PHPBB hack


23865371_e33ca6436f_b I saw the news on the Kaspersky blog: phpbb.com was hacked. Fortunately (?) the hack wasn’t done trough PHPBB, rather trough a vulnerable installation of PHPList. BTW, the Kaspersky blog gets it wrong: the hack wasn’t because register_globals was enable, but rather because PHPList contained code to emulate the functionality of register_globals.

More info:

  • The suspekt blog shows the vulnerable parts and also points out that is_file can return true for some URLs, not just local files
  • The Errata Security blog points out that this was a zero-day in some sense (vulnerability was disclosed on Milw0rm, but not yet patched by the authors of PHPList)
  • The hackedphpbb site seems to be written by the author of the hack himself (herself?) and describes step by step how the hack was performed

Conclusions? Patch, patch, patch. Follow milw0rm (and other similar lists) for applications which you use. Use layered defense. Proper usage of all the PHP security features would have prevented this. A useful tool is PhpSecInfo which contains security audit rules and verifies that proper settings are applied on your server.

register_globals can be disabled from the .htaccess file if you can’t modify php.ini directly:

php_flag register_globals off

If you can’t do even that, you can use a script like the one below in each of your pages:

if (ini_get('register_globals') == 'on') {
   foreach ($_REQUEST as $key => $val) {
      unset($key);
   }
}

These solutions are of course error-prone (and not strictly related to the PHPBB hack), but they are better than nothing.

Image taken from AdamR’s photostream whit permission.

,

2 responses to “PHPBB hack”

  1. I’m always afraid of “free solutions”. The same is with phpBB. Why don’t pay really few bucks and get vbulletin with all features. Safe reliable and hack safe (at least I think so)

  2. The security of things has nothing to do with how much they cost! It has everything to do with how much “skin in the game” the people involved in the development have. We tend to think that “commercial” software places a much higher importance on security because otherwise they would loose customers.

    However, the fact is that customers look for features, not for security! With open-source you get much more motivated people, how – even though have fewer resources – can do a much better job because they are motivated. A last point: with open source, you have the option to audit the code if you have the resources to do it. And yes, there are a lot of vBulletin exploits out there too, because some people have the attitude that keeping something closed source is spiting them, so they will hit closed source software harder.

    Just my 2c.