Exploit Vulnerability Found in 2.0.18: you MUST disable HTML!

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Exploit Vulnerability Found in 2.0.18: you MUST disable HTML!

Post by clubchill »

Exploit Targets New phpBB 2.0.18 Security Hole

An exploit has been released for a new security hole in phpBB 2.0.18, the popular web forum software. The attack has the potential to compromise any phpBB 2.0.18 installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forums poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended if phpBB's "Allow HTML" and register_globals settings are both disabled.

Some web hosts have banned the use of phpBB, citing ongoing security problems. Hackers often seek out vulnerabilities in forum software, which typically offers many fields that all must check input to detect malicious code.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bundled with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 224,000 registered members of its user forum. A number of web hosts offer phpBB as an account add-on that can easily be installed by users.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Old news. The HTML vulnerability is in Internet Explorer, and it's PHPBB's problem because some people enable HTML. If you're worried about it, disable HTML, like most of us, and the attack won't be able to work. I haven't had HTML enabled on a forum in years. Brute-force password attacks are nothing new, just made easier by the information an IE user can reveal without knowing it.

Of course, I'm not trying to annoy users by enabling FLASH and automatic music, like some users. :wink:
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
SmartSquid399
Registered User
Posts: 98
Joined: Fri Jul 08, 2005 6:13 pm
Contact:

Post by SmartSquid399 »

It's not really phpBB's fault, it's IE's. Internet Explorer has so many security holes that I'm surprised there's only one major vulnerability out involving it.
Notepad2 || FireFox

I'm here to help with: PHP, phpBB (obviously), Server Set-up, HTML, CSS, and JavaScript.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Did you see where Microsoft is "strenuously objecting" to efforts by ISPs to block internet access to compromised computers? They're afraid it will kick all the Windows users off the net! 8)
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Post by clubchill »

espicom wrote: Old news. The HTML vulnerability is in Internet Explorer, and it's PHPBB's problem because some people enable HTML. If you're worried about it, disable HTML, like most of us, and the attack won't be able to work. I haven't had HTML enabled on a forum in years. Brute-force password attacks are nothing new, just made easier by the information an IE user can reveal without knowing it.

Of course, I'm not trying to annoy users by enabling FLASH and automatic music, like some users. :wink:


I understand, and these are very good points. However... the point that phpBB misses in all of this is that you have to design your software for "other" software.

Other software does not have to be designed for phpBB.

Do you suppose major industrial companies running mission-critical thin-client apps via the web will allow their passwords to be hacked because of an IE flaw??

Be for real.....

No, they design their products around the flaw, in such a manner as to protect the integrity of their data. Can you hack PayPal passwords because of IE? Can you hack Amazon passwords because of IE? Can you hack Dell.com, or your local bank's online-banking passwords because of IE?? No... but you can hack phpBB passwords because of IE though, can't you??

It looks bad on this community fellas.

Why?

Because phpBB is designed with an "I-don't-care" attitude, and it shows in the number of vulnerabilities in this software.

phpBB development needs to take a full "Corporate" approach in their design, and treat this software as though it were set up to guard a million dollars.

Until then............ anything goes.

Because just like you said "Old News"... guess what.... it was "Old News" that Microsoft's Internet Explorer was flawed.... but what did phpBB do?

They still developed on top of that flaw like they really didn't give a damn.

And that's wrong.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

You can not design for problems you do not know about. Internet Explorer has a bug that will allow someone to send it an "image" that is really a program, and compromise it. PHPBB tries to fix that by limiting what can appear in an IMG tag, but it isn't enough - if someone has access to a server, you can build a legal URL that will look like an image file (no script references or other suspicious content), even be verifiable to contain an image when checked, and yet still send a compromise program to a real IE user. How is this PHPBB's fault? How does taking a "corporate attitude" towards the problem fix Internet Explorer?

You can only protect IE users by eliminating any possibility of anyone other than yourself providing content to your site. You can not provide links to external pages or images, especially those that can be provided by others; if it isn't on your server, you don't control it, and you can not protect IE users from it. It's as simple as that.

The problem is that "the world wide web" is all about links, and that's where the security of Internet Explorer falls apart. It's too trusting of content - if I send a file "bob.jpg" to IE, and it's really an executable, IE will execute it, rather than deciding it's a bad JPG file. Oops! Fix PHPBB!

IE has so many flaws that have yet to be discovered (or publicised) that it could be years before everyone "protects" IE users "enough", but Microsoft keeps introducing new flaws, with each new version. Can you tell me what the PHPBB development team will need to change in PHPBB to be ready to protect IE 7 users?
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Post by clubchill »

espicom wrote: You can not design for problems you do not know about. Internet Explorer has a bug that will allow someone to send it an "image" that is really a program, and compromise it. PHPBB tries to fix that by limiting what can appear in an IMG tag, but it isn't enough - if someone has access to a server, you can build a legal URL that will look like an image file (no script references or other suspicious content), even be verifiable to contain an image when checked, and yet still send a compromise program to a real IE user. How is this PHPBB's fault? How does taking a "corporate attitude" towards the problem fix Internet Explorer?

You can only protect IE users by eliminating any possibility of anyone other than yourself providing content to your site. You can not provide links to external pages or images, especially those that can be provided by others; if it isn't on your server, you don't control it, and you can not protect IE users from it. It's as simple as that.

The problem is that "the world wide web" is all about links, and that's where the security of Internet Explorer falls apart. It's too trusting of content - if I send a file "bob.jpg" to IE, and it's really an executable, IE will execute it, rather than deciding it's a bad JPG file. Oops! Fix PHPBB!

IE has so many flaws that have yet to be discovered (or publicised) that it could be years before everyone "protects" IE users "enough", but Microsoft keeps introducing new flaws, with each new version. Can you tell me what the PHPBB development team will need to change in PHPBB to be ready to protect IE 7 users?


lol.. that's the whole purpose of server-side scripting, you process the data "before" it's sent to the browser.... hello?

PHP has functions that can verify the reliability of a file, such as in the jpg scenario you mentioned, and if it's a bad file then it can be scripted to not even send the file to the browser. That's the whole point of PHP..... "HTML Processing"

Why would you let Internet Explorer execute a potentially bad file, when you can verify its legitimacy server-side before even sending it to the browser?

Do you suppose these companies like banks and investment firms that run web-apps for their clients will allow a bad .jpg or a bad .txt or a bad .mp3 or .swf to be served to the browser and compromise their data?

If it wasn't so, I'd agree with you. But the evidence of secure web application development on the internet is too vast for your argument to hold true.

Lol.. and need I mention some other BulletinBoard systems that use PHP and mySQL too, but don't have these vulnerability issues?

haha.. you don't want me to go there, do you..
itsonlybarney
Registered User
Posts: 238
Joined: Sun Apr 10, 2005 5:06 am
Location: /home/Sydney/public_html
Contact:

Post by itsonlybarney »

I just want clarification. From what I have read you are saying that phpBB has a 'flaw' because it will open an 'image' file that may be an executable program. Is that right? But you're also saying that because phpBB is run on a PHP server, the PHP should be able to detect whether the 'image', in a signature or a post, is an executable. From my understanding the signatures in posts and images are generally stored outside the phpBB server and therefore PHP can't determine whether or not the 'image' is really an executable file.
Enjoy talking about trains?
clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Post by clubchill »

itsonlybarney wrote: I just want clarification. From what I have read you are saying that phpBB has a 'flaw' because it will open an 'image' file that may be an executable program. Is that right? But you're also saying that because phpBB is run on a PHP server, the PHP should be able to detect whether the 'image', in a signature or a post, is an executable. From my understanding the signatures in posts and images are generally stored outside the phpBB server and therefore PHP can't determine whether or not the 'image' is really an executable file.


Barney, code can't do anything unless it's programmed to do so. phpBB developers aren't developing necessary security checks. They're only plugging them after they've been discovered. Not prior.
clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Post by clubchill »

lol.. I guess I won this debate, huh?

No counterpoints? hehehe
IndieDesigns
Registered User
Posts: 401
Joined: Wed Oct 19, 2005 12:28 pm
Location: phpbb_users
Contact:

Post by IndieDesigns »

clubchill wrote: lol.. I guess I won this debate, huh?

No counterpoints? hehehe


Want a counterpoint? this is a Support Forum so why not either post something you need support for (like the logout sid issue) or go help someone. All you're doing is taking time away from people who need support by trying to get all the regulars here on defense. This thread would belong more in phpbb discussion, not support. :roll:

---Indie
~ Mods/Hacks Installed, Unique Templates, Updates and Repairs... Professional Service, Reasonable Rates. ~ PM or Email Me ~Large Databases Repaired and Restored ~ Get Nicely Hosted ~
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

clubchill wrote: lol.. I guess I won this debate, huh?

No counterpoints? hehehe


Can't win just because people have jobs to attend to. From Slashdot, posted just hours ago:
"Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""


So, should we post this as yet another vulnerability in PHPBB? All it takes is a URL to a server under the control of an attacker, preferably in an image tag, to make it look innocent. And, like I have said previously, short of disabling all BBCode as well as HTML, PHPBB can't prevent it from happening. Heck, even if I write code in PHPBB to immediately request the remote link, analyze what is returned by it, there is no guarantee that the user will get the same thing returned to their browser.

Same goes for remote avatars... Disable them immediately, and remove support for it from PHPBB, because it's a vulnerability that PHPBB must protect IE users from!

I know - make PHPBB smart enough that if the user agent is any version of Internet Explorer, it returns a text-only page, no HTML, no links, nothing that IE can interpret as a link, or whatever... Yeah, that's the way to protect them! Give them a safe surfing environment.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK
Contact:

Post by karlsemple »

Having read this topic from start to finish I still don't see what this has to do with phpBB...... You can't possibly find a flaw in one program and then blame it on the developers of another :roll: As stated a trillion times and then some... any internet user really worried about security would throw 99% of Microsoft's products straight in the bin, let alone use them. IE being the first and worst to go, when will you security concerned folks start using Firefox?
Blankety Blank Man
Registered User
Posts: 881
Joined: Wed Mar 30, 2005 3:54 am

Post by Blankety Blank Man »

clubchill wrote: lol.. that's the whole purpose of server-side scripting, you process the data "before" it's sent to the browser.... hello?

PHP has functions that can verify the reliability of a file, such as in the jpg scenario you mentioned, and if it's a bad file then it can be scripted to not even send the file to the browser. That's the whole point of PHP..... "HTML Processing"
Actually it's PHP Hypertext Processor now, and Personal Home Page in the past ;)

As far as things that are actually important go, I'd like to see you submit a code segment that will analyze the content of each link on the page, especially images, and scan for viri. The only way I can see that code working would be to open a socket to the file being linked to, and compare it against a database of viri. That would, of course, require that the target allow incoming socket connections in that manner, the phpBB host allow the outgoing socket, the PHP version containing the function to do that, and, of course, a rather large amount of time that the end user would not like to spend waiting for a page to load.
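The server-side check the thread argues about (clubchill's "verify its legitimacy server-side", espicom's "bob.jpg" that is really an executable) reduces to a content-sniffing rule: accept a linked image only if its bytes carry a known image signature that matches the claimed extension. The following is an added illustration, not code from phpBB or from anyone in this thread; it is written in Python rather than PHP, the sample blobs are constructed, and it applies only to bytes the server has actually fetched, so it cannot rule out a remote host serving different content to the browser later (the caveat espicom raises).

```python
# Constructed sample blobs (not real files): a minimal JPEG, a minimal PNG,
# and a Windows executable header (MZ) disguised with a .jpg name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 20,
    "bob.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 40,
}

# Leading byte signatures ("magic") of the image formats a forum would allow.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_image_type(data: bytes):
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def is_safe_image(filename: str, data: bytes) -> bool:
    """Accept only when the bytes are a known image AND agree with the extension.

    A mismatch (e.g. .jpg name, MZ bytes) is exactly the case where a browser
    that trusts the name over the content would be handed an executable.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXT_TO_TYPE.get(ext)
    if expected is None:
        return False  # unknown or missing extension
    sniffed = sniff_image_type(data)
    if sniffed != expected:
        return False  # signature absent or does not match the claimed type
    # Format-specific structure checks so a bare signature is not enough.
    if sniffed == "jpeg" and not data.endswith(b"\xff\xd9"):
        return False  # no End-Of-Image marker: truncated or padded
    if sniffed == "png" and data[12:16] != b"IHDR":
        return False  # first chunk must be the image header
    return True


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", "accept" if is_safe_image(name, blob) else "reject")
```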
justbrowsing
Registered User
Posts: 5
Joined: Thu Dec 29, 2005 7:39 am

Post by justbrowsing »

my monitor colors are messed up. phpbb shows up with funny colors. support team - please fix this!!! it is a flaw in your program not to accommodate my monitor...