phpBB2Refugees.com
Not affiliated with or endorsed by the phpBB Group
This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

The Final phpBB 2 Security Vulnerability
Dog Cow (Board Member, joined 18 Nov 2008, 378 posts)
Posted: Sun Jan 25, 2009 10:56 pm
Post subject: The Final phpBB 2 Security Vulnerability

Well, I've finally found what it is. This has been mentioned on the phpbb.com forums and I had been wondering what it is. As of phpBB 2.0.23 (the latest version) this vulnerability remains unfixed, though there are some changes in the CVS code.

As it has already been published, I will link to it here: http://seclists.org/bugtraq/2008/Mar/0246.html
and in the NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7143

The point is to inform all phpBB 2 board owners that there is still one more security vulnerability.

But there's no point in divulging it if no fix is provided.

Revision 8479 of bbcode.php includes this new code:

Code:

/**
* Disables the img tag for privileged pages. It also implements a compatibility hack for old templates.
*/
function get_image_tag_replacement($bbcode_tpl)
{
   global $lang, $HTTP_POST_VARS, $HTTP_GET_VARS;
   $bb_tmpl = '';
   // p_sid is the private (ModCP) session ID; its presence marks a privileged page
   if (isset($HTTP_POST_VARS['p_sid']))
   {
      if (isset($bbcode_tpl['p_img']))
      {
         // Newer templates ship a p_img entry that renders the image URL as text
         $bb_tmpl = str_replace('{L_PRIV_IMG}', $lang['Priv_Img'], $bbcode_tpl['p_img']);
      }
      else
      {
         // Old templates have no p_img entry: fall back to a plain-text "<Priv_Img>: URL" line
         $bb_tmpl = $lang['Priv_Img'] . ': {URL}';
      }
   }
   else
   {
      // Ordinary page: keep the normal <img> replacement from the template
      $bb_tmpl = $bbcode_tpl['img'];
   }
   return $bb_tmpl;
}

There are also some changes in the modcp.php page to invoke this code: http://code.phpbb.com/repositories/diff/5/branches/phpBB-2_0_0/phpBB/modcp.php?rev=8457&rev_to=6772
In addition, a private session ID is added: http://code.phpbb.com/repositories/diff/5/branches/phpBB-2_0_0/phpBB/includes/sessions.php?rev=8457&rev_to=5930

Hopefully, if the necessary changes are released (and they are not simple), we can put this security vulnerability to rest.

roadhog (Board Member, joined 19 Nov 2008, 95 posts, Central Texas)
Posted: Mon Jan 26, 2009 1:40 am
Post subject: Re: The Final phpBB 2 Security Error

Until a workaround is found and installed, I assume that implies that if no topic is ever closed (or one that contains an image posted by a hacker is never closed), then the issue is moot - or am I overlooking something?

Thanks for the heads up.

espicom (Board Member, joined 24 Nov 2008, 55 posts, Woodstock, IL)
Posted: Mon Jan 26, 2009 4:09 am
Post subject: Re: The Final phpBB 2 Security Error

It really looks as if the window for exploitation would be closed if you immediately logged out after closing a topic, destroying the session ID before it could be exploited.

Or you could disable sending the referrer information in your browser if using the modcp.

But, I thought the session was tied to the IP, and, with normal configuration, the attacker would have to be on the same subnet to exploit?

Sylver Cheetah 53 (Board Member, joined 17 Dec 2008, 426 posts, Milky Way)
Posted: Mon Jan 26, 2009 12:05 pm
Post subject: Re: The Final phpBB 2 Security Error

Too bad phpBB2 was abandoned by the authors. :(
_________________
My Forum || My Blog

phpBB2 forever! :)

Dog Cow (Board Member, joined 18 Nov 2008, 378 posts)
Posted: Mon Jan 26, 2009 2:41 pm
Post subject: Re: The Final phpBB 2 Security Error

espicom wrote:

But, I thought the session was tied to the IP, and, with normal configuration, the attacker would have to be on the same subnet to exploit?

Yes, I had that same doubt. But the method the attacker would use would be CSRF. He wouldn't need to connect, just have the target load a page with some Javascript or some such thing in his browser.

The interesting thing to note is that I read in one of these descriptions of the exploit that exposure of phpBB 3's SID is not quite as compromising as it would be on phpBB 2. Here it is:
Quote:

2008-04-15: Updated "Description" and "Solution" sections. According to the vendor, SIDs are not sensitive information in version 3.x. Leaked SIDs can therefore not be used to conduct further attacks.

http://secunia.com/advisories/18693/

roadhog wrote:
Until a workaround is found and installed, I assume that implies that if no topic is ever closed, (or one that contains an image posted by a hacker, is never closed), then the issue is moot - or am I overlooking something?

If you never use the ModCP, then you are OK. The fix to this security error is to implement a private session ID which is only used to access the ModCP.

roadhog (Board Member, joined 19 Nov 2008, 95 posts, Central Texas)
Posted: Mon Jan 26, 2009 5:47 pm
Post subject: Re: The Final phpBB 2 Security Error

Could some sort of test to detect certain common characteristics of inappropriate scripts within image files be used to work around such an exploit?

Also, isn't setting one's browser preferences to clear cookies at the close of each session helpful for minimizing this risk, (assuming that one remembers to log out after each session)? Wouldn't that narrow the window of opportunity?

Dog Cow (Board Member, joined 18 Nov 2008, 378 posts)
Posted: Mon Jan 26, 2009 6:41 pm
Post subject: Re: The Final phpBB 2 Security Error

roadhog wrote:
Could some sort of test to detect certain common characteristics of inappropriate scripts within image files be used to work around such an exploit?

Nope. It doesn't matter what the image is. Nothing special. How this works is that you host the image on your server, and then when the admin or moderator loads the split topic or other ModCP page, this image gets loaded off of your server and the referrer is sent, which contains the admin or moderator's session ID.

Then what you do, is you make a page/link which contains this session ID (which you got from looking at your access logs). The moderator/admin loads it (you'd have to convince them to do so), and there would be some Javascript which will execute a malicious request, such as deleting a topic or post. This request would send the session ID which is required in the URL to use the ModCP/AdminCP, and then since the admin/moderator himself is loading this page, his own cookie data gets sent, thus the exploit is complete.

If you have a lucky day and you get an administrator's session ID, well then you can do just about anything!

This whole exploit relies on social engineering.
Quote:

Also, isn't setting one's browser preferences to clear cookies at the close of each session helpful for minimizing this risk, (assuming that one remembers to log out after each session)? Wouldn't that narrow the window of opportunity?

Yes, if you log out, then this attack cannot work, so the attacker would have to try again.
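The leak step Dog Cow describes, as an added example that is not code from this thread or from phpBB: a scan over access-log lines of the server hosting the image, picking out Referer values that carry a phpBB 2 sid and flagging those that come from modcp.php or the admin/ tree (the pages whose URLs carry the sid even when cookies are on). The log lines, hostnames, addresses and session ID are constructed for the example; the Apache combined log format and the 32-hex-digit sid format are assumptions.

```python
"""Find phpBB 2 session IDs leaked through the HTTP Referer header.

Added example (not phpBB code). Models the leak from the thread: a ModCP page
whose URL carries sid=... embeds an image hosted on a server the attacker
controls, so every moderator view writes the ModCP URL, sid included, into
that server's access log.
"""
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format (assumed); the Referer is the first quoted field after the size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Pages that take the session ID from the URL as a privilege token in phpBB 2.0.x.
PRIVILEGED_SCRIPTS = ("modcp.php", "admin/")

# Constructed sample lines: hosts, addresses and the sid are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2009:14:02:11 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "http://board.example/viewtopic.php?t=42" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2009:14:03:40 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "http://board.example/modcp.php?t=42&mode=split&sid=3c4b1e9f2a7d8c6b5a4f3e2d1c0b9a87" "Mozilla/5.0"
198.51.100.2 - - [26/Jan/2009:14:05:02 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "-" "curl/7.19"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def leaked_sid(referer):
    """Return (sid, privileged) when the Referer carries a phpBB 2 sid, else None.

    privileged is True when the referring page is modcp.php or under admin/,
    i.e. the sid is one that authorises moderator or admin actions.
    """
    if not referer or referer == "-":
        return None
    u = urlparse(referer)
    sid = parse_qs(u.query).get("sid", [None])[0]
    if sid is None or not re.fullmatch(r"[0-9a-f]{32}", sid):  # sid format assumed
        return None
    privileged = any(p in u.path for p in PRIVILEGED_SCRIPTS)
    return sid, privileged


def find_leaks(log_text):
    """Scan log lines and return a list of (client_ip, sid, privileged, referer)."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = leaked_sid(rec["referer"])
        if hit:
            sid, priv = hit
            leaks.append((rec["ip"], sid, priv, rec["referer"]))
    return leaks


if __name__ == "__main__":
    for ip, sid, priv, ref in find_leaks(SAMPLE_LOG):
        kind = "ModCP/AdminCP page" if priv else "ordinary page"
        print(f"{ip} leaked sid {sid} from {kind}: {ref}")
```

Only the second sample line is reported: the first has no sid in its URL (cookies on, ordinary page) and the third sent no Referer at all, which is what the browser-side workarounds later in this thread (disabling referrers or image loading) achieve.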

Jim_UK (Board Member, joined 19 Nov 2008, 548 posts, North West UK)
Posted: Mon Jan 26, 2009 7:41 pm
Post subject: Re: The Final phpBB 2 Security Error

Is this exploit making use of a weakness in IE or is it all browsers the Admin might be using?
I do recall an exploit making use of images before (as small as 1 pixel square) but Firefox was immune.

Jim

Sylver Cheetah 53 (Board Member, joined 17 Dec 2008, 426 posts, Milky Way)
Posted: Mon Jan 26, 2009 7:54 pm
Post subject: Re: The Final phpBB 2 Security Error

I am very interested in two things.
1. Is there any way I can scan my board for vulnerabilities? Maybe on some smart website... I have 50 MODs installed and I can not know how safe they are. :)
2. The best way to stop the exploit you guys talk about is just to try it out. So you have to find that java or what it is and try to see if you can hack your own board. Then, you can do whatever tricks you think are necessary and then just keep trying to see if you still can hack your board. This is something that everyone could do for himself. For example, we can try to make some code changes to not load images when using Mod CP, but only show the IMG code. ;) I think this can be solved, but you just need that exploit to test it on our MODs, but when we find it, we can not just post it here for everyone to see, because it can be used by malicious persons, so we have to be sure that only the active trusted members will get it, and then we can tell others what we've found. 8)

_________________
My Forum || My Blog

phpBB2 forever! :)

Dog Cow (Board Member, joined 18 Nov 2008, 378 posts)
Posted: Mon Jan 26, 2009 7:58 pm
Post subject: Re: The Final phpBB 2 Security Error

Jim_UK wrote:
Is this exploit making use of a weakness in IE or is it all browsers the Admin might be using?
I do recall an exploit making use of images before (as small as 1 pixel square) but Firefox was immune.

Jim

Any browser which has both Javascript AND sends referrer data is vulnerable. At minimum, the browser need only send referrer data when loading an image to be vulnerable. Some browsers such as Firefox have the option (or an add-on) to disable the submission of that datum. Javascript just makes a CSRF attack easier to carry out.

Sylver Cheetah 53 wrote:
I am very interested in two things.
1. Is there any way I can scan my board for vulnerabilities? Maybe on some smart website... I have 50 MODs installed and I can not know how safe they are. :)

You or someone you know would have to look over all the code. There's no automated tool. Put simply, a knowledge of how things work is the only way to be sure.
Quote:

2. For example, we can try to make some code changes to not load images when using Mod CP, but only show the IMG code. ;)

That's exactly what code changes are in store for phpBB 2.0.24 if it is ever officially released. When you're in the ModCP, the BBCode img tag gets a change to just show the plain-text URL of the image.

Even if 2.0.24 is not officially released, those code changes are online at the links I listed in my first post, or I also happen to have a complete copy of 2.0.24 which I downloaded last night. In other words, they can be implemented today, and probably should be done as soon as possible. Since this exploit was discovered in March of 2008, I'm sure it's been well-tested since then.

roadhog (Board Member, joined 19 Nov 2008, 95 posts, Central Texas)
Posted: Mon Jan 26, 2009 8:31 pm
Post subject: Re: The Final phpBB 2 Security Error

I can't find anything in Firefox about referrer data, nor in the Firefox knowledgebase. The only add-on that seems to apply is only listed for versions 1.5 - 2.0.0.*, and most of us, I would assume, are using version 3.0.5.

Quote:
ReloadWithReferrer 0.1
by roje
experimental

Categories

* Other

Globally stops sending of the referrer (referer) data.
Some pages prevent loading images when no referrer was sent. Such and other problem pages can be reloaded with referrer data temporarily turned on, using the context menu item "Reload w/ Referrer".

Not yet rated

Updated July 4, 2007

Jim_UK (Board Member, joined 19 Nov 2008, 548 posts, North West UK)
Posted: Mon Jan 26, 2009 8:33 pm
Post subject: Re: The Final phpBB 2 Security Error

Has anyone implemented the changes linked to in the first post and if so were there any issues that followed?
I ask that as just about every update seems to produce a rash of posts where folks have found problems or incompatibilities with some other change they have made.
Does installing those changes remove the board's susceptibility to this exploit or were the changes for some other reason?


Jim

roadhog (Board Member, joined 19 Nov 2008, 95 posts, Central Texas)
Posted: Mon Jan 26, 2009 8:50 pm
Post subject: Re: The Final phpBB 2 Security Error

I was just about to post the same questions. :lol:

espicom (Board Member, joined 24 Nov 2008, 55 posts, Woodstock, IL)
Posted: Mon Jan 26, 2009 8:52 pm
Post subject: Re: The Final phpBB 2 Security Error

There are multiple ways to disable sending referrer data in Firefox. One is to install the Web Developer Toolkit, which puts it under "Disable" on the tool bar. You can do it by editing the about:config data. And several other Add-ons selectively enable/disable it.

Alternatively, you can disable loading images, which is a menu item, when/if you use the MODCP, under Tools/Options/Content (Edit/Preferences/Content for non-Windows users).

Dog Cow (Board Member, joined 18 Nov 2008, 378 posts)
Posted: Mon Jan 26, 2009 9:26 pm
Post subject: Re: The Final phpBB 2 Security Error

Jim_UK wrote:
Has anyone implemented the changes linked to in the first post and if so were there any issues that followed?
Does installing those changes remove the boards susceptibility to this exploit or were the changes for some other reason?

Last night, I downloaded all of the phpBB 2.0.24 CVS code and installed it on my computer. It incorporates the fix to the exploit, and fixes a bug in the keyword search system. There may be other changes/fixes as well, but I do not know what they are if so. I sent a PM an hour ago to Kellanved to which he replied saying "It's untested but should largely work"

However, there is no file listing all the changes from 2.0.23 to 2.0.24 CVS, so you'd need to diff them out and make a patch file. I will be doing this work shortly, and will make a standard phpBB MOD template file with the changes if phpBB 2.0.24 is not officially released. Remember, the last possible day is 1st of Feb, which is quite soon.

These changes should not introduce any incompatibilities with MODs or any other such thing. The files which receive changes include:
sessions.php - which implements a private session ID
viewtopic.php - adds this "p_sid" to the ModCP URLs
modcp.php - uses the p_sid instead of usual sid
bbcode.php - implements a change to the img tag if p_sid is set - will show the URL of the image instead of the picture
templates/*/bbcode.tpl - adds a new p_img tag for the bbcode change

roadhog wrote:
I can't find anything in Firefox about referrer data, nor in the Firefox knowledgebase.
Enter URL - about:config then look to this setting: network.http.sendRefererHeader
I assume that setting the value to 0 will disable it.
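The 2.0.24 change set Dog Cow lists above (a private p_sid issued for ModCP links, modcp.php authorising on p_sid instead of the usual sid, and the bbcode img tag shown as a plain URL whenever p_sid is set), together with the get_image_tag_replacement function quoted in the first post, modelled as an added Python example rather than phpBB's own code. Board, login, enter_modcp, modcp_action and render_post are names chosen for this example; the "Image: URL" text stands in for $lang['Priv_Img'], the token format is assumed, and phpBB's session table, IP binding and cookie handling are deliberately left out.

```python
"""Model of the phpBB 2.0.24 private-session-ID fix discussed in this thread.

Added example, not phpBB code. One login yields two tokens: the ordinary sid
(what a Referer from an ordinary page, or a pre-fix ModCP page, can leak) and
a separate p_sid that is the only thing modcp.php accepts. A page rendered
under p_sid shows [img] tags as plain URLs, so it never fetches an attacker's
image and therefore never sends a Referer carrying p_sid.
"""
import re
import secrets

# [img]http://...[/img] as phpBB 2 bbcode (simplified regex, an assumption of this example)
IMG_BBCODE = re.compile(r"\[img\](?P<url>https?://[^\[\]\s]+)\[/img\]", re.IGNORECASE)


class Board:
    def __init__(self):
        self.sessions = {}   # sid   -> user: public session, may leak through Referer
        self.priv = {}       # p_sid -> user: private session, only ever placed in ModCP URLs

    def login(self, user):
        """sessions.php: create the ordinary session (32 hex digits, format assumed)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def enter_modcp(self, sid):
        """viewtopic.php in 2.0.24: issue a p_sid bound to the caller's session for ModCP links."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        p_sid = secrets.token_hex(16)
        self.priv[p_sid] = user
        return p_sid

    def modcp_action(self, token, action):
        """modcp.php in 2.0.24: authorise on p_sid only, so a leaked public sid is refused."""
        user = self.priv.get(token)
        if user is None:
            return "Not authorised"
        return f"{user}: {action} done"

    def render_post(self, body, p_sid=None):
        """bbcode.php: normal <img> on ordinary pages; plain URL text when p_sid is set
        (the get_image_tag_replacement branch), so a ModCP page loads no remote image."""
        if p_sid is not None:
            return IMG_BBCODE.sub(lambda m: f"Image: {m.group('url')}", body)
        return IMG_BBCODE.sub(lambda m: f'<img src="{m.group("url")}" border="0" />', body)


def demo():
    """Walk the attack path from the thread and return what each step yields after the fix."""
    board = Board()
    sid = board.login("moderator")
    p_sid = board.enter_modcp(sid)
    post = "look [img]http://attacker.example/x.gif[/img]"   # constructed attacker post
    return {
        # an attacker who captured the public sid gets nothing from ModCP
        "leaked_sid_rejected": board.modcp_action(sid, "delete topic 42"),
        # the moderator's own ModCP request carrying p_sid succeeds
        "p_sid_accepted": board.modcp_action(p_sid, "delete topic 42"),
        # the split-topic page under p_sid contains no <img>, so no fetch and no Referer
        "modcp_view": board.render_post(post, p_sid=p_sid),
        # the same post on an ordinary page still renders the image
        "normal_view": board.render_post(post),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is why the bbcode change and the private session go together: the p_sid is the token that matters, it only ever appears in ModCP URLs, and ModCP pages rendered with it no longer load user-supplied images, so there is no request left in which a Referer could carry it off-site. The public sid can still leak from an ordinary page when cookies are off, but modcp_action refuses it.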
Page 1 of 14. All times are GMT.