PhpBB bbcode Vulnerability



Released on: 2002-04-03
Vulnerability category: PHP, remote web interface, DoS

BugTraq ID 4432, 4434

Affected versions:

phpBB 1.4.4. Earlier versions and phpBB 2.0 were not tested.

Description:

phpBB is a widely used PHP-based forum. Its bbcode handling of the [code] tag is vulnerable: by submitting escape strings in a special format, an attacker can corrupt the database and exhaust the server's CPU and memory.

Details:

phpBB handles [code] tags improperly, mainly in its support for nested tags. The problematic code is the bbencode_code function in functions.php.

When we submit a post like this:

The actual data stored in the database is as follows:

[code1]
\0\0\0\0\0\0\0\0
[/code1][code1]
\0\0\0\0\0\0\0\0
[/code1][code1]
\0\0\0\0\0\0\0\0
[/code1][code1]
\0\0\0\0\0\0\0\0
[/code1][code1]
\0\0\0\0\0\0\0\0
[/code1][code1]
\0\0\0\0\0\0\0\0
[/code1][code1]
\0\0\0\0\0\0\0\0
[/code1]

That is, the amount of data the system actually has to handle grows with the square of the number of "\0" characters submitted. If 1 Mbyte of data is sent, the system ends up processing close to 1 Tbyte.

This is the resource usage on the lab machine when we send a post containing "\0" * 800:

  PID USER   PRI NI  SIZE  RSS SHARE STAT %CPU %MEM  TIME COMMAND
 8643 nobody  13  0  212M  81M 13604 D     8.0       0:07 httpd

After the post is submitted, an error is displayed:

Could not enter post text!

In fact, however, the title and author of the post have already been stored in the database while the content and other data have not, so opening the post gives an error page. In addition, such a post cannot be deleted through the normal interface; it can only be removed by connecting to the database directly. The following are the results of submitting different amounts of data:

"\0" * <=583: posted normally, can be deleted
"\0" * 584: posted normally, can be edited but cannot be deleted
"\0" * 585: "Could not enter post text!", but no post is created
"\0" * 586: posted normally, can be deleted
"\0" * 587: "Could not enter post text!", but no post is created
"\0" * 588: posted normally, can be deleted
"\0" * 589: "Could not enter post text!", but no post is created
"\0" * >=590: "Could not enter post text!", and the post cannot be deleted

With nested tags, even more resources are consumed. We send this post on the lab machine:

[code]\0

\0[/code]

Although the post is only 49 bytes, the resource usage is considerable:
  PID USER   PRI NI  SIZE  RSS SHARE STAT %CPU %MEM  TIME COMMAND
25741 nobody  14  0 11828 9996       R     416  99.9       httpd

A few seconds later, a large amount of data has been generated and memory consumption is severe:
  PID USER   PRI NI  SIZE  RSS SHARE STAT %CPU %MEM  TIME COMMAND
    3 root    10  0     0    0     0 SW    2.5   0.0       kswapd
25742 nobody  17  0  265M  90M 52104 R    25.1  73.0       httpd

This post is not stored in the database, but the data it generates grows geometrically with the nesting depth. If more data is sent at once, or posts are sent continuously, system resources are exhausted and service is denied.

Test environment: Linux 2.4.10, Apache/1.3.23, PHP 4.1.2

Solution:

1. Temporarily disable bbcode.
2. alert7 provides the following modification to functions.php, which temporarily disables support for nested tags:

Replace the bbencode_code function, which starts at line 773, with:

function bbencode_code($message, $is_html_disabled)
{
    // Single non-greedy pass over [code]...[/code]; nested tags are no longer expanded.
    $message = preg_replace("/\[code\](.*?)\[\/code\]/si", "<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><FONT SIZE=-1>Code:</FONT><HR></TD></TR><TR><TD><FONT SIZE=-1><PRE>\\1</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->", $message);
    return $message;
} // bbencode_code()
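The property the fix above relies on is that a single pass over the [code] tags never feeds its own output back into the matcher, so rendered size stays linear in post size instead of growing with the square of the input as described in the Details section. The following Python example is added here to illustrate that property; it is not phpBB's code and not part of the original advisory. It pairs a single-pass renderer with a pre-storage check that bounds post size and tag count. The limits MAX_POST_BYTES and MAX_CODE_BLOCKS, the function names and the sample posts are constructed for this example.

```python
import html
import re
from typing import Tuple

# Constructed limits for this example (not phpBB configuration values).
MAX_POST_BYTES = 64 * 1024
MAX_CODE_BLOCKS = 50

# Non-greedy, case-insensitive, dot matches newlines: one [code]...[/code] pair per match.
CODE_BLOCK_RE = re.compile(r"\[code\](.*?)\[/code\]", re.IGNORECASE | re.DOTALL)
OPEN_TAG_RE = re.compile(r"\[code\]", re.IGNORECASE)
CLOSE_TAG_RE = re.compile(r"\[/code\]", re.IGNORECASE)


def render_code_blocks(message: str) -> str:
    """Render [code] blocks to HTML in one left-to-right pass.

    The substituted output is never re-scanned, so a post with N blocks
    produces exactly N renderings; an inner [code] left inside a block is
    emitted as literal text rather than expanded again.
    """
    def render(match: "re.Match") -> str:
        body = html.escape(match.group(1), quote=True)
        return '<pre class="bbcode-code">' + body + "</pre>"
    return CODE_BLOCK_RE.sub(render, message)


def validate_post(message: str) -> Tuple[bool, str]:
    """Reject a post before it is stored or rendered if it could be expensive."""
    size = len(message.encode("utf-8"))
    if size > MAX_POST_BYTES:
        return False, f"post is {size} bytes, limit is {MAX_POST_BYTES}"
    opens = len(OPEN_TAG_RE.findall(message))
    closes = len(CLOSE_TAG_RE.findall(message))
    if opens != closes:
        return False, f"unbalanced [code] tags ({opens} open, {closes} close)"
    if opens > MAX_CODE_BLOCKS:
        return False, f"{opens} [code] blocks, limit is {MAX_CODE_BLOCKS}"
    return True, "ok"


def expansion_ratio(message: str) -> float:
    """Rendered size divided by input size; a safe renderer keeps this constant."""
    return len(render_code_blocks(message)) / max(1, len(message))


def build_repeated_blocks(n: int, body: str = "\\0\\0\\0\\0") -> str:
    """Constructed input: n adjacent [code] blocks, mirroring the advisory's stored data."""
    return "".join(f"[code]{body}[/code]" for _ in range(n))


if __name__ == "__main__":
    for n in (8, 800):
        post = build_repeated_blocks(n)
        accepted, reason = validate_post(post)
        print(f"{n:4d} blocks: {len(post)} bytes in, "
              f"{len(render_code_blocks(post))} bytes out, "
              f"ratio {expansion_ratio(post):.2f}, accepted={accepted} ({reason})")
```

Running the block shows the same ratio for 8 and 800 blocks, while the 800-block post is refused by validate_post before anything is rendered or written to the database; the tag-count check also catches the unbalanced posts that the advisory reports as undeletable.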

For posts that cannot be deleted normally, connect to the database manually and delete them. Suppose the post is:
http://host/forums/viewtopic.php?topic=1162&forum=1&0
You can do this:
$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162;   -- get the post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;

About us:

WSS (Whitecell Security Systems) is a non-profit civil technology organization dedicated to comprehensive research on all kinds of system security technology. We hold to the traditional hacker spirit and pursue pure technology.

WSS home: http://www.whitecell.org/
WSS Forum: http://www.whitecell.org/forum/

Supplement: later tests showed that many other forum systems have similar problems, including PHP, CGI and ASP ones. We hope you will test your own forum following the method described in this article.
