PhpBB BBCode Processing Vulnerabilities

Source: Internet
Author: User
Tags: bbcode, functions, mysql, reference, resource
Bugtraq ID 4432, 4434

Affected versions:

phpBB 1.44; lower versions and phpBB 2.0 were not tested.


Description:

phpBB is a widely used PHP-based forum. Its BBCode handling of the "source code" ([code]) tag contains a vulnerability: a specially formatted string can corrupt the database and cause the server's CPU and memory resources to be consumed heavily.


Details:

phpBB does not handle the "source code" ([code]) tag properly; the problem is caused mainly by its support for nested tags. The problematic code is the bbencode_code function in functions.php.

When we submit a post like this:

(post body missing from this page)

The data actually stored in the database is this:

[1code]
\0\0\0\0\0\0\0
[/code1] [1code]
\0\0\0\0\0\0\0
[/code1] [1code]
\0\0\0\0\0\0\0
[/code1] [1code]
\0\0\0\0\0\0\0
[/code1] [1code]
\0\0\0\0\0\0\0
[/code1] [1code]
\0\0\0\0\0\0\0
[/code1] [1code]
\0\0\0\0\0\0\0
[/code1]

That is, the amount of data the system actually has to handle grows with the square of the number of "" in the input: if you send 1 MByte of data, the system will actually process close to 1 TByte.

This is the resource usage on the test machine when we send a "*800" post:

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
8643 nobody 0 212M 81M 13604 D 8.0 65.7 0:07 httpd

After the post is submitted, an error is shown:

Could not enter post text!

In fact, the post's title and submitter data have already been stored in the database, while the content and some other data have not. The error page appears whenever the post is opened. Such posts cannot be deleted in the normal way; they can only be removed by connecting directly to the database. The following are the results of submitting different data volumes:

* <= 583: normal post, can be deleted
* 584: normal post, can be edited but cannot be deleted
* 585: shows "Could not enter post text!", but no post is created
* 586: normal post, can be deleted
* 587: shows "Could not enter post text!", but no post is created
* 588: normal post, can be deleted
* 589: shows "Could not enter post text!", but no post is created
* >= 590: shows "Could not enter post text!", and leaves a post that cannot be deleted

Sending a nested set of tags consumes even more resources. We sent the following post on the test machine:

The following is the program code [Code]\0\0[/code]

Although the post is only 49 bytes of data, the resource footprint is considerable:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
25741 nobody 0 11828 9996 416 R 99.9 7.8 2:38 httpd

A few seconds later it had produced a large amount of data and memory consumption:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
3 root 0 0 0 0 SW 2.5 0.0 4:13 kswapd
25742 nobody 0 265M 90M 52104 R 25.1 73.0 1:45 httpd

Such posts are not stored in the database, but as the nesting depth increases, resource consumption grows geometrically. Sending more data at once, or sending it continuously, can consume a large amount of system resources and eventually cause a denial of service.

Test environment: Linux 2.4.10, Apache/1.3.23, PHP 4.12


Solution:

1. Temporarily disable BBCode.
2. ALERT7 gives the following modification to functions.php, which temporarily disables support for nested tags:

Change the bbencode_code function starting at line 773 to:

function bbencode_code($message, $is_html_disabled)
{
    // Replace only a single, non-nested [code]...[/code] pair; the nested
    // [1code]...[/code1] rewriting of the original function is dropped.
    // The end of the replacement string (from <hr> on) was truncated on this
    // page and is reconstructed here in phpBB 1.x style.
    $message = preg_replace("/\[code\](.*?)\[\/code\]/si",
        "<!-- BBCode Start --><table border=0 align=center width=85%><tr><td><font size=-1>Code:</font><hr>\\1<hr></td></tr></table><!-- BBCode End -->",
        $message);
    return $message;
} // bbencode_code()
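As an added example (not phpBB's code and not part of ALERT7's patch), the following replacement checks the [code] tag structure before rendering and rejects nested, unbalanced or excessive tags, so the geometric expansion described above is refused rather than processed; it also escapes the block body. The names code_tags_are_safe, render_code_block, bbencode_code_safe and MAX_CODE_BLOCKS are this example's own, and it assumes preg_replace_callback is available (PHP 4.0.5 or later).

```php
<?php
// Assumed limit on [code] blocks per post; tune it for your board.
define('MAX_CODE_BLOCKS', 20);

// Return true only when every [code] has a matching [/code], no block is
// nested inside another, and the number of blocks is within the limit.
function code_tags_are_safe($message)
{
    $depth = 0;
    $blocks = 0;
    preg_match_all('/\[(\/?)code\]/i', $message, $tags, PREG_SET_ORDER);
    foreach ($tags as $tag) {
        if ($tag[1] === '') {              // opening [code]
            $depth++;
            $blocks++;
            if ($depth > 1 || $blocks > MAX_CODE_BLOCKS) {
                return false;              // nesting or too many blocks
            }
        } else {                           // closing [/code]
            $depth--;
            if ($depth < 0) {
                return false;              // [/code] without an opener
            }
        }
    }
    return $depth === 0;                   // every block is closed
}

// Named callback (works on PHP 4 too): escape the body so a code block
// can never inject HTML into the page.
function render_code_block($match)
{
    return '<pre class="code">' . htmlspecialchars($match[1], ENT_QUOTES) . '</pre>';
}

// Render [code]...[/code] in one linear pass. Returns null for unsafe
// input so the caller can reject the post instead of storing it.
function bbencode_code_safe($message)
{
    if (!code_tags_are_safe($message)) {
        return null;
    }
    return preg_replace_callback('/\[code\](.*?)\[\/code\]/si',
                                 'render_code_block', $message);
}
```

A post such as "[code][code]x[/code][/code]" or one with 800 opening tags is returned as null and can be refused at submission time, before anything is written to the database.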

Posts that cannot be deleted normally must be deleted by connecting to the database manually. Suppose the post is:
http://host/forums/viewtopic.php?topic=1162&forum=1&0
You can do this:
$ mysql -uuser -ppasswd
mysql> use DatabaseName;
mysql> SELECT * FROM topics WHERE topic_id = 1162;   -- note the post_id
mysql> DELETE FROM posts WHERE post_id = 6280;
mysql> DELETE FROM posts_text WHERE post_id = 6280;
mysql> DELETE FROM topics WHERE topic_id = 1162;


About Us:

WSS (Whitecell Security Systems) is a non-profit, non-governmental technology organization dedicated to the study of security technology across a variety of systems. It adheres to the traditional hacker spirit and pursues pure technology.

WSS Home: http://www.whitecell.org/
WSS Forum: http://www.whitecell.org/forum/


Addendum: later testing found that quite a few BBS systems have similar problems, including ones based on PHP, CGI and ASP. We hope everyone will test their own forums and, if problems are found, refer to this article to resolve them as appropriate.
