
Want Some Opinions



Posted by Ker JeiAr On 2004-03-23 05:18:00
In Reply to phpBB 2.0.7a And Earlier Security Issues Posted by Ker JeiAr On 2004-03-22 04:23:47



Have you guys seen this?

www.phpbb.com/phpBB/viewtopic.php?f=14&t=183098

psoTFX (Development Team Leader)
Posted: Mon Mar 22, 2004 1:06 pm    Post subject: Recent "multiple vulnerabilities" post to bugtraq

--------------------------------------------------------------------------------

We've already had at least one email concerning this post to bugtraq, "Phpbb 2.0.7a And Earlier Security Issues" by "JeiAr <security@gulftech.org>".

As I made clear in correspondence with this user, the issues raised are of very, very low priority in mine and others' opinions. I'll explain why ...

The issues noted concerning the admin scripts are effectively of no concern. To be able to take advantage of said vulnerabilities you must be an admin. If you're an admin why would you want to bother jumping through hoops to discover another users password? You could simply go in, set it to whatever you like and tada, off you go. I fail to see why a "shared hosting" environment increases the risks here. A board is tied to a database. I know of no host which gives all users the same database! Thus the admin of one board cannot use these issues to obtain information concerning another board.

The issue surrounding session_id checking in posting has been covered in public on this forum many times in the past. At one point we implemented checking in posting. We ended up with so many complaints from users who couldn't post because their sessions had expired (even after relevant workarounds had been tried) we removed it. Since then we've had absolutely no reports of problems. We retained session checking in areas like modcp to prevent "spoofing" of moderator functions from 3rd party sites or local links. This entire sequence of events was quite public and openly discussed here.

Thanks.
_________________
Paul S. Owen - Development Team Leader

I think phpBB do a pretty good job with security, but I do not for the life of me understand this.

User #1 can put the link to an admin command into an image tag.

Admin #1 views the malicious post and unknowingly issues an admin command and deletes the post with the bogus image, thus eliminating the evidence.

Sure, the commands you can have an admin execute are limited to the ones that collect their data values via the GET method, but isn't that still a fairly serious issue? After reading that post, and their not replying to this email

http://www.gulftech.org/vuln/phpBBEmail.txt

I am beginning to think either they are crazy or I am crazy. lol Nothing personal against them, I love phpBB, but I just do not see the logic. Invision Power Board, PostNuke, and many others REQUIRE session IDs or auth keys with no problem and as a result are much more secure and do not allow users to trick admins into running commands.


Also, take for example the SQL injection vulnerability. A user cannot exploit this issue himself, but he can trick an admin into running a query just by viewing a malicious post. I just don't get why that is not seen as a big deal?


GulfTech Security Research
SubScan 1.2
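The sequence the post describes (a user plants an admin URL in an [img] tag, and the admin's browser fetches it with the admin's own cookie while merely viewing the post), as an added example that is not part of the original post and is not phpBB's code. It models a board whose admin script acts on GET parameters with no further check beside one that requires a per-session secret in every admin URL, which is the "session ID or auth key" check the poster says other packages require. The hostname board.example, the script path /admin/admin_users.php, the user ids and the post body are constructed for the example and are not taken from the page.

```python
# Added example (not phpBB's code, not the poster's): a model of the request
# forgery described in the post above. The host, the admin script path, the
# session store and the user ids are assumptions made for illustration.
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

BOARD_HOST = "board.example"              # assumed hostname of the forum
ADMIN_SCRIPT = "/admin/admin_users.php"   # assumed admin script driven by GET parameters

IMG_BBCODE = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE)

# Constructed malicious post: the [img] tag points at an admin command, not an image.
MALICIOUS_POST = (
    "nice board [img]http://board.example/admin/admin_users.php?mode=delete&u=5[/img]"
)


def image_urls(bbcode: str) -> list[str]:
    """Return the URLs a browser would fetch while rendering the post's [img] tags."""
    return IMG_BBCODE.findall(bbcode)


@dataclass
class Board:
    require_sid: bool = False   # False: admin URLs need only the cookie; True: hardened
    sessions: dict[str, tuple[int, str]] = field(default_factory=dict)  # cookie -> (user, sid)
    deleted: list[int] = field(default_factory=list)

    def login(self, user_id: int) -> tuple[str, str]:
        """Issue a session cookie plus a per-session secret ('sid') for use in admin URLs."""
        cookie, sid = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[cookie] = (user_id, sid)
        return cookie, sid

    def handle(self, url: str, cookie: Optional[str]) -> tuple[int, str]:
        """Dispatch one GET request; the cookie is whatever the browser attached by itself."""
        session = self.sessions.get(cookie) if cookie else None
        if session is None:
            return 403, "login required"
        _user, sid = session
        parts = urlsplit(url)
        if parts.path != ADMIN_SCRIPT:
            return 404, "no such script"
        query = parse_qs(parts.query)
        # Hardened path: the sid appears only in links the board generated for this
        # admin's own pages, so a URL planted by another user cannot carry it.
        if self.require_sid:
            sent = query.get("sid", [""])[0]
            if not secrets.compare_digest(sent, sid):
                return 403, "missing or wrong sid"
        if query.get("mode") == ["delete"] and "u" in query:
            target = int(query["u"][0])
            self.deleted.append(target)
            return 200, f"deleted user {target}"
        return 400, "bad request"


def admin_views_post(board: Board, admin_cookie: str, bbcode: str) -> list[tuple[int, str]]:
    """The admin only reads the post; the browser fetches every image URL and, for the
    board's own host, sends the admin's session cookie along with it."""
    results = []
    for url in image_urls(bbcode):
        cookie = admin_cookie if urlsplit(url).netloc == BOARD_HOST else None
        results.append(board.handle(url, cookie))
    return results


def run_scenario(require_sid: bool) -> tuple[list[int], int]:
    """Return (users deleted by the forged request, status of the admin's own request)."""
    board = Board(require_sid=require_sid)
    admin_cookie, admin_sid = board.login(1)
    admin_views_post(board, admin_cookie, MALICIOUS_POST)
    forged = list(board.deleted)
    # The admin's own link is generated by the board and carries the sid, so it still works.
    legit = f"http://{BOARD_HOST}{ADMIN_SCRIPT}?mode=delete&u=7&sid={admin_sid}"
    status, _ = board.handle(legit, admin_cookie)
    return forged, status


if __name__ == "__main__":
    print("no sid check:", run_scenario(False))   # ([5], 200): the forged delete went through
    print("sid required:", run_scenario(True))    # ([], 200): forged delete refused, admin's own link fine
```

The check only helps because the secret is never in anything the attacker can write into a post; it is tied to the admin's session, not to the cookie the browser sends on its own. Two caveats a practitioner would add: a secret carried in the URL leaks through the Referer header of any off-site link the admin follows from that page, which is why later designs put the token in a hidden form field and require POST for state-changing actions; and the check is separate from session expiry, since an expired session fails at the "login required" step regardless of the token.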


