base64_decode() security issue

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
eben80
Registered User
Posts: 35
Joined: Thu Apr 26, 2007 11:17 am

base64_decode() security issue

Post by eben80 »

Hi all,

The following is the basic SRT
Your board's URL: http://www.aircooledvwsa.co.za
Version of phpBB3: 3.0.0
Was this a fresh install or a(n) update/upgrade/conversion (please be specific)? conversion from the previous RC
Was this an install through your host? No
MODs you have installed: Quick Reply and Calendar
When the problem started: Today

Additionally, you may wish to provide the following (where applicable)
Template(s) used: Prosilver
Language(s) used: English
Version of PHP used: 5.2.2
Database and version used: MySQL 4.1.22 Standard


My hosting company today disabled the base64_decode() function because they say that it has a vulnerability in that it has been used for injection attacks.

This of course now leaves me with the following:

Code:

[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_privmsgs.php on line 1716: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_privmsgs.php on line 1716: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions_content.php on line 1188: base64_decode() has been disabled for security reasons
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 3389: Cannot modify header information - headers already sent by (output started at /includes/functions.php:2920)
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 3391: Cannot modify header information - headers already sent by (output started at /includes/functions.php:2920)
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 3392: Cannot modify header information - headers already sent by (output started at /includes/functions.php:2920)
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 3393: Cannot modify header information - headers already sent by (output started at /includes/functions.php:2920)
This displays at the head of some pages and some parts of the forum don't work, i.e. BBCoded images etc.

Is there anything I can do to resolve this as it seems that it is unlikely for the hosting company to enable the function again. Also has anyone else had this problem?

Thank you in advance.

Regards

Eben

eben80
Registered User
Posts: 35
Joined: Thu Apr 26, 2007 11:17 am

Re: base64_decode() security issue

Post by eben80 »

Just attached the template.

Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht
Contact:

Re: base64_decode() security issue

Post by Vic D'Elfant »

Who is this hosting provider? I can't imagine that any sensible hosting provider would disable a function like base64_decode() because of "security reasons". The reasoning behind disabling this function is probably to make it harder for someone to make use of obfuscation to cloak malicious scripts, but this "solution" to exploits is something which even a junior, inexperienced system administrator wouldn't choose to do. I've never heard of this security restriction before and I'm sure you won't be their only client complaining.

Unfortunately, you'll have to get them to enable this function or you'll have to move to another hosting provider, there's no way to work around it. What they're doing is like forbidding balaclavas to be sold because they could be used to cover someone's face while robbing a bank.
midd.ag • DTP, web development & printing
http://www.midd.ag

Brf
Support Team Member
Posts: 51927
Joined: Tue May 10, 2005 7:47 pm
Contact:

Re: base64_decode() security issue

Post by Brf »

Yes. That is pretty silly.
It is like disabling your Email completely, simply because someone can Email you a virus.

eben80
Registered User
Posts: 35
Joined: Thu Apr 26, 2007 11:17 am

Re: base64_decode() security issue

Post by eben80 »

LOL, and there I thought it was a "new hole" that was discovered. The company is called EUKhost.com
They are pretty solid with everything else so it would be a shame to move.
Has nobody else brought this issue up before? Any ideas what I can tell them to convince them to enable it again? Thanks for the replies.

Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht
Contact:

Re: base64_decode() security issue

Post by Vic D'Elfant »

If memory serves me correctly, no, this hasn't been brought up before. If their reasoning behind this really is to make it harder to use obfuscation in backdoor scripts, they might as well disable urldecode(), foreach, the "for" loop, arrays, any other function which could be used to convert one character to another, I/O functions, system/exec functions, etc. It really has no use to disable it for the reasons they believe in, they're affecting way, way more genuine scripts than they want, and they should know that.

Besides, most backdoors don't even go through the hassle of base64-encoding it, or they rely on a real obfuscator which doesn't make use of base64_decode() but just scrambles the content by renaming variable names and using sub-sub-sub-sub function calls with random names. If I could get a file (i.e. a backdoor) on a place where it shouldn't be even possible to get one, I wouldn't worry about encoding it or I would simply change the script once I found out that base64_decode() turns out to be disabled. It's too late if a hacker can get that far, anyway.
midd.ag • DTP, web development & printing
http://www.midd.ag
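The notices in the first post and Vic's point that switching off base64_decode() is not a meaningful control suggest two checks an administrator can run from the command line. The following is an added example, not code from this thread, from phpBB or from the host: it reads PHP's disable_functions directive to report which functions the board depends on have been switched off (so the breakage can be diagnosed before the board starts printing notices), and it scans source text for the obfuscation idioms the thread describes, which is the kind of detection a host should run instead of disabling a decoding function outright. The list of required functions, the suspicious patterns and the sample sources are assumptions constructed for the example; it assumes PHP 7 or later.

```php
<?php
// Added example for this thread: not phpBB code and not eUKhost's configuration.

// Functions this example ASSUMES a phpBB 3.0 board calls. base64_decode is the
// one named in the notices above; the others are assumptions for illustration.
const REQUIRED_FUNCTIONS = ['base64_decode', 'base64_encode', 'gzinflate', 'preg_replace'];

/**
 * Return the names from $required that appear in a disable_functions
 * directive value (comma separated, whitespace around names tolerated).
 */
function disabledRequiredFunctions(string $disableFunctionsValue, array $required): array
{
    $disabled = array_filter(array_map('trim', explode(',', strtolower($disableFunctionsValue))));
    return array_values(array_intersect($required, $disabled));
}

// Heuristic patterns for obfuscation idioms seen in PHP backdoors: evaluation
// of decoded data, chained decoders, and very long base64 string literals.
// A plain base64_decode() call on its own is deliberately NOT flagged, since
// phpBB and countless other applications use it legitimately.
const SUSPICIOUS_PATTERNS = [
    'eval of decoded data' => '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'nested decode chain'  => '/\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'long base64 literal'  => '/[\'"][A-Za-z0-9+\/]{200,}={0,2}[\'"]/',
];

/**
 * Scan PHP source text and return the names of the patterns it matches.
 */
function scanSource(string $source): array
{
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $source) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// --- Demonstration with constructed inputs --------------------------------

// A disable_functions value modelled on what the thread describes (constructed).
$hostDirective = 'exec, passthru, shell_exec, system, base64_decode';
$missing = disabledRequiredFunctions($hostDirective, REQUIRED_FUNCTIONS);
echo 'Disabled functions the board needs (sample directive): '
    . (empty($missing) ? 'none' : implode(', ', $missing)) . PHP_EOL;

// The same check against the live directive on this server.
$live = disabledRequiredFunctions((string) ini_get('disable_functions'), REQUIRED_FUNCTIONS);
echo 'Disabled functions the board needs (this server): '
    . (empty($live) ? 'none' : implode(', ', $live)) . PHP_EOL;

// Constructed sample sources: one legitimate use next to three obfuscation idioms.
$samples = [
    'legitimate board code' => '<?php $text = base64_decode($row["bbcode_bitfield"]); echo $text;',
    'eval of decoded blob'  => '<?php eval(base64_decode("aGVsbG8="));', // decodes to "hello"
    'chained decoders'      => '<?php $x = gzinflate(base64_decode($blob));',
    'long opaque literal'   => '<?php $p = "' . str_repeat('QUJD', 60) . '";',
];
foreach ($samples as $label => $code) {
    $hits = scanSource($code);
    printf("%-22s -> %s\n", $label, empty($hits) ? 'clean' : implode('; ', $hits));
}
```

Run it with `php check.php` (any file name) on the host. The first line reports the constructed directive, the second the server's real setting; the scanner output shows the legitimate sample as clean and the three idioms flagged. The patterns are heuristics and will need tuning against a real code base: they are meant to show that suspicious use of a decoder is detectable without taking the decoder away from every application on the server.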

eben80
Registered User
Posts: 35
Joined: Thu Apr 26, 2007 11:17 am

Re: base64_decode() security issue

Post by eben80 »

Thanks for that info. They said they had a problem with a single site this morning with a malicious script that had been run. Well, guess what... now they have many genuine scripts that don't work properly. I have sent them your previous message as well, thanks, so I will see what they say.

Thank you for the help.

asphole
Registered User
Posts: 5
Joined: Fri Feb 15, 2008 4:15 pm

Re: base64_decode() security issue

Post by asphole »

Hi Eben80,
Don't hold your breath!! Unfortunately I have 30 zen cart sites hosted with EUKhost and found the same problem today. Every site spewing out this error message. I'm sure my customers won't stay on the site for long when they're greeted by a message stating there is a security issue! I spoke with support for over an hour and they simply will not re-enable it. Their advice however was to upgrade to a dedicated server for £79 per month (Oh, and they forgot to tell me until I had paid them for it that there was an additional £20 for cpanel!!) I subsequently sent in a refund request and will be taking my business elsewhere. 123-reg offer similar packages for half the price! I would be interested to see if you find a solution and will also be sending this thread to eukhost to shame them into doing something about this! Their support, which is usually very good, was appalling and they showed that they really do not care about customers!! This is the 3rd time they have implemented changes which have affected the running of my sites. I would look for a 'proper' host asap!
Best of luck!

eben80
Registered User
Posts: 35
Joined: Thu Apr 26, 2007 11:17 am

Re: base64_decode() security issue

Post by eben80 »

That's really bad. Especially for a commerce site. I also asked them if they intended on warning anyone or sending out an email, but there were no notifications anywhere... not even in their own forum.
No reply as of yet. I will update the thread.

eben80
Registered User
Posts: 35
Joined: Thu Apr 26, 2007 11:17 am

Re: base64_decode() security issue

Post by eben80 »

Hang on a second:

Hello Eben,

I apologize for the inconvenience caused to you.
Now we have re-enabled the php function base64_decode on server again.

Regards,
Nick J.
Senior Admin
Support Team.

That's good news. Thanks for your input guys. I'm sure it made the difference.

Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht
Contact:

Re: base64_decode() security issue

Post by Vic D'Elfant »

While I/we don't mind sharing experiences with this hosting provider in the context of this issue, please refrain from posting offers such as "go to XYZ Hosting Company, they're cheaper and offer the same support!" :) No-one has done so far, but it usually does happen.
midd.ag • DTP, web development & printing
http://www.midd.ag

asphole
Registered User
Posts: 5
Joined: Fri Feb 15, 2008 4:15 pm

Re: base64_decode() security issue

Post by asphole »

Was just about to post the same!! I threatened to remove all my sites, and discuss their service in great detail on a number of my blogs and forums!! Thankfully it hasn't come to that! Glad it's sorted! Hours wasted though!!

asphole
Registered User
Posts: 5
Joined: Fri Feb 15, 2008 4:15 pm

Re: base64_decode() security issue

Post by asphole »

Vic, I offered an alternative in case other users were in the same position as myself, i.e. losing money by the hour during a very busy day. Having to locate another host can be daunting and I personally would have appreciated a pointer in the right direction at this frustrating time. Apologies if this breached T&C however.

eUKhost.com
Registered User
Posts: 1
Joined: Wed Aug 15, 2007 9:13 am
Contact:

Re: base64_decode() security issue

Post by eUKhost.com »

Hello,

At eUKhost we are constantly on the look out for exploits and potential exploits. Earlier today we found something that at the time seemed quite suspicious and this function was disabled as a precaution while we investigated further. We regret any inconvenience caused but you can at least understand our desire to ensure maximum security. In this case it was a false alarm and perhaps the technician that was assigned to work on it was over cautious.

I would also like to point out that some customers may be better suited to a VPS, Semi-dedicated or even a Dedicated Server. Especially if there are large amounts of money being lost and if you would like to have more say in what settings are implemented.

If anyone is still experiencing problems, please contact our support department.

lazy
Registered User
Posts: 1
Joined: Fri Feb 15, 2008 6:41 pm

Re: base64_decode() security issue

Post by lazy »

Phew, what a hassle that was. After an already shit day I come home to find a site that was almost finished had error messages all over.

Euk are usually really good but today really pissed me off. The bit about being told to look for a solution when there were obviously other people with the same problem really did it for me. Just glad I got sent the link for this,

PLEASE PLEASE make double sure before you do anything like that again


THANK YOU Vic D'Elfant for helping to reverse a dumbass decision...

They offered me a VPS. Anyone up for clubbing together for one?
