Security! Oh lord, this doesn't look good.

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Security! Oh lord, this doesn't look good.

Post by Jef Horians »

Hello.

I've installed a phpBB test site and ran IronWASP on it. Output really scares me.
It was able to get the list of users although I've hidden Members from the login page.
I know because when I log in I have to do the captcha every time.
Not only for admin (easy to guess of course) but also for other users.
What's going on?

IronWASP report:

SQL Injection Detected
/phpbb/./ucp.php?mode=login&sid=6319ec6a5df1209dda0baa283f6d476d
/phpbb/app.php/help/faq?sid=6319ec6a5df1209dda0baa283f6d476d
/phpbb/./memberlist.php?mode=contactadmin&sid=6319ec6a5df1209dda0baa283f6d476d
/phpbb/app.php/help/faq
/phpbb/././ucp.php?mode=sendpassword
/phpbb/./././ucp.php?mode=sendpassword
/phpbb/app.php/help/./../../
/phpbb/app.php/help/./../.././memberlist.php?mode=contactadmin
/phpbb/./././memberlist.php?mode=contactadmin
/phpbb/./././ucp.php?mode=login
/phpbb/./././ucp.php?mode=login
/phpbb/./././ucp.php?mode=login
/phpbb/./././ucp.php?mode=login
/phpbb/./././ucp.php?mode=login

Server Side Request Forgery Found
/phpbb/./ucp.php?mode=login&sid=6319ec6a5df1209dda0baa283f6d476d

Local File Include Found
/phpbb/./././ucp.php?mode=login
/phpbb/./././ucp.php?mode=login
/phpbb/./././ucp.php?mode=login

Session Fixation Found
/phpbb/./ucp.php?mode=login&sid=6319ec6a5df1209dda0baa283f6d476d

AutoComplete Enabled on Password Fields
/phpbb/

Server leaks version number
/phpbb/

Runs on Apache/2
/phpbb/

Technologies identified on Server
/phpbb/
RMcGirr83
Former Team Member
Posts: 22016
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Security! Oh lord, this doesn't look good.

Post by RMcGirr83 »

That is a bogus report which many web scanners report on.
Former Modifications/Extensions Team Member | My extensions | github | All requests for support via PM will be ignored
Appreciate the extensions/mods/support then buy me a beer
KevC
Support Team Member
Posts: 72343
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Security! Oh lord, this doesn't look good.

Post by KevC »

Jef Horians wrote: Wed Aug 23, 2017 2:41 pm It was able to get the list of users although I've hidden Members from the login page.
Did it actually give you the output of the page or just say it could 'see' it. Any pages you don't have access to will still be reachable but you just see a screen saying you don't have permission to view it.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Re: Security! Oh lord, this doesn't look good.

Post by Jef Horians »

Here's the full report.
I don't know enough of it to judge it myself.
Attachments: phpBB-test-report.rtf (128.18 KiB)
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Security! Oh lord, this doesn't look good.

Post by stevemaury »

If your board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):
  1. Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the “logs” directory on the server, in your host’s control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board; the proper place for incident reports is the tracker.
Attach a copy of the .rtf file (Report) to the ticket.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
Marc
Development Team Leader
Posts: 5657
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: Security! Oh lord, this doesn't look good.

Post by Marc »

Thanks for posting the report. It actually shows exactly why these kinds of tools are not helpful with identifying security issues in more complex apps. All the issues it reported are completely bogus.

Serves very well in making me laugh this morning though. :lol:
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Re: Security! Oh lord, this doesn't look good.

Post by Jef Horians »

Thank you for your answer.

I ran the trial version of Acunetix and it indeed only showed some minor issues that can't be used for exploitation.
But is it true that you can read the database for users although Members is hidden at the login page?
When I logged in after the IronWASP test I had to do the captcha all the time, which stopped after about 6 hours (21600 sec, "IP address login attempt expiration time:" setting).
The forum is going to be used for research and has to be completely hidden. There should be no leakage of usernames whatsoever.
KevC
Support Team Member
Posts: 72343
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Security! Oh lord, this doesn't look good.

Post by KevC »

Jef Horians wrote: Thu Aug 24, 2017 10:10 am But is it true that you can read the database for users although Members is hidden at the login page?
Log out and try it yourself.
The default guest group settings do not allow visitors to view the memberlist. It's been like that since 3.0

You can even put /memberlist.php in the URL and see what it shows you.
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Re: Security! Oh lord, this doesn't look good.

Post by Jef Horians »

No, you have to log in to see the members.
Must be my mind playing tricks on me.
Thank you.
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Re: Security! Oh lord, this doesn't look good.

Post by Jef Horians »

Well it's not my mind playing tricks on me.
Tried it again. Ran IronWASP and all users have to do the captcha.
Is there some kind of logging for this?
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Security! Oh lord, this doesn't look good.

Post by stevemaury »

Tried it again. Ran IronWASP and all users have to do the captcha.
What does that mean? What is "it"? What is "Ironwasp"? What is "the captcha"? When do the users have to do whatever that is?

Do you have CAPTCHA enabled for Guest posting? Are you using the Newly Registered users group?

Please fill out the Support Request Template and post it back here to enable us to assist you better.
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Re: Security! Oh lord, this doesn't look good.

Post by Jef Horians »

Support Request Template
What version of phpBB are you using? phpBB 3.2.1
What is your board's URL? https://u16869p15534.web0119.zxcs.nl/phpbb/
Who do you host your board with? Vimexx
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Fresh Install
Is registration required to reproduce this issue? No
Do you have any MODs installed? No
Do you have any extensions installed? No
What styles do you currently have installed? Prosilver
What language(s) is your board currently using? English
Which database type/version are you using? MariaDB
What is your level of experience? New to PHP and phpBB
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? No answer given
Please describe your problem. Normally when I or another user logs in I don't have to fill in CAPTCHA.
When I run IronWASP https://ironwasp.org/ I and other users have to fill in CAPTCHA.
Seems like IronWASP is able to 'see' which users are in the database and tries to do some kind of brute force attack to crack passwords.
Generated by SRT Generator
KevC
Support Team Member
Posts: 72343
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Security! Oh lord, this doesn't look good.

Post by KevC »

When a password has been incorrectly entered 3 times you have to solve a captcha to log in. I suspect this ironwasp thing is trying to solve logins and failing, thus triggering the extra security step of having to solve the captcha.

Ignore it, stop running it. It's already been explained that the results are nonsense. It is not accessing anything in the database. Go and enjoy your board.
Brf
Support Team Member
Posts: 53400
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Re: Security! Oh lord, this doesn't look good.

Post by Brf »

The question is how it knows which usernames to try.

Are you sure it is locking out usernames, or just IP addresses? Have other users been complaining, or are you just testing from one address?
Jef Horians
Registered User
Posts: 40
Joined: Tue Jul 25, 2017 12:32 pm

Re: Security! Oh lord, this doesn't look good.

Post by Jef Horians »

Seems like running IronWASP and logging in from the same IP causes this issue.
I used RDP to log into a remote server, logged into the board and I don't have to fill in CAPTCHA.
Still, is it possible to see who logged in when?
Thanks for helping me out.
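An added example, not phpBB's own code, that models the behaviour the replies above describe (failed logins counted per client IP, CAPTCHA after 3 failures, forgotten after the 21600 s expiry) and parses constructed Apache access-log lines to give the "who tried to log in, when" view the last post asks for. The threshold semantics, the log format and the IP addresses are assumptions; phpBB's real implementation is not reproduced here.

```python
# Added example (not phpBB's code): a simplified per-IP failed-login counter. Once
# one IP has failed 3 times, every account logging in from that IP gets the CAPTCHA
# until the expiry window has passed, which is what the thread observed.
import re
from collections import defaultdict

MAX_ATTEMPTS = 3        # failures before the CAPTCHA appears (per KevC's reply)
EXPIRE_SECONDS = 21600  # the board setting Jef quoted; sliding-window semantics assumed

class LoginAttemptTracker:
    """Counts failed logins per client IP, forgetting entries older than EXPIRE_SECONDS."""
    def __init__(self):
        self._failures = defaultdict(list)  # ip -> timestamps of failed attempts

    def _prune(self, ip, now):
        self._failures[ip] = [t for t in self._failures[ip] if now - t < EXPIRE_SECONDS]

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)

    def captcha_required(self, ip, now):
        self._prune(ip, now)
        return len(self._failures[ip]) >= MAX_ATTEMPTS

def simulate():
    """Replay the thread: a scanner fails 3 times, then users log in from the same and another IP."""
    t = LoginAttemptTracker()
    for i in range(3):
        t.record_failure("203.0.113.10", now=100 + i)            # scanner's IP (constructed)
    same_ip = t.captcha_required("203.0.113.10", now=200)        # any user behind that IP
    other_ip = t.captcha_required("198.51.100.7", now=200)       # user elsewhere (the RDP test)
    after_expiry = t.captcha_required("203.0.113.10", now=200 + EXPIRE_SECONDS)
    return same_ip, other_ip, after_expiry                       # (True, False, False)

# Constructed Apache combined-log lines (not from the post): POSTs to the login form.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Aug/2017:10:00:01 +0200] "POST /phpbb/ucp.php?mode=login HTTP/1.1" 200 5120
203.0.113.10 - - [24/Aug/2017:10:00:02 +0200] "POST /phpbb/ucp.php?mode=login HTTP/1.1" 200 5120
203.0.113.10 - - [24/Aug/2017:10:00:03 +0200] "POST /phpbb/ucp.php?mode=login HTTP/1.1" 200 5120
198.51.100.7 - - [24/Aug/2017:10:05:00 +0200] "POST /phpbb/ucp.php?mode=login HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /phpbb/ucp\.php\?mode=login[^"]*" (\d{3})')

def login_posts_by_ip(log_text):
    """Group login POSTs by client IP as (timestamp, status): a quick 'who logged in when' view."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits[m.group(1)].append((m.group(2), int(m.group(3))))
    return dict(hits)
```

A burst of login POSTs from one address in the access log, followed by unrelated users reporting CAPTCHA prompts, is the pattern to look for when a scan is suspected; the board's own settings, not the scanner, decide when the prompt clears.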