ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [phpsec] phpBB Multiple Vulnerabilities



> -----Original Message-----
> From: Administrator Chat-Net [mailto:admin@xxxxxxxxxxx] 
> Sent: Tuesday, November 01, 2005 12:33 AM
> To: phpsec@xxxxxxxxxxx
> Subject: [phpsec] phpBB Multiple Vulnerabilities
> 
> Haven't seen this in the Mailinglist, too
> 
> Security Advisory here: 
> http://www.hardened-php.net/advisory_172005.75.html
> phpBB Changelog here: 
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
>                          Hardened-PHP Project
>                          www.hardened-php.net
> 
>                        -= Security  Advisory =-
> 
> 
> 
>       Advisory: phpBB Multiple Vulnerabilities
>   Release Date: 2005/10/31
> Last Modified: 2005/10/31
>         Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]
> 
>    Application: phpBB <= 2.0.17
>       Severity: Multiple vulnerabilities allow XSS, SQL injection
>                 and remote code execution
>           Risk: Critical
> Vendor Status: Vendor has released an updated version
>     References: http://www.hardened-php.net/advisory_172005.75.html
> 
> 
> Overview:
> 
>     Quote from www.phpbb.com:
>     "phpBB is a high powered, fully scalable, and highly customizable
>     Open Source bulletin board package. phpBB has a user-friendly
>     interface, simple and straightforward administration panel, and
>     helpful FAQ. Based on the powerful PHP server language and your
>     choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database
>     servers, phpBB is the ideal free community solution for all
>     web sites."
> 
>     Because of our research into register_globals deregistration
>     codes, the implementation within phpBB was audited and several
>     weaknesses were found, that allowed to completely bypass the
>     protection on PHP5 servers.
> 
>     After these weaknesses were found and disclosed to the vendor
>     nearly 80 days ago, several problems with unitialised variables
>     were discovered that allow XSS, SQL injection and even remote
>     execution of arbitrary PHP code, when phpBB is used with
>     register_globals turned on.
> 
>     While register_globals=off is the recommended setting, most web-
>     hosters, even those that actually run PHP5, still have it
>     enabled because it is their customers wish.
> 
> 
> Details:
> 
>     To get rid of possible security problems caused by not properly
>     initialised variables phpBB comes with the following piece of
>     code, that is intended to deregister global variables, which were
>     created because of the register_globals directive. Unfortunately
>     there are atleast 3 ways to bypass the protection.
> 
>     // PHP4+ path
>     $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
>                        'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS',
>                     'HTTP_SESSION_VARS', 'HTTP_ENV_VARS',
>                     'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');
> 
>     // Not only will array_merge give a warning if a parameter
>     // is not an array, it will actually fail. So we check if
>     // HTTP_SESSION_VARS has been initialised.
>     if (!isset($HTTP_SESSION_VARS))
>     {
>        $HTTP_SESSION_VARS = array();
>     }
> 
>     // Merge all into one extremely huge array; unset
>     // this later
>     $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS,
>                          $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS,
>                       $HTTP_SESSION_VARS, $HTTP_ENV_VARS,
>                       $HTTP_POST_FILES);
> 
>     unset($input['input']);
>     unset($input['not_unset']);
> 
>     while (list($var,) = @each($input))
>     {
>        if (!in_array($var, $not_unset))
>        {
>           unset($$var);
>        }
>     }
> 
>     unset($input);
> 
> 
>     Bypass Vulnerabilities
>     ----------------------
> 
>     [1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
>         variable $foobar by supplying a GET/POST/COOKIE variable
>         with the name 'foobar' but also by supplying a GPC variable
>         called 'GLOBALS[foobar]'. If the variable is supplied in
>         that way, the code above will not try to unset $foobar, but
>         $GLOBALS, which completely bypasses the protection.
> 
>     [2] When the session extension is not started by a call to
>         session_start(), PHP does not know about the variables
>         $_SESSION or $HTTP_SESSION_VARS, which means, it is possible
>         to fill them with any value if register_globals is turned on.
>         Combined with the fact (that was even documented in the phpBB
>         code), that array_merge() will fail in PHP5, when at least
>         one of the parameters is not an array, it is possible for an
>         attacker to simply set HTTP_SESSION_VARS to a string and let
>         the complete protection fail, because $input ends up empty.
> 
>     [3] When register_long_array is turned off PHP does not know
>         anymore about all the HTTP_* variables. This means they can
>         be filled with anything that is completely unrelated to the
>         existing global variables. It is obvious that the protection
>         cannot work, when this configuration is choosen.
> 
>     Additonally to the 3 possible ways to bypass the globals
>     deregistration code, several not properly initalised variables
>     were disclosed to the vendor, that can even lead to remote code
>     execution.
> 
>     Not properly initialised variables
>     ----------------------------------
> 
>     [1] Within usercp_register.php the variable 'error_msg' is not
>         properly initialised and can therefore be used to inject
>         arbitrary HTML code
> 
>     [2] Within login.php the variable 'forward_page' is not properly
>         initialised and can be used to inject arbitrary HTML code
> 
>     [3] Within search.php the variable 'list_cat' is not properly
>         initialised and can be used to inject arbitrary HTML
> 
>     [4] Within usercp_register.php the variable 'signature_bbcode_uid'
>         is not properly initialised and can be used for SQL injection
>         of arbitrary 'field=xxx' statements into queries operating
>         on the user table, when magic_quotes_gpc is turned off.
> 
>     [5] The same variable [4] can be used to inject f.e. the 'e'
>         modifier into the first parameter of a preg_replace()
>         statement, which means, that the second parameter is
>         evaluated as PHP code. Because the second parameter is
>         entirely filled with the user supplied signature, it is
>         possible to execute any PHP code. This can be exploited,
>         no matter if magic_quotes_gpc is turned on or off, just
>         2 different code paths need to be triggered.
> 
> 
> Proof of Concept:
> 
>     The Hardened-PHP project is not going to release exploits for any
>     of these vulnerabilities to the public.
> 
> 
> Disclosure Timeline:
> 
>     14. August 2005  - First contact with vendor through their
>                        security bugtracker.
>     30. October 2005 - Vendor released new version.
>     31. October 2005 - Public disclosure.
> 
> 
> Recommendation:
> 
>     It is strongly recommended to upgrade to the new phpBB release
>     or to switch to another bulletin board application.
> 
>     You can get the new phpBB release at:
> 
>     http://www.phpbb.com/downloads.php
> 
> 
> GPG-Key:
> 
>     http://www.hardened-php.net/hardened-php-signature-key.asc
> 
>     pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
>     Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 
> 14CC 0A86 4AA1
> 
> 
> Copyright 2005 Stefan Esser. All rights reserved.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQFDZWs2RDkUzAqGSqERAvFbAJ9ArGdOzvv2gcsAD0bbHgmcxkhXQQCgyplU
> ulFpBoL8zXpEsZA5m3TWopw=
> =u4eq
> -----END PGP SIGNATURE-----
> 
> - Michael
> 




 




Copyright © Lexa Software, 1996-2009.