Cookie pollution causes "Hacking Attempt!" under 2

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Registered User
Posts: 2
Joined: Sun Jul 02, 2006 6:59 am


Post by waka0831 »

Your phpBB board URL:
Template(s) used: subSilver
Any and all MODs: Admin User List
Do you use a port of phpBB: No.
Version of phpBB: 2.0.21
Version of PHP: 4.3.0
Which database server and version: MySQL, 3.23.56
Did someone install this for you/who: Did it myself.
Is this an upgrade/from what to what: This appears to be a post 2.0.20 to 2.0.21 problem
Is this a conversion/from what to what: Nope.
Have you searched for your problem: Yes
If so, what terms did you try: "hacking attempt"
State the nature of your problem:

My phpBB 2.0.21 install looks like this:

My code in /blog/ writes cookies to the client under the address. Under phpBB 2.0.21, once one of these cookies is written, the following code in common.php causes the board to die immediately with the "Hacking Attempt!" message:

Code:

// PHP4+ path

	// Not only will array_merge give a warning if a parameter
	// is not an array, it will actually fail. So we check if
	// HTTP_SESSION_VARS has been initialised.
	if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
		$HTTP_SESSION_VARS = array();

	// Merge all into one extremely huge array; unset
	// this later


	while (list($var,) = @each($input))
		if (in_array($var, $not_unset))
			die('Hacking attempt!');

I don't really understand what this code is doing, but removing local cookies from the /blog/ folder corrects the problem. This isn't a real solution, however, as the blog code needs to routinely write cookies. Perhaps $HTTP_COOKIE_VARS contains the blog data, and this causes phpBB to fail?

Do you have a test account for us: No, the problem doesn't require a login.

Reproduction steps:
1) Go to
2) Click on "Horror Games" at the left, choose any title from the list, and click "Vote for this Game!" under the green bars.
3) On the voting page, just submit the default selections.
4) Click on "Forum" in the left navigation bar
5) Observe the "Hacking Attempt!" message
6) You will have a cookie from scoped to /sh. It will be named a number and will contain some value. Erase it.
7) Reload the forum page and notice that everything is working normally.

Thank you for the assistance!

Registered User
Posts: 815
Joined: Sun Mar 26, 2006 5:43 am
Location: Australia

Post by Timtam1234 »

Run the cookies mod in my sig, it may help... Can't hurt.
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: Cookie pollution causes "Hacking Attempt!" und

Post by T0ny »

waka0831 wrote: I don't really understand what this code is doing

It's protecting you from the dangers of having register_globals enabled on your server :)

However, it's misfiring when a cookie (or GET or POST) variable has a name that contains only digits. The array_merge() function changes these to numeric indexes (0, 1, 2, etc.), the first of which (0), when passed to in_array(), causes it to always match, i.e. in_array(0, $not_unset) = TRUE

The fix is to enable strict type checking by changing the line

Code:

if (in_array($var, $not_unset))

to

Code:

if (in_array($var, $not_unset, TRUE))

You can check that the register_globals protection is still working by opening a topic and adding &phpEx=1 to the end of the URL, which should give you a 'hacking attempt' message.
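
Added example (not part of the thread and not phpBB's own code): a small PHP script that reproduces the mechanism described in the reply above, comparing the loose and strict in_array() checks over constructed requests. The function name flaggedKeys(), the trimmed $notUnset list and the sample requests are assumptions for illustration, and foreach stands in for each(), which was removed in PHP 8. The loose check only misfires on PHP 7 and earlier, because PHP 8 changed how integers compare with non-numeric strings.

```php
<?php
// Added illustration; not phpBB source. $notUnset is a constructed subset
// that uses only variable names mentioned in the thread.
$notUnset = array('HTTP_COOKIE_VARS', 'HTTP_SESSION_VARS', 'phpEx');

/**
 * Return the merged request keys that the guard would reject.
 * $strict is passed as in_array()'s third argument.
 */
function flaggedKeys(array $get, array $cookie, array $notUnset, $strict)
{
    // PHP stores a digit-only name such as "1234" as the integer key 1234,
    // and array_merge() then renumbers integer keys starting from 0.
    $input = array_merge($get, $cookie);

    $flagged = array();
    foreach ($input as $var => $unused) {
        // Loose mode compares integer 0 with each protected name using ==;
        // strict mode also requires the types to match.
        if (in_array($var, $notUnset, $strict)) {
            $flagged[] = $var;
        }
    }
    return $flagged;
}

// Constructed requests: array(GET variables, cookie variables).
$cases = array(
    'digit-named cookie' => array(array('t' => '5'), array('1234' => 'vote')),
    'phpEx override'     => array(array('t' => '5', 'phpEx' => '1'), array()),
    'ordinary request'   => array(array('t' => '5'), array('sid' => 'abc')),
);

echo 'PHP ', PHP_VERSION, "\n";
foreach ($cases as $label => $pair) {
    list($get, $cookie) = $pair;
    printf(
        "%-20s loose=%s strict=%s\n",
        $label,
        json_encode(flaggedKeys($get, $cookie, $notUnset, false)),
        json_encode(flaggedKeys($get, $cookie, $notUnset, true))
    );
}
```

The "phpEx override" case is the same regression check suggested in the reply: it has to stay flagged in strict mode, while the digit-named cookie must not be.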
Registered User
Posts: 2
Joined: Sun Jul 02, 2006 6:59 am

Post by waka0831 »

Awesome, thanks for the tip. Problem solved!

