phpBB BBcode vulnerability

Release date: 2002-04-03
Vulnerability category: PHP, remote web interface, DoS

Bugtraq IDs: 4432, 4434

Affected versions:

phpBB 1.44; earlier versions and phpBB 2.0 have not been tested.


Description:

phpBB is a widely used PHP-based forum. A vulnerability has been found in the way its BBcode handles the "source code" ([code]) tag: by sending escape strings in a specially formatted post, an attacker can leave corrupt entries in the database and cause excessive CPU and memory consumption on the server.


Details:

phpBB does not handle the [code] tag properly, mainly because of its support for nested tags. The problematic code is the bbencode_code() function in functions.php.

When we submit a post like this:





The data actually stored in the database looks like this:

[code:1]
\0\0\0\0\0\0\0\0
[/code:1][code:1]
\0\0\0\0\0\0\0\0
[/code:1][code:1]
\0\0\0\0\0\0\0\0
[/code:1][code:1]
\0\0\0\0\0\0\0\0
[/code:1][code:1]
\0\0\0\0\0\0\0\0
[/code:1][code:1]
\0\0\0\0\0\0\0\0
[/code:1][code:1]
\0\0\0\0\0\0\0\0
[/code:1]

That is, the amount of data the system actually has to handle is the square of the number of "\0" sequences in the input: if 1 MByte of data is sent, the system processes close to 1 TByte.

This is the resource usage on the lab machine when we sent a post containing '' repeated 800 times:

PID   USER   PRI NI SIZE RSS  SHARE STAT %CPU %MEM TIME COMMAND
8643  nobody 13  0  212M 81M  13604 D    8.0       0:07 httpd

After the post is submitted, an error is displayed:

Could not enter post text!

However, the title and poster of the post have in fact been stored in the database, while the content and the remaining data have not, so an error page appears when the post is opened. In addition, such a post cannot be deleted through the normal interface; it can only be removed by connecting to the database directly. The following are the results of submitting different amounts of data:

''' x <=583   posted normally; can be deleted
''' x 584     posted normally; can be edited but cannot be deleted
''' x 585     "Could not enter post text!", but no post
''' x 586     posted normally; can be deleted
''' x 587     "Could not enter post text!", but no post
''' x 588     posted normally; can be deleted
''' x 589     "Could not enter post text!", but no post
''' x >=590   "Could not enter post text!"; the post cannot be deleted

If the tags are nested, even more resources are consumed. We sent this post on the lab machine:

[code]\0

\0[/code]

Although the post is only 49 bytes, the resource usage is considerable:
PID   USER   PRI NI SIZE  RSS  SHARE STAT %CPU %MEM TIME COMMAND
25741 nobody 14  0  11828 9996       R    416  99.9      httpd

A few seconds later a large amount of data has been generated and memory consumption is heavy:
PID   USER   PRI NI SIZE  RSS  SHARE STAT %CPU %MEM TIME COMMAND
3     root   10  0  0     0    0     SW   2.5  0.0       kswapd
25742 nobody 17  0  265M  90M  52104 R    25.1 73.0      httpd

This post is not stored in the database, but the amount of data phpBB generates grows geometrically as the nesting depth increases. If more data is sent at once, or posts are sent continuously, system resources are exhausted and service is denied.

Test environment: Linux 2.4.10, Apache/1.3.23, PHP 4.12


Solution:

1. Temporarily disable BBcode.
2. alert7 provides the following modification to functions.php, which temporarily disables support for nested tags:

Change the bbencode_code() function, which starts at line 773, to:

function bbencode_code($message, $is_html_disabled)
{
    // Rewrite only flat [code]...[/code] pairs with a single non-greedy match;
    // nested [code] tags are no longer recognised, so the output stays linear
    // in the size of the input.
    $message = preg_replace("/\[code\](.*?)\[\/code\]/si", "
Code:
\\1
", $message);
    return $message;
} // bbencode_code()

Posts that cannot be deleted normally have to be removed by connecting to the database manually. Suppose the post is:
http://host/forums/viewtopic.php?topic=1162&forum=1&0
You can do the following:
$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162;   -- obtain the post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;
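The following Python sketch is an added example written for this page; it is not part of the advisory and not phpBB's code. It shows the defensive shape of the fix described in the Details and Solution sections: measure [code] nesting depth in a single linear pass before any rewriting, refuse posts that exceed an assumed size or depth limit, and then rewrite only flat pairs with a non-greedy match of the same shape as alert7's patched regex. The limits, the <pre class="code"> replacement markup and the sample posts are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed policy limits (not from phpBB or the advisory).
MAX_CODE_DEPTH = 1          # the patched bbencode_code() only honours a flat pair
MAX_POST_BYTES = 64 * 1024  # refuse oversized posts before any rewriting
MAX_EXPANSION = 4           # encoded output may not exceed 4x the input (plus slack)

# Opening and closing [code] tags, matched case-insensitively in one pass.
TAG_RE = re.compile(r"\[(/?)code\]", re.IGNORECASE)
# Flat, non-greedy pair: the same shape as the patched PHP regex.
FLAT_CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.IGNORECASE | re.DOTALL)


@dataclass
class EncodeResult:
    ok: bool
    text: str
    max_depth: int
    reason: str = ""


def scan_code_depth(message: str) -> int:
    """Single left-to-right pass over the tags.

    Returns the maximum [code] nesting depth, or -1 when the tags are
    unbalanced (a stray [/code] or a missing close). Cost is linear in the
    message length, whatever the nesting depth.
    """
    depth = 0
    max_depth = 0
    for tag in TAG_RE.finditer(message):
        if tag.group(1) == "":
            depth += 1
            max_depth = max(max_depth, depth)
        else:
            depth -= 1
            if depth < 0:
                return -1
    return max_depth if depth == 0 else -1


def bbencode_code_flat(message: str) -> str:
    """Rewrite each flat [code]...[/code] pair once; inner tags stay literal.

    No recursion and no re-scanning of already rewritten text, so the output
    grows linearly with the input. The <pre> markup is an assumed placeholder.
    """
    return FLAT_CODE_RE.sub(r'<pre class="code">\1</pre>', message)


def encode_post(message: str) -> EncodeResult:
    """Validate a post, then encode it; rejections carry a reason for logging."""
    if len(message.encode("utf-8")) > MAX_POST_BYTES:
        return EncodeResult(False, "", 0, "post exceeds size limit")
    depth = scan_code_depth(message)
    if depth < 0:
        return EncodeResult(False, "", depth, "unbalanced [code] tags")
    if depth > MAX_CODE_DEPTH:
        return EncodeResult(False, "", depth,
                            f"nesting depth {depth} exceeds {MAX_CODE_DEPTH}")
    encoded = bbencode_code_flat(message)
    # Defence in depth: whatever the encoder does, bound its output size.
    if len(encoded) > MAX_EXPANSION * len(message) + 1024:
        return EncodeResult(False, "", depth, "encoded output grew beyond the expansion limit")
    return EncodeResult(True, encoded, depth)


if __name__ == "__main__":
    # Constructed sample posts (not taken from the advisory).
    normal = "hello [code]int x;[/code]"
    nested = "[code]\\0[code]\\0[/code][/code]"
    for post in (normal, nested):
        print(repr(post), "->", encode_post(post))
```

The depth scan runs before the regex so that a deeply nested post is rejected, and logged with its depth, without ever reaching the rewriting step; the expansion check is a second guard that holds even if the encoder is later changed.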


About us:

WSS (Whitecell Security Systems) is a non-profit civil technology organization dedicated to comprehensive research on all aspects of system security. It holds to the traditional hacker spirit and pursues pure technology.

WSS home: http://www.whitecell.org/
WSS Forum: http://www.whitecell.org/forum/


Supplement: later tests showed that many BBS systems, including PHP, CGI and ASP ones, have similar problems. I hope you will test your own forum following the method in this article.

