trough the hole I mentioned and thus take every phpBB site down, not only sites running old phpBB versions but too those who're running the latest versions.
We can't wait, so we've decided investigate it and to write our own patch for it.
Maybe we'll be the only existing phpBB forum in future? 8O

Mytime

Posted: Sat Jun 03, 2006 10:13 pm
by jwunderly
You're running a buggy CMS and a mutated variant of the phpBB code, which happens to be 16 versions out-of-date, but you want to dump on us?

enjoy coding your patch.

Posted: Sat Jun 03, 2006 11:31 pm
by ubtsa
dudes,
i don't think running either an outdated phpnuke or phpbb is the cause of this type of attack, since this problem is also found in the latest pure version of phpbb (2.0.20).
so i guess phpBB developers should be informed about this so it can be fixed.

i'm a victim too, btw. this is a good find, mytime! way to go!

Posted: Sat Jun 03, 2006 11:54 pm
by beatme101
Obviously BS.


That's the example URL they give. The thing about it is, there is no template.php in phpbb's root folder.

Posted: Sun Jun 04, 2006 12:32 am
by Techie-Micheal
beatme101 wrote: Obviously BS.


That's the example URL they give. The thing about it is, there is no template.php in phpbb's root folder.
There isn't even a page variable in template.php ...

Posted: Sun Jun 04, 2006 12:34 am
by beatme101
Techie-Micheal wrote: There isn't even a page variable in template.php ...


Hehehe, I noticed that too ^_^