PHP Exploit

Postby PostBot on Sat Dec 18, 2004 4:29 pm

Note: To avoid confusion: this thread is not about the highlight exploit. And it is not another bug in phpBB - it is a bug in PHP.

--------------------------
A serious bug was discovered in PHP, in the function unserialize(). That bug can be used to cause serious damage to websites running software that uses that function.

Unfortunately phpBB uses that function to store data in cookies, so phpBB can be exploited (as can IPB, vBulletin and almost all other PHP forum systems).

Affected php versions:
php 4.x up to 4.3.9 (bug fixed in 4.3.10)
php 5.x up to 5.0.2 (bug fixed in 5.0.3)


Solution:

Update php as soon as possible.


If you can't update PHP, or want to secure the forum before you update, then try this workaround:

(This workaround is my idea, not an official phpBB solution. It has been running on this very forum since 17 Dec 2004 and I haven't seen any problems, but there might be incompatibilities with some mods. phpBB uses serialize/unserialize only for numbers and md5 hashes, so the characters "|" and "=" are never used and this simple replacement works without problems.)

This workaround is also available in .mod format: viewtopic.php?t=1904

open includes/functions.php, find this:
Code:
?>
and add before it:
Code:
// Flat "key=value|key=value" replacement for serialize()/unserialize().
// phpBB only stores numbers and md5 hashes here, so '|' and '=' never
// occur in the data, and no type tags or references are ever parsed.
function serialize_array($array)
{
   if(!is_array($array))
   {
      return '';
   }
   $str = '';
   foreach($array as $var => $value)
   {
      if($str)
      {
         $str .= '|';
      }
      // '|' is the pair separator, so it is stripped from values
      $str .= $var . '=' . str_replace('|', '', $value);
   }
   return $str;
}

function unserialize_array($str)
{
   $array = array();
   $list = explode('|', $str);
   for($i=0; $i<count($list); $i++)
   {
      // split on the first '=' only; pairs without '=' are ignored
      $row = explode('=', $list[$i], 2);
      if(count($row) == 2)
      {
         $array[$row[0]] = $row[1];
      }
   }
   return $array;
}
then replace all serialize() and unserialize() in phpBB code with serialize_array() and unserialize_array().

Here is a detailed list of all serialize/unserialize calls present in phpBB 2.0.11:

open index.php, find this (line 70):
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array();
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array();
and replace with this:
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array();
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array();

open posting.php, find this (line 579):
Code:
$tracking_topics = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
$tracking_forums = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
and replace with this:
Code:
$tracking_topics = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
$tracking_forums = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
then find this (line 590):
Code:
setcookie($board_config['cookie_name'] . '_t', serialize($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
and replace with this:
Code:
setcookie($board_config['cookie_name'] . '_t', serialize_array($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);

then open search.php, find this (line 669):
Code:
$result_array = serialize($store_search_data);
and replace with this:
Code:
$result_array = serialize_array($store_search_data);
then find this (line 704):
Code:
$search_data = unserialize($row['search_array']);
and replace with this:
Code:
$search_data = unserialize_array($row['search_array']);
then find this (line 836):
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
and replace with this:
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();

then open viewforum.php, find this (line 136):
Code:
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
and replace with this:
Code:
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
then find this (line 149):
Code:
setcookie($board_config['cookie_name'] . '_f', serialize($tracking_forums), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
and replace with this:
Code:
setcookie($board_config['cookie_name'] . '_f', serialize_array($tracking_forums), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
then find this (line 165):
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : '';
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : '';
and replace with this:
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : '';
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : '';

then open viewtopic.php, find this (line 536):
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
and replace with this:
Code:
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
then find this (line 560):
Code:
setcookie($board_config['cookie_name'] . '_t', serialize($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
and replace with this:
Code:
setcookie($board_config['cookie_name'] . '_t', serialize_array($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);

then open includes/sessions.php, find this (line 40):
Code:
$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
and replace with this:
Code:
$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize_array(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
then find this (line 188):
Code:
setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
and replace with this:
Code:
setcookie($cookiename . '_data', serialize_array($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
then find this (line 215):
Code:
$sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
and replace with this:
Code:
$sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ? unserialize_array(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
then find this (line 305):
Code:
setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
and replace with this:
Code:
setcookie($cookiename . '_data', serialize_array($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
Do NOT pm me, I don't visit this forum anymore, don't own it, don't provide any support and don't moderate.
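As an added example, not the post's code or phpBB's: the same pipe-delimited cookie format with the validation that the author's "numbers and md5 hashes only" assumption implies, so unexpected cookie content is dropped rather than trusted. The strict_* function names and the sample cookie values are constructed for this illustration.

```php
<?php
// Added example (not phpBB code): the workaround's "key=value|key=value"
// format, but keys and values must be integers or md5 hex digests. Where
// the post's version only strips '|', this rejects anything unexpected.

// Accept the shapes phpBB stores in these cookies: decimal integers
// (topic/forum ids, timestamps) or 32-character lowercase hex md5 digests.
function is_allowed_token($s)
{
    return preg_match('/^(?:\d{1,10}|[0-9a-f]{32})$/', (string) $s) === 1;
}

// Strict reader. Unlike unserialize() it interprets no type tags, references
// or class names: it splits on two delimiters and copies strings. A single
// malformed or unexpected pair discards the whole cookie.
function strict_unserialize_array($str)
{
    $array = array();
    foreach (explode('|', $str) as $pair) {
        $row = explode('=', $pair, 2);
        if (count($row) != 2 || !is_allowed_token($row[0]) || !is_allowed_token($row[1])) {
            return array();
        }
        $array[$row[0]] = $row[1];
    }
    return $array;
}

// Strict writer: a pair that could not round-trip is skipped rather than
// silently mangled by str_replace().
function strict_serialize_array($array)
{
    $parts = array();
    foreach ($array as $var => $value) {
        if (is_allowed_token($var) && is_allowed_token($value)) {
            $parts[] = $var . '=' . $value;
        }
    }
    return implode('|', $parts);
}

// Constructed sample: topic_id => last-read timestamp, as the _t cookie holds;
// the third pair violates the format and is skipped by the writer.
$tracking = array(12 => 1103385600, 345 => 1103385601, 'bad|key' => 'x');
$cookie = strict_serialize_array($tracking);
var_dump($cookie, strict_unserialize_array($cookie));
// A cookie written in PHP's native serialize() syntax is just unexpected
// text to this reader and is rejected before anything acts on it.
var_dump(strict_unserialize_array('a:1:{i:5;i:1103385600;}'));
```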

Postby PostBot on Sat Dec 18, 2004 8:37 pm

update

Apply this patch immediately to your forum!!!!!!!!!!!!!

An exploit for phpBB was released and unfortunately it works. So very soon lots of script kiddies will be running around "hacking" forums. However, this workaround solves the problem by making the exploit useless, so if you apply this patch you are quite safe.