Exploitation of phpBB highlight parameter vulnerability

Status
Not open for further replies.

os400

MIS
Mar 20, 2003
129
US
If you are using phpBB v2.0.10 or earlier, you need to upgrade to v2.0.11.
**********************************************************

Technical Cyber Security Alert TA04-356A
Exploitation of phpBB highlight parameter vulnerability

Original release date: December 21, 2004
Last revised: --
Source: US-CERT

Systems Affected

phpBB versions 2.0.10 and prior

Overview

The software phpBB contains an input validation problem in how it processes a parameter contained in URLs. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.

I. Description

phpBB is an open-source bulletin board application. It fails to properly perform an urldecode() on the "highlight" parameter supplied to viewtopic.php. This may allow a remote attacker to execute arbitrary commands on a vulnerable server.

According to reports, this vulnerability is being actively exploited by the Santy.A worm. The worm appears to propagate by searching for the keyword "viewtopic.php" in order to find vulnerable sites.

The worm writes itself to a file named "m1ho2of" on the compromised system. It then overwrites files ending with .htm, .php, .asp, .shtm, .jsp, and .phtm, replacing them with HTML content that defaces the web page. The worm then tries to use PERL to execute itself on the compromised system and propagate further.

US-CERT is tracking this issue as:

VU#497400 - phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter

II. Impact

A remote attacker may be able to deface a phpBB website and execute arbitrary commands on a compromised bulletin board.

III. Solution

Upgrade phpBB

Upgrade to phpBB version 2.0.11 to prevent exploitation.

Appendix A. References

* US-CERT Vulnerability Note VU#497400
* phpBB Downloads
* phpBB Announcement
* Symantec Security Response - Perl.Santy
* McAfee - Computer Virus Software and Internet Security
_________________________________________________________________

This vulnerability was reported by the phpBB Development Team.
_________________________________________________________________

Go to if you're using PHP-Nuke

Mike Butler
Iseries + Sun + PC = Tired Guy
"Never put off 'til tomorrow what you should have done yesterday
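
Since the alert above ties the flaw to how viewtopic.php URL-decodes the "highlight" parameter, one defender-side check is to look through web access logs for viewtopic.php requests whose highlight value is still percent-encoded after a single decode. This is an added example, not part of the original posts or the US-CERT alert; the log format (Apache common/combined), the sample lines and the two-pass threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample access-log lines (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Dec/2004:10:01:02 +0000] "GET /forum/viewtopic.php?t=42&highlight=install HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Dec/2004:10:01:05 +0000] "GET /forum/viewtopic.php?t=42&highlight=%2527placeholder HTTP/1.1" 200 4870',
    '203.0.113.9 - - [21/Dec/2004:10:01:09 +0000] "GET /forum/index.php?highlight=%2527x HTTP/1.1" 200 900',
    '192.0.2.44 - - [21/Dec/2004:10:02:11 +0000] "GET /forum/viewtopic.php?t=7&highlight=caf%C3%A9 HTTP/1.1" 200 5301',
]

# Client address and request target from a common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_layers(raw, limit=5):
    """Return (passes, final): decoding passes needed until the value is stable."""
    passes, current = 0, raw
    while passes < limit:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return passes, current


def scan(lines):
    """Flag viewtopic.php requests whose highlight value needs 2+ decode passes."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)
        if not path.lower().endswith("/viewtopic.php"):
            continue
        for pair in parts.query.split("&"):
            key, _, raw = pair.partition("=")
            if unquote_plus(key) != "highlight":
                continue
            passes, final = decode_layers(raw)
            if passes >= 2:  # normal search terms need at most one pass
                hits.append((client, path, passes, final))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit is a reason to check that host for the "m1ho2of" file and overwritten pages described in the alert, and to confirm the board is on 2.0.11.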
 
It's true that phpBB is affected. However, it's not just phpBB. Other forum boards are also affected.

More importantly, it's not just forums.
It's PHP itself where the problem originates.

The following is from phpBB web site:

Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.

It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file. We therefore recommend the following:

1) If you maintain your own server be sure to upgrade to the newest available release of PHP (both versions 4 and 5). Be aware that at this time phpBB 2.0.x has problems functioning under PHP5 without modification.

2) If you pay for hosting ensure your hosting provider has upgraded their installation of PHP (again remember that phpBB 2.0.x and other scripts will not function under PHP5 without modification).

Please do not submit this PHP issue to our security tracker, it is beyond our control. Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally please examine any "hacking" issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB). Remember, this is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions.
_________________

____________________________
JustKIDn

____________________________
Families can be together forever...
 