Vulnerabilities handled by phpBB BBcode_PHP Tutorial

Release date: 2002-04-3
Vulnerability category: PHP, remote WEB interface, denial of service

bugtraq ID 4432, 4434

Problematic version:

phpBB 1.44, lower versions and phpBB 2.0 have not been tested.


Description:

phpBB is a widely used forum based on PHP. It was found that there is a vulnerability in the reference processing
of the "source code" class in its BBcode. By sending an escape string in a special format, it can cause damage to the database and a large consumption of the server's CPU and memory
resources.


Details:

phpBB improperly handles references to the "source code" class, mainly to support nested tags
. The code in question is the bbencode_code function in functions.php.

When we submit a post like this:





The actual data stored in the database is like this:

[ 1code]
[/code]

Although there is only 49Byte of data, the resource usage is very considerable:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
25741 nobody 14 0 11828 9996 416 R 99.9 7.8 2:38 httpd

A large amount of data is generated after a few seconds, and a large amount of memory is consumed:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
3 root 10 0 0 0 0 SW 2.5 0.0 4:13 kswapd
25742 nobody 17 0 265M 90M 52104 R 25.1 73.0 1:45 httpd

Such nested posts will not be stored in the database Yes, but with As the nesting increases, the resource usage will increase according to a geometric progression. If you send more data at once, or send it continuously, it can cause a large amount of system resources to be occupied, and ultimately deny service.

Experimental environment: linux 2.4.10 Apache/1.3.23 PHP 4.12


Solution:

1. Temporarily disable BBcode.
2. alert7 gave the following modification method to functions.php to temporarily disable support for nested tags:

Change the bbencode_code function starting at line 773 to:

function bbencode_code($message, $is_html_disabled)
{
$message = preg_replace("/[code](.*?)[/code]/si", "

TR>

Code:

---

\1

", $message);
return $message;

} // bbencode_code()

For posts that cannot be deleted normally, you need to manually connect to the database to delete them. Suppose there is such a post:
http://host/forums/viewtopic.php?topic=1162&forum=1&0
It can be like this:
$ mysql -user -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162; //get post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;


About us:

WSS (Whitecell Security Systems), a non-profit private technology organization dedicated to various system security
technologies research. Adhere to the traditional hacker spirit and pursue the purity of technology.

WSS home page: http://www.whitecell.org/
WSS forum: http://www.whitecell.org/forum/


Additional: Later The test found that quite a few BBSs have similar problems, including those based on PHP, CGI, and ASP. I hope everyone can test their own forums. If there are any problems, refer to this article to solve them as appropriate.

http://www.bkjia.com/PHPjc/314380.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/314380.htmlTechArticleRelease date: 2002-04-3 Vulnerability category: PHP, remote WEB interface, denial of service bugtraq ID 4432, 4434 Problematic versions: phpBB 1.44, lower versions and phpBB 2.0 not tested. Draw...