phpbb security issue

 
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions
View previous topic :: View next topic  
Author Message
mjjk91
-


Joined: 03 Feb 2004
Posts: 75
Location: Australia

PostPosted: Sun Jan 23, 2005 1:41 pm    Post subject: phpbb security issue Reply with quote

G'Day All

I have recently run into a security issue with phpbb, and it has to do with unauthorized access into the administration section. The problem is, whenever a message is posted, certain words are not appearing as they should. For example, when someone posts a message with the word "and", it actually appears as the word "the", even though the word "and" is actually stored in the database! This problem is occuring because an unauthorized person is setting word replacements in the word censorship section. The following illustrations describe my point (sorry for the language in them, but its part of the problem):

-------------------------------------------------------------------------------------



This picture is the message that appears in the forum, after it is posted.



This is the data that is being inserted into the database, and this is what should actually be appearing on the forum.

-------------------------------------------------------------------------------------

As you can well see, this is a major security breach, and i would love some comments on it ASAP. Has anyone ever experienced anything like this? Do they know how to combat it? What is the best way to protect others getting into the admin section of the forum?

Thanks

Mick Koch
_________________
Back to top View user's profile Send private message Visit poster's website MSN Messenger
jmc
-


Joined: 12 Oct 2003
Posts: 34

PostPosted: Sun Jan 23, 2005 3:20 pm    Post subject: admin user Reply with quote

Hi, Mick!
Hello from windy Hartlepool, UK.
Couple of quick q's to assess your "un-hackability"... Are you using the current version (2.0.11) of phpBB? Have you set the image verification tool for registrations? (functional in the new package only in the subSilver theme... you have to "hack" any custom themes for it to work, but it's well worth the effort! If you don't have the time at the moment to do this, then I would seriously consider running your Forum in subSilver until you can!). Have you set registrations to require e-mail confirmation? (an absolute MUST if ya ask me!). Have you password-protected phpMyAdmin? And finally, are you using the php4.3.10 package (worms, old boy! LOL).
So... to fix the problem... First thing to do is try finding the culprit. I presume you are familiar with phpMyAdmin? If so, open up your phpBB database. In the left panel, click the phpbb_users title to open the table in the right panel. Now click to select the user_level row and click the "Browse" tab at the top. The resulting display shows all forum users. Scroll along until you see the user_level column and check all of the entries. An admin user is 1. All normal users are 0. When you find an unauthorised admin user, you should also see in this row his username, email addy, i.p. etc... all useful info for banning purposes! Take note of this info, open a new browser window, log in to your Forums, go to Admin and delete and ban his ass off!!! Or, you could delete his database entry first, then log in to Forums and ban his I.P. Whatever rings yer bell! Once you have done all this, change your phpMyAdmin password (just in case this is how he's getting in!) and your own phpBB Admin password.
BTW... all of the above is assuming he is an "unauthorised" admin... he may know YOUR password.... in which case, just change it and see what happens!
Good luck!
John Mc
Back to top View user's profile Send private message
richardyork
-


Joined: 22 Jun 2004
Posts: 387
Location: United Kingdom

PostPosted: Mon Jan 24, 2005 1:07 am    Post subject: Reply with quote

i noticed you are using phpbb2 2.0.6. upgrade to phpbb2 2.0.11! you are at a high risk of attacks using the latter version! just view this and you will see that there is a vulnerability, Aprelium got hacked!! http://www.aprelium.com/forum/viewtopic.php?p=33675#33675

Hope this helps!

Thank You!
_________________
Please SEARCH the forums BEFORE asking questions!
Back to top View user's profile Send private message Visit poster's website
mjjk91
-


Joined: 03 Feb 2004
Posts: 75
Location: Australia

PostPosted: Tue Jan 25, 2005 11:40 am    Post subject: Done Reply with quote

G'Day All,

Thanks for that fellas. I have now updated to the newest version of phpbb, and at this stage have had no problems.

I was unable to find the culprate. I had an idea of whom i thought it was, but they said it wasnt them. Im still not convinced.

Just one question, jmc, i have done everything in your message, but there was one thing i didnt understand:

Have you set the image verification tool for registrations? (functional in the new package only in the subSilver theme... you have to "hack" any custom themes for it to work, but it's well worth the effort!

I am not using the subSilver theme, and would like to keep the existing theme i have. So, how do i perform this task with the current theme i have? Any help would be awesome.

Also, one of my friends who knows a bit about how these things works, sent me an email describing what he thought was the problem with phpbb. I believe he was the one who hacked, but he has denied it. Anyways, have a read and see if you agree with him:

-------------------------------------------------------------------------------------

I have already located the forum you are using and now that I have had a look at it the one thing you need to know is that it has bugger all security.... The easiest way to get around this, itmight take a bit of work but, you need to rename all of your tpl files. At the moment by typing in the path to a directory, not hard to work out if you know what you are doing, you can directly access all information held by these files because I know what all of the names are. The only problem with this is that you have to also adjust the coding within ALL of these files so that when the code refers to say anything within "auth_forum_body.tpl" or its containing material the code will have been modified to adjust for these changes... Do you follow what I mean? If not just ask a couple of Q's But as far as I can see it would be pretty easy to change those little things as has happenned.

-------------------------------------------------------------------------------------

What do we think? Is he correct? Should this information be forwarded to phpbb, or do they already know about it?

Thanks everyone.

Mick Koch
http://www.joeysfc.com
_________________
Back to top View user's profile Send private message Visit poster's website MSN Messenger
jmc
-


Joined: 12 Oct 2003
Posts: 34

PostPosted: Tue Jan 25, 2005 8:14 pm    Post subject: rofl Reply with quote

I think he's talking bollox... and I'm sure phpBB.com would be very happy to hear his opinion that
Quote:
it has bugger all security....

However, I think I know what he is referring to... "Automatic Directory indexing"... Have you switched off the Auto Directory indexing option in your Console/Server Config/Advanced/Server Parameters section? If you don't, then anyone guessing the path to a directory which does not include an index.htm file will actually see the entire contents of the directory!
As for the phpbb "visual confirmation" tool, it may not be as difficult as I led you to believe... think I was getting myself a bit confused...LOL. Switch your forum to subsilver, then go back to admin and enable "Visual Confirmation" and save. Then switch back to your preferred style and try registering as a new user. I think you should then see the image verification appear.
And all of that combined should give you just about as secure a setup as you need for phpbb!
John Mc
Back to top View user's profile Send private message
senshi
-


Joined: 05 Nov 2003
Posts: 385
Location: UK

PostPosted: Tue Jan 25, 2005 10:41 pm    Post subject: Reply with quote

phpbb users and php, something that is a reccomended read from the php.net site regarding the worm thats taking advantage of a flaw in the phpbb code base.

http://www.php.net/security-note.php
Back to top View user's profile Send private message
jmc
-


Joined: 12 Oct 2003
Posts: 34

PostPosted: Wed Jan 26, 2005 12:54 am    Post subject: Who was really to blame? Reply with quote

Heh!
OK... maybe that should have read
Quote:
as secure a setup as you need for phpbb!

until the next script kiddie finds another exploitable hole in php/phpbb/whatever script you choose...
Quote:
confusion regarding the timing of some unrelated PHP security fixes

Hmm... Indeed... The question of whether phpbb or php itself was culpable, I will leave to more learned people than me!
On a side note, Mick, the visual confirmation is, at least, a start in the process of stopping "bot"/spammer registrations in your Forums. There are many more hints and tips in the phpbb.com forums if you're up to a bit of php/htaccess modding. Worth checking 'em out, particularly in the light of the recent onslaughts of bot traffic which are maxxing out people's bandwidth limits.
Of course, I get all of my best "Favourites" links from such spam... LOL
John Mc
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group