Cookie pollution causes "Hacking Attempt!" under 2

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
waka0831
Registered User
Posts: 2
Joined: Sun Jul 02, 2006 6:59 am

Post by waka0831 » Sun Jul 02, 2006 7:22 am

Your phpBB board URL: http://www.dreamdawn.com/sh/forum
Template(s) used: subSilver
Any and all MODs: Admin User List
Do you use a port of phpBB: No.
Version of phpBB: 2.0.21
Version of PHP: 4.3.0
Which database server and version: MySQL, 3.23.56
Host: http://www.westhost.com
Did someone install this for you/who: Did it myself.
Is this an upgrade/from what to what: This appears to be a post 2.0.20 to 2.0.21 problem
Is this a conversion/from what to what: Nope.
Have you searched for your problem: Yes
If so, what terms did you try: "hacking attempt"
State the nature of your problem:

My phpBB 2.0.21 install looks like this:

host.com/blog/phpBB

My code in /blog/ writes cookies to the client under the host.com/blog address. Under phpBB 2.0.21, once one of these cookies is written, the following code in common.php causes the board to die immediately with the "Hacking Attempt!" message:

Code:

// PHP4+ path
	$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

	// Not only will array_merge give a warning if a parameter
	// is not an array, it will actually fail. So we check if
	// HTTP_SESSION_VARS has been initialised.
	if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
	{
		$HTTP_SESSION_VARS = array();
	}

	// Merge all into one extremely huge array; unset
	// this later
	$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);

	unset($input['input']);
	unset($input['not_unset']);

	while (list($var,) = @each($input))
	{
		if (in_array($var, $not_unset))
		{
			die('Hacking attempt!');
		}
		unset($$var);
	}

I don't really understand what this code is doing, but removing local cookies from the /blog/ folder corrects the problem. This isn't a real solution, however, as the blog code needs to routinely write cookies. Perhaps $HTTP_COOKIE_VARS contains the blog data, and this causes phpBB to fail?

Do you have a test account for us: No, the problem doesn't require a login.

Reproduction steps:
1) Go to http://www.dreamdawn.com/sh
2) Click on "Horror Games" at the left, choose any title from the list, and click "Vote for this Game!" under the green bars.
3) On the voting page, just submit the default selections.
4) Click on "Forum" in the left navigation bar
5) Observe the "Hacking Attempt!" message
6) You will have a cookie from dreamdawn.com scoped to /sh. It will be named a number and will contain some value. Erase it.
7) Reload the forum page and notice that everything is working normally.

Thank you for the assistance!

Chris

Timtam1234
Registered User
Posts: 815
Joined: Sun Mar 26, 2006 5:43 am
Location: Australia

Post by Timtam1234 » Sun Jul 02, 2006 7:29 am

Run the cookies mod in my sig, it may help. Can't hurt.

T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: Cookie pollution causes "Hacking Attempt!" und

Post by T0ny » Sun Jul 02, 2006 11:03 am

waka0831 wrote: I don't really understand what this code is doing


It's protecting you from the dangers of having register_globals enabled on your server :)

However, it's misfiring when a cookie (or GET or POST) variable has a name that contains only digits. The array_merge() function changes these to numeric indexes (0, 1, 2, etc.), the first of which (0), when passed to in_array(), causes it to always match, i.e. in_array(0, $not_unset) = TRUE.

The fix is to enable strict type checking by changing the line

Code:

if (in_array($var, $not_unset))

to

Code:

if (in_array($var, $not_unset, TRUE))

You can check that the register_globals protection is still working by opening a topic and adding &phpEx=1 to the end of the URL, which should give you a 'hacking attempt' message.
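
The misfire and the one-argument fix described above, as an added example that is not part of the original posts and is not phpBB's code. PHP 8 changed how an integer compares with a non-numeric string, so the older loose comparison is modelled in a hypothetical helper (legacy_loose_equals) to give the same result on any PHP version; the function names and the sample cookie are constructed for illustration.

```php
<?php
// Added illustration, not phpBB code. Function names and sample data are constructed.

// Loose == as PHP 4/5/7 applied it to an int and a string: the string is
// converted to a number, and a non-numeric string converts to 0.
function legacy_loose_equals($a, $b)
{
    if (is_int($a) && is_string($b)) {
        return $a == (float) $b;
    }
    if (is_string($a) && is_int($b)) {
        return (float) $a == $b;
    }
    return $a == $b;
}

// in_array() with the optional third argument, built on the helper above.
function legacy_in_array($needle, array $haystack, $strict = false)
{
    foreach ($haystack as $item) {
        if ($strict ? $needle === $item : legacy_loose_equals($needle, $item)) {
            return true;
        }
    }
    return false;
}

// Same decision as the loop in common.php: true means die('Hacking attempt!').
function guard_trips(array $get, array $cookie, $strict)
{
    $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS',
        'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS',
        'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');
    // An all-digit cookie name is stored under an integer key, and
    // array_merge() renumbers integer keys starting from 0.
    $input = array_merge($get, $cookie);
    foreach (array_keys($input) as $var) {
        if (legacy_in_array($var, $not_unset, $strict)) {
            return true;
        }
    }
    return false;
}

$blog_cookie = array('42' => 'vote-recorded'); // constructed: cookie named with digits only
$override    = array('phpEx' => '1');          // the &phpEx=1 check from the thread

var_dump(guard_trips(array(), $blog_cookie, false)); // original loose check
var_dump(guard_trips(array(), $blog_cookie, true));  // strict check, same cookie
var_dump(guard_trips($override, array(), true));     // strict check, real override attempt
```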

waka0831
Registered User
Posts: 2
Joined: Sun Jul 02, 2006 6:59 am

Post by waka0831 » Mon Jul 03, 2006 5:50 am

Awesome, thanks for the tip. Problem solved!

Chris
