NYCPHP Meetup

[nycphp-talk] php bulletin boards

Jason N.Perkins jperkins at sneer.org
Mon Jan 3 21:04:49 EST 2005


On Jan 3, 2005, at 4:58 PM, Steve Manes wrote:

> Yury Rush wrote:
>> Hi -- there was an exploit a few weeks ago that affected phpBB  
>> boards..
>> thousands were hacked via a worm that found phpBB sites using google's
>> search..
>
> That exploit is actually a bug in PHP's unserialize(), not PHPBB.
>
> There are several exploits in 4.3.9 and 5.0.2:
>
> http://national.auscert.org.au/render.html?it=4636

The Sanity phpBB worm used the phpBB Highlight Vulnerability which has  
nothing to do with the unserialize vulnerability. As (only) Derick  
Rethans could put it:

"Everybody who thinks that the Santy.A worm uses one of the security  
problems addressed in PHP's latest bugfix releases is wrong. It was NOT  
due to any bug in PHP, but merely a badly checked input variable which  
was passed to preg with the /e modifier. Besides this, phpBB is also  
vulnarable for some of the things  address by PHP's new releases. But  
they are wrong saying that it is not their fault. Not-checked usage of   
serialized data is still their problem. Short version: use FUDforum."

Original link:  
<http://www.derickrethans.nl/month-2004-12.php? 
item=200412241207#200412241207>

More info at:

<http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513>
<http://www.hardened-php.net/news.php>
<http://www.powertrip.co.za/blog/archives/000305.html>

This isn't to chastise Steve - phpBB rushed with the story that it  
wasn't there fault.




--
Jason N Perkins
<http://sneer.org/>




More information about the talk mailing list