phpBB 2.0.7a And Earlier Security Issues
Posted by Ker JeiAr
On 2004-03-22 04:23:47
http://www.gulftech.org/03202004.php
I have fixed the SQL Injection issues. Well, the ones I am aware of. Hopefully I will get the Session ID problems fixed, or phpBB will release a fix. I have the gulftech.org forums offline until then cause we use phpBB :(
Some Fixes For These Issues
Posted by Ret. Ker JeiAr
On 2004-03-25 12:11:30
Well, I think I got most things secured on the GulfTech Forums with the exception of the ACP issues which is gonna require a good bit of work as there is NO session checking implemented there so it seems, and just transferring the modcp session auth over doesn't seem to work sooooo
Anyway, here ya go :)
http://www.gulftech.org/vuln/phpBBadminFix.rar
http://www.gulftech.org/vuln/phpBBpostDeletion.rar
http://www.gulftech.org/vuln/phpBBlogoutFix.rar
sweet man :)
Posted by LtKer Semper
On 2004-03-25 16:48:09
I've kept up with this issue here and on the phpbb forums and still don't see why their dev team doesn't just say "We understand the issues and will release fixes for them as soon as we find time to work on them." or something to that demeanor. Some of the dev team seems totally hostile towards the issue and some of the others seem totally resistant to even wanting to fix the problem properly. IMHO I think they are resistant to the session_id implementation because they don't know how to implement them properly. I dunno though. :)
Good job on your findings though. :)
On 2004-03-25 12:11:30, JeiAr wrote
>Well, I think I got most things secured on the GulfTech Forums with the exception of the ACP issues which is gonna require a good bit of work as there is NO session checking implemented there so it seems, and just transferring the modcp session auth over doesn't seem to work sooooo
>
>
>Anyway, here ya go :)
>
>http://www.gulftech.org/vuln/phpBBadminFix.rar
>http://www.gulftech.org/vuln/phpBBpostDeletion.rar
>http://www.gulftech.org/vuln/phpBBlogoutFix.rar
>
RE: sweet man :)
Posted by Ret. Ker JeiAr
On 2004-03-25 19:01:33
lol. I agree about the session auth thing. phpBB 2.0.8 was released today, but my exploit code still works as they only changed [img] tags to be a valid extension *rolls eyes*
Hmmmm ...
Posted by Ker JeiAr
On 2004-03-23 20:40:47
I heard from someone a minute ago that they already fixed the post delete problem on phpbb.com forums, so they didn't think it was a big enough issue to release a fix for their users, but was a big enough issue to make sure that THEY were safe?
Hah.
Posted by Lt Obscurity
On 2004-03-24 03:17:41
I love it. I don't understand why they don't accept third party patches, or at least look over them and take proof of concepts from third parties. I think, if they won't provide a patch, you should provide the patch. I know your request to BugTraq added in the SQL Injection and XSS patches, maybe when CPC gets around to it, or possibly when the new 'Mission Proposals' come out, you can advertise that out.
Want Some Opinions
Posted by Ker JeiAr
On 2004-03-23 05:18:00
Have you guys seen this?
www.phpbb.com/phpBB/viewtopic.php?f=14&t=183098
psoTFX
Development Team Leader
Joined: 03 Jul 2001
Posts: 8803
Location: Location? I don't need no stinking location ...
Posted: Mon Mar 22, 2004 1:06 pm Post subject: Recent "multiple vulnerabilities" post to bugtraq
--------------------------------------------------------------------------------
We've already had at least one email concerning this post to bugtraq, "Phpbb 2.0.7a And Earlier Security Issues" by "JeiAr <security@gulftech.org>".
As I made clear in correspondence with this user the issues raised are of very very low priority in mine and others opinions. I'll explain why ...
The issues noted concerning the admin scripts are effectively of no concern. To be able to take advantage of said vulnerabilities you must be an admin. If you're an admin why would you want to bother jumping through hoops to discover another users password? You could simply go in, set it to whatever you like and tada, off you go. I fail to see why a "shared hosting" environment increases the risks here. A board is tied to a database. I know of no host which gives all users the same database! Thus the admin of one board cannot use these issues to obtain information concerning another board.
The issue surrounding session_id checking in posting has been covered in public on this forum many times in the past. At one point we implemented checking in posting. We ended up with so many complaints from users who couldn't post because their sessions had expired (even after relevant workarounds had been tried) we removed it. Since then we've had absolutely no reports of problems. We retained session checking in areas like modcp to prevent "spoofing" of moderator functions from 3rd party sites or local links. This entire sequence of events was quite public and openly discussed here.
Thanks.
_________________
Paul S. Owen - Development Team Leader
phpBB 2.2 | Feature Requests | Snapshots | ACP
<---- Support the London 2012 Olympic Bid ---->
"To err is human, to screw up royally requires me!"
I think phpBB do a pretty good job with security, but I do not for the life of me understand this.
User #1 can put the link to an admin command into an image tag
Admin #1 views the malicious post and unknowingly issues an admin command and deletes the post with the bogus image thus eliminating the evidence.
Sure, the commands you can have an admin execute are limited to the ones that collect their data values via the GET method, but isn't that still a fairly serious issue? After reading that post, and their not replying to this email
http://www.gulftech.org/vuln/phpBBEmail.txt
I am beginning to think either they are crazy or I am crazy. lol Nothing personal against them, I love phpBB, but I just do not see the logic. Invision Power Board, PostNuke, and many others REQUIRE session ID's or Auth keys with no problem and as a result are much more secure and do not allow users to trick admins into running commands.
Also, take for example the SQL injection vulnerability. A user cannot exploit this issue himself, but he can trick an admin into running a query just by viewing a malicious post. I just don't get why that is not seen as a big deal?
RE: Want Some Opinions
Posted by Lt Obscurity
On 2004-03-23 07:46:48
On the note of only admins can access the database...
I know many many forums, from PHPBB to VBulletin that have multiple admin users. In which each level an admin has restricted opportunity towards certain data. For example, Admin Level 1 can only Ban, SuperBan, and Delete topics. Admin Level 2 can do everything Level 1 can, plus Create/Delete forums, edit info excluding passwords and send out 'forum-wide' messages via email or PM. Admin Level 3 has complete control, and is effectively known as Root.
So I see a huge problem with that logic.
I'm with you, they are on crack with this one...
Posted by Ret. Mar Ikioi
On 2004-03-23 11:00:34
Regardless of what they think the risk is, security is about minimization of risk. Any hole should be top priority where security is concerned. User session ID's expiring... are they actually serious? Increase the time limit then. Session IDs are NOT brain surgery.
Frankly, I've trusted phpBB because of quick response to security holes, but that reply makes me question their current direction seriously.
As for shared hosting, please be kind enough to inform them that variants of phpBB db's are included with many other systems, like Postnuke. To exploit phpBB's system, is to them give accesses to other areas outside the phpBB system, making it a doorway hack.
Further, shared phpBB db's are not uncommon. If a site owner only has one SQL db, but runs forums for subdomains, obviously, they will share that one db, and would have multiple admins for multiple levels with multiple abilities on multiple boards.
Very low priority. Someone needs to tell the phpBB team that regardless of features, an insecure board is worthless board, regardless of features... which is why phpBB has been a viable alternative to Invision. Invision has more features, but phpBB's response to bugs/holes has been really great. At least, up to this point.
Some points:
"If you're an admin why would you want to bother jumping through hoops to discover another users password? "
Someone tell this genius (sarcasm) that people sometimes share passwords with their e-mail, other sites, etc.
"I fail to see why a 'shared hosting' environment increases the risks here. ... I know of no host which gives all users the same database!"
This guy must live in la-la land where everyone hosts with an unlimited SQL provider, and all admins are root. Tell him to chat with me, a hosting provider, and I'll inform him of a little something I like to call... reality.
"To err is human, to screw up royally requires me!"
Yep, partner, you got that right.
That reply is tantamount to the *nix community telling server owners, "Yeah, there is an exploit in chroot, but only if root executes it, so it's low priority." (Well, cause if cron runs as root, and they execute chroot statements for other user sites, then you have a big clusterf#$%!). *nix community wouldn't give some crap response like that, and users wouldn't stand for it.
So, yes, third party patches are certainly welcomed, at least, by phpBB users. If anyone considers any security hole is "very very low priority", then they are not the person to be leading any discussion of security development in any product. They are apt to fit in well on some other project... like the next version of Windows. ;)
RE: I'm with you, they are on crack with this one...
Posted by Ker JeiAr
On 2004-03-23 17:14:55
On 2004-03-23 11:00:34, Ikioi wrote
>Regardless of what they think the risk is, security is about minimization of risk. Any hole should be top priority where security is concerned. User session ID's expiring... are they actually serious? Increase the time limit then. Session IDs are NOT brain surgery.
>
I agree, Invision Power Board, Postnuke. Both of those for example would not allow this type of activity. They say that they protected all of the "important files" yet the entire admin control panel that relies on the GET method is open to attack. Actually, you could exploit post method stuff also if done via a 3rd party site I believe.
>Frankly, I've trusted phpBB because of quick response to security holes, but that reply makes me question their current direction seriously.
>
Same here man, I was really disappointed and felt like they were trying to make me feel foolish for even bringing these issues up :-\
>As for shared hosting, please be kind enough to inform them that variants of phpBB db's are included with many other systems, like Postnuke. To exploit phpBB's system, is to them give accesses to other areas outside the phpBB system, making it a doorway hack.
>
>Further, shared phpBB db's are not uncommon. If a site owner only has one SQL db, but runs forums for subdomains, obviously, they will share that one db, and would have multiple admins for multiple levels with multiple abilities on multiple boards.
>
This is the case with gulftech.org I have forums.gulftech.org and I set friends up with forums that share a db. With the right permissions and not having ftp access this is not really a big security threat for my site. Well, it wasn't until now :-\
>Very low priority. Someone needs to tell the phpBB team that regardless of features, an insecure board is worthless board, regardless of features... which is why phpBB has been a viable alternative to Invision. Invision has more features, but phpBB's response to bugs/holes has been really great. At least, up to this point.
>
>
>Some points:
>
>"If you're an admin why would you want to bother jumping through hoops to discover another users password? "
>
What he said was that why would an admin want to find out a users pass when they could just change it to whatever they want? ummmm ... okkkaaaaayyyy :-\
>Someone tell this genius (sarcasm) that people sometimes share passwords with their e-mail, other sites, etc.
>
>"I fail to see why a 'shared hosting' environment increases the risks here. ... I know of no host which gives all users the same database!"
>
>This guy must live in la-la land where everyone hosts with an unlimited SQL provider, and all admins are root. Tell him to chat with me, a hosting provider, and I'll inform him of a little something I like to call... reality.
>
>"To err is human, to screw up royally requires me!"
>
>Yep, partner, you got that right.
>
>That reply is tantamount to the *nix community telling server owners, "Yeah, there is an exploit in chroot, but only if root executes it, so it's low priority." (Well, cause if cron runs as root, and they execute chroot statements for other user sites, then you have a big clusterf#$%!). *nix community wouldn't give some crap response like that, and users wouldn't stand for it.
>
>So, yes, third party patches are certainly welcomed, at least, by phpBB users. If anyone considers any security hole is "very very low priority", then they are not the person to be leading any discussion of security development in any product. They are apt to fit in well on some other project... like the next version of Windows. ;)
Development Teams Reply
Posted by Lt Obscurity
On 2004-03-23 14:19:18
I think I've explained the situation as well as I can. The risks noted are being overblown IMHO. I'm well aware of the potential in shared hosting environments and I explained why the risk there (should) be very low. I cannot control how hosting providers allow users to share information which frankly shouldn't be shared. Nor can I control how hosting providers may or may not manage their shared environments in an appropriate manner (a fundamental issue of security on their part).
These two issues are therefore, IMO of low priority. We don't ignore these problems, hence the announcement and explanation. I should add that I did not give permission for the original reporter to disclose my email conversations with him ... I could have pursued that if I'd wished. However I decided it may help explain the situation and thus let it go. The issues raised will more than likely be addressed in a future release. However as I've noted at this time the risk attributable to them is low.
_________________
Paul S. Owen - Development Team Leader
RE: Development Teams Reply
Posted by Ker JeiAr
On 2004-03-23 17:17:53
"I should add that I did not give permission for the original reporter to disclose my email conversations with him ... I could have pursued that if I'd wished. However I decided it may help explain the situation and thus let it go."
Holy hell man, is this guy for real?
RE: Development Teams Reply
Posted by Ker JeiAr
On 2004-03-23 17:31:30
I just sent Paul this. I wonder what he will say.
Hi Paul,
I just read this.
I should add that I did not give permission for the original reporter to disclose my email conversations with him ... I could have pursued that if I'd wished. However I decided it may help explain the situation and thus let it go.
If you did not like me posting your email why not tell ME instead of saying something about it to people who were not even involved in the correspondence on your forum?
> I don't mean this to sound like we don't want to do anything, it's just that there is no great need to in 2.0. So please,
> should you chose to release anything detailing "security problems" please be sure to emphasise the underlying issue as to
> why they are of very little concern.
---------------
I will release details of this email and try and show things from all points of view. I just want to help people, not
frighten them or make them think phpBB is insecure. After all we use phpBB for the GulfTech forums ;)
---------------
This was the EXACT same thing I sent to you. You knew I was gonna release the email, why didn't you ask "JeiAr, can I give you an official response to post instead of the email?" I would have gladly done that instead. I have always been a fan of phpBB, and I have given advance warning on vulns I have found because I like users to be safe, and I like helping the Open Source community. But I would be lying if I said that I wasn't a little disappointed over the handling of this issue.
Fine, you have your mind made up and some users agree? Okay, that's the way it is, and I will write my own patch. But I have been nothing but professional and courteous to you and you should realize if you have a problem with me (the releasing of your email) then tell me about it. I am an adult, and not a jerk. If you want your email removed all you had to do was ask ME. If you would like I can replace it with your response on the announcement forums.
Best Regards,
James
RE: Development Teams Reply
Posted by Lt Obscurity
On 2004-03-23 17:25:16
Who knows, though I think it's funny that they brush off vulnerabilities like they were dust on the shoulder. Another post on there made by a user was like "I'd rather have PHPbb x.x version out rather than start working on security issues that don't really pose 'that much' of a problem".
I think it's funny that because people don't have the right funds to be able to support multiple databases so they get sidetracked.
Yay for personal and business integrity.
RE: Development Teams Reply
Posted by Ker JeiAr
On 2004-03-23 17:33:40
I think I am gonna release my own phpBB port called phpBBsecure. This might be a good project for CA. What do you guys think?
RE: Development Teams Reply
Posted by Lt Obscurity
On 2004-03-23 18:15:38
Sounds like a pretty cool project, yay for open source software. Wouldn't have to deal with PhpBB, and by the way you're finding XSS/SqlInjection vulnerabilities, you'll have most of them wrapped up by 1.x releases :P~
RE: Development Teams Reply
Posted by Ker JeiAr
On 2004-03-23 19:39:35
Here is a post I am gonna send to BugTraq to show how dangerous this issue is and how it NEEDS to be fixed.
Since the phpBB team do not seem to think the issues I found as outlined here are serious issues.
http://www.gulftech.org/03202004.php
I have decided to release some proof of concept exploit examples. The ones of you who know me are probably familiar with the fact GulfTech keeps exploit code and the like private in almost all cases and only shares it with known security researchers, but I feel this is the only way to make misinformed people believers. It's unfortunate, but I will limit the examples to deleting posts and not performing admin actions as my purpose is to not have anyone do any real harm to someones forum.
http://www.gulftech.org/vuln/phpBBpoc/
There has also been a thread started about this issue on the CA Security forum.
http://www.cyberarmy.net/forum/security/messages/203396.html
If anyone wants to give their opinion we would love to hear it as long as it is appropriate and not a flame or something unnecessary. We only want civilized discussion about this issue and a proposed fix :)
Best Regards,
JeiAr
GulfTech Security Research
RE: Development Teams Reply
Posted by Lt Obscurity
On 2004-03-24 03:14:15
Damn good job JeiAr. Malicious methods within the image tags equals disaster on certain concepts. I'm gonna add in your fixes to my phpBB forum.
Posted to their forum...
Posted by Ret. Mar Ikioi
On 2004-03-23 11:37:22
Dunno if it will stay up (they seem to have no forum for bugs, but oh well):
I would like to reply to an announcement, and this seems the most fitting forum. If it is not, please move my post to the correct one.
In reply to http://www.phpbb.com/phpBB/viewtopic.php?t=183098 :
"If you're an admin why would you want to bother jumping through hoops to discover another users password? "
People sometimes share passwords with their e-mail, other sites, etc. Sure, there are other methods to get another users password, if you have access to modify site files, but this is outside the bounds of phpBB, and would include more trusted individuals. Shared passwords is a bad habit, but one that exists, none the less.
Remember, not all forum admins are the same people that are the site admins.
"I fail to see why a 'shared hosting' environment increases the risks here. ... I know of no host which gives all users the same database!"
I am a hosting provider, and I can give you as many examples in which this is true, if you would like. People incorporate phpBB into other software, and share DB's for many reasons. Main site with only one SQL db, that runs forums for subdomains; Incorporating phpBB into a CMS, like Postnuke; etc. I host many sites that use these examples, this is not a hypothetical situation. Shared hosting environment increases the risk for many reasons, the chief being that shared hosts work with limited resources, thus, are more prone to make the best use of them through sharing.
The other thing I would like to point out is that no security flaw should be very very low priority. As I understand it, a fix is already available at http://www.gulftech.org/vuln/phpBBadminFix.rar , so priority need only be to incorporate the already available fix, correct?
Where risk can be lowered, it should be lowered. I have seen a proof of concept of this exploit, and in a shared environment, it could be very hazardous.
Thank you, and feel free to e-mail me as a hosting provider, if you wish more information about situations of SQL usage in a shared hosting environment that you may not be familiar with that could increase security risks to exploits such as the one mentioned.
RE: Posted to their forum...
Posted by Ker JeiAr
On 2004-03-23 17:49:48
I just replied to that post. Who knows if they are gonna edit or delete my post, but here is the url, and the quoted post.
http://www.phpbb.com/phpBB/viewtopic.php?p=1019173
Well, here is the issue.
I was told that the important files were protected via session ID's But none of the admin files are. I think being able to place any admin command in an image tag that relies on its values from GET, and having it execute as soon as an admin views it is a fairly substantial risk. The having an admin execute SQL queries requires certain circumstances, but is also possible when placed in an img tag. Also, I could very well place an image tag in this post that would delete even the latest announcement released in the announcement forum. Obviously I am not gonna do that as it would be a very uncool thing to do, but I just say that to give an example, ya know?
Also, if security in the ACP is not an issue then why is ANY input validation done? It would have saved you guys a load of time to just make it work instead of making it somewhat secure if you really believe security in the ACP is moot.
I am not here to argue with anyone, and I am not here as a security researcher. I am here as a long time phpBB user who has genuine concerns regarding the security of my forum. That's all. I know that other users see the risk and feel the same way I do also. I do not want this to turn into a debate or a hostile conversation, that helps nothing. I just want to find a solution that makes users who realize the security risk such as myself happy, and feel secure.
Best Regards,
JeiAr
Argh if someone could delete the post previous
Posted by Lt Obscurity
On 2004-03-23 11:50:55
Accidentally hit the Enter key when reaching for Shift.
Anyway, yeah that's awesome Ikioi, I think it's funny at the least. Luck has it, it will probably be deleted... Method of Security by Obscurity :P
RE: Want Some Opinions
Posted by Ker JeiAr
On 2004-03-23 08:05:01
You are in my opinion absolutely right. but there is a bigger more serious issue.
1) There is a SQL Injection vuln in an admin module. Attacker #1 wants to take over the site but does not have admin access to exploit this vuln.
2) attacker #1 crafts a uri to exploit the issue and grant himself admin access.
3) since attacker #1 does not have admin access he relies on phpBB's lack of session ID's to make a post that looks something like this
-----------------------
-----------------------
4) Now the attacker has done two things. Successfully executed a command or query just like he was an admin, and had the admin/mod delete his initial post just by viewing it thus eliminating the evidence.
I think if you see how flawed phpBB's logic of this situation is then email them and/or post on their forum telling them you want a SECURE php installation :)
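The session-id check the thread keeps asking for, modelled as an added example in Python (not phpBB's code): an admin "delete post" handler that, like the modcp check quoted earlier and the attack steps above, only acts when the request carries the secret sid of the admin's own session, so a request triggered by a posted image tag (which sends the cookie but cannot know the sid) is refused and logged instead of deleting the post. All endpoint paths, parameter names, cookies and post ids are constructed for this example.

```python
"""Added example (not phpBB code): why cookie-only admin actions are forgeable
and how a per-session secret (the 'sid' the thread asks for) closes the hole.
All endpoint paths, parameter names and sample data are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    user_id: int
    is_admin: bool
    # secret per-session token; it appears only in links rendered for this
    # session, so a third party composing an [img] tag cannot know it
    sid: str = field(default_factory=lambda: secrets.token_hex(16))


class Board:
    """Minimal board state: sessions keyed by cookie, plus a set of post ids."""

    def __init__(self, require_sid: bool) -> None:
        self.require_sid = require_sid
        self.sessions: Dict[str, Session] = {}
        self.posts: Set[int] = {41, 42, 43}
        self.audit: List[dict] = []  # refused admin requests, for the owner to review

    def login(self, cookie: str, user_id: int, is_admin: bool) -> Session:
        sess = Session(user_id, is_admin)
        self.sessions[cookie] = sess
        return sess

    def admin_delete_post(self, method: str, url: str, cookie: Optional[str],
                          referer: Optional[str] = None) -> str:
        """Handler for a constructed '/admin/posts?mode=delete&p=<id>' link.

        With require_sid=False this mirrors the GET-driven admin scripts the
        thread describes: the browser-attached cookie alone authorises the
        action, so a page the admin merely views can trigger it.
        With require_sid=True the URL must also carry the session's secret sid.
        The HTTP method is deliberately not the deciding factor: as noted in
        the thread, a third-party page can also submit POST requests.
        """
        sess = self.sessions.get(cookie or "")
        if sess is None or not sess.is_admin:
            return "rejected: not an admin session"
        query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        supplied = query.get("sid", "").encode()
        if self.require_sid and not secrets.compare_digest(supplied, sess.sid.encode()):
            # cookie says admin, but the URL does not prove the admin's own
            # page produced it; record it so the owner can find the bad post
            self.audit.append({"user": sess.user_id, "method": method,
                               "url": url, "referer": referer})
            return "rejected: missing or wrong sid"
        if query.get("mode") != "delete" or not query.get("p", "").isdigit():
            return "rejected: bad parameters"
        post_id = int(query["p"])
        if post_id not in self.posts:
            return f"rejected: no post {post_id}"
        self.posts.discard(post_id)
        return f"deleted post {post_id}"


ADMIN_COOKIE = "cookie-of-admin"  # constructed value


def forged_request_outcome(require_sid: bool) -> str:
    """The scenario from the thread: a user posts an image whose src is an
    admin delete link; the admin's browser fetches it with the admin cookie
    attached but, lacking the sid, cannot prove the admin chose the action."""
    board = Board(require_sid)
    board.login(ADMIN_COOKIE, user_id=1, is_admin=True)
    img_src = "http://board.example/admin/posts?mode=delete&p=42"
    return board.admin_delete_post("GET", img_src, ADMIN_COOKIE,
                                   referer="http://board.example/viewtopic?t=7")


def legitimate_request_outcome() -> str:
    """The admin clicks a link that the board rendered for their own session,
    so it carries their sid and is honoured even with the check enabled."""
    board = Board(require_sid=True)
    admin = board.login(ADMIN_COOKIE, user_id=1, is_admin=True)
    link = f"http://board.example/admin/posts?mode=delete&p=42&sid={admin.sid}"
    return board.admin_delete_post("GET", link, ADMIN_COOKIE)


if __name__ == "__main__":
    print("no sid check, forged img request:", forged_request_outcome(False))
    print("sid check,    forged img request:", forged_request_outcome(True))
    print("sid check,    admin's own link:   ", legitimate_request_outcome())
```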
To be honest...
Posted by Lt Obscurity
On 2004-03-23 08:21:38
Your logic is FAR from flawed, and it's completely viable. I've seen Security Patches punched out for far less than that. And again, to be honest, I think of it as a rather 'script-kiddie' exploit (no offense, see my explanation after this).
I see it as this:
A script kiddie can go to Security Focus, read one of their SQL Injection articles on Blind-Side Injection, read Sam's SQL in 10 minutes guide, figure out what the table names are. Then bam, he posts his specially crafted query, and you have a huge mess of a compromise.
So essentially you have a rather heavy vulnerability, and possible compromise of the entire database.
Damn... You should E-Picket their PHPbb's E-Front Doors :)
But seriously, how hard is it going to be to convince them?
RE: To be honest...
Posted by Ker JeiAr
On 2004-03-23 08:32:53
I don't think they understand exactly what I mean. For example.
"The issues noted concerning the admin scripts are effectively of no concern. To be able to take advantage of said vulnerabilities you must be an admin. If you're an admin why would you want to bother jumping through hoops to discover another users password? You could simply go in, set it to whatever you like and tada, off you go"
See, why the hell would you as an admin change a users pass just to log in as said user? The reason you would want the hash is because people are notorious for using the same passwords in more than one place.
And you are right about my findings being very script kiddie in nature. I mean, all someone wanting to exploit the issue has to do is craft a url and stick it in an [ img ] tag.
I dunno what phpBB's deal with this issue is, but to be honest it is making me think twice about whether or not I will contact them again in the future regarding vulns. They always make it a point to say how much people need to contact them regarding vulns before going public, but when they act like you are just over reacting to what I know are very serious it makes you have doubts.
They say in regards to the session id/command exec vuln the following
"Since then we've had absolutely no reports of problems. We retained session checking in areas like modcp to prevent "spoofing" of moderator functions from 3rd party sites or local links."
Yet the only limits to get an admin (pfft @ a mod) to execute commands unknowingly is to pick a command which gets its values via the GET method.
I just don't know man, if ready response were still around I would propose a mission to make phpBB see the seriousness of these issues.
if you go to gulftech.org/forums you will see I pulled my phpBB forum offline after my findings. I would not have done this if I did not consider the issue serious. :-\
RE: To be honest...
Posted by Lt Obscurity
On 2004-03-23 08:40:09
Well, you can always ask CPC to help you out on it. They have their little Privacy Issues/Threats brigades that propose certain missions. Who knows maybe they'll take over what used to be the missions that RR did. But I shall check out GulfTech.org looks like an interesting place :)
But if you'd like to chat about it some more, I'm always open ears. I'm usually in one of the channels below, and #OSI.
Btw, I wasn't meaning you were being a script kiddie, I was just saying that the risk is rather serious due to the ability for a script kiddie to act upon it, sorry if there was a mix up :)
RE: To be honest...
Posted by Ker JeiAr
On 2004-03-23 08:54:05
On 2004-03-23 08:40:09, Obscurity wrote
>Well, you can always ask CPC to help you out on it. They have their little Privacy Issues/Threats brigades that propose certain missions. Who knows maybe they'll take over what used to be the missions that RR did. But I shall check out GulfTech.org looks like an interesting place :)
Cool, Gulftech.org is my own little place on the web for all my security research :) I refer to gulftech as "we" a lot of times in BugTraq postings etc, but it is just me. heheh My girlfriend helps with paperwork, but not tech stuff. And that would be awesome if CPC helped bring some sense to this issue as it is a serious issue that is being passed off as a non-issue :-\
>
>But if you'd like to chat about it some more, I'm always open ears. I'm usually in one of the channels below, and #OSI.
>
>Btw, I wasn't meaning you were being a script kiddie, I was just saying that the risk is rather serious due to the ability for a script kiddie to act upon it, sorry if there was a mix up :)
I know man, and that's what's so bad about it, not only is it serious, but VERY easy to execute :-\
RE: To be honest...
Posted by Lt Obscurity
On 2004-03-23 09:07:57
Just made it of notice towards CPC, I suppose we'll see if they respond. :)
Btw, if you need any help with Gulftech give me a ring, I'd be happy to help, if need be.
'respond' :D -nt-
Posted by LtKer Bastian
On 2004-03-23 11:16:40
RE: To be honest...
Posted by Maj zaydana
On 2004-03-23 09:25:26
Hey peeps.
Hmm, I am wondering if they accept patches from other peepz? Cos that could be an idea for the CPC coding division (SP) - we could possibly do a patch and send it in. That is at least fixing the problem... but do you know if they are likely to accept a third-party patch or not?
- zaydana
GPL... just fork it. ;) -nt-
Posted by Ret. Mar Ikioi
On 2004-03-23 11:39:41
Ikioi [more]
Posted by Lt Obscurity
On 2004-03-24 10:21:14
I was reading the never ending rebuttals of the PHPBB Team, that continues to require more users to 'do this, and that' rather than fix the certain problem. What kind of effect would this have on you, and your business? Would you be going to a different Bulletin Board System, if PHPBB continues to act this way towards security issues?
Btw, loved the Jello thing, I bet he feels ingenious ;)