Question about the PHPBB unserialize exploit/hack

Problems with forum installation, administration, moderation and other phpBB related support.

Moderator: Moderators

Question about the PHPBB unserialize exploit/hack

Postby venky7 on Wed Dec 27, 2006 9:49 am

Folks... please forgive me for asking what might be construed as a dumb question

I help to run a forum that runs on phpBB 2.0.4. But we have made many many changes to it over the years and are reluctant to migrate and reinvent the wheel as far as our changes are concerned. Yes, i know, we deserve to be shot.

Anyway, a question regarding the exploits mentioned at viewtopic.php?t=1904 and viewtopic.php?p=10173

A simple alternative would be to disable the set and get cookies in includes/sessions.php . Of course, this would also mean that the "automatic login" which depends on the cookies will not work, but otherwise this is pretty foolproof as far as the unserialize exploit is concerned, isn't it?

Please correct me if i am wrong.

Thanks and regards


Venky
venky7
Registered User
Registered User
 
Posts: 2
Joined: Wed Dec 27, 2006 9:35 am

Postby UseLess on Wed Dec 27, 2006 10:58 am

Greetings,

If your using version 2.0.4 of phpBB then you have more to worry about than the problem you mention. Someone could make themselves an admin and remove all other admins/mods, they could delete the database or parts of it etc etc etc

You should apply the code changes to the phpBB files, the code changes can be got here: http://www.phpbb.com/phpBB/catdb.php?cat=48 although I don't see the code changes for 2.0.4 to 2.0.5
Movie Quote:
It's not the years honey, it's the mileage...

I do not provide any install services for phpBB, Mods or Styles.
Please do not pm me for support/scripting help - you won't get any reply. If you have a question then make a post in the appropriate forum.
User avatar
UseLess
Registered User
Registered User
 
Posts: 6220
Joined: Mon Sep 27, 2004 2:14 am
Location: North East, UK

Postby venky7 on Wed Dec 27, 2006 11:21 am

[quote user="UseLess" post="85955"]Greetings,

If your using version 2.0.4 of phpBB then you have more to worry about than the problem you mention. Someone could make themselves an admin and remove all other admins/mods, they could delete the database or parts of it etc etc etc

You should apply the code changes to the phpBB files, the code changes can be got here: http://www.phpbb.com/phpBB/catdb.php?cat=48 although I don't see the code changes for 2.0.4 to 2.0.5[/quote]

Thank you Useless (nice username, although it is somewhat of an oxymoron, going by your past posts/replies :lol: )

Ideas on how someone could make themselves as admin could help so that i could try to fix the unserialize or other possible exploits.

Regards

Venky
venky7
Registered User
Registered User
 
Posts: 2
Joined: Wed Dec 27, 2006 9:35 am

Postby UseLess on Wed Dec 27, 2006 11:48 am

Greetings,

You'd need to look at the code changes as some of the exploits were not fixed until later versions of phpBB. But basically anything got from a form or to be placed in the db needs to be sanitised before it's placed or used where it's intended to be.

This should help... http://www.phpbb.com/phpBB/viewtopic.php?t=218443

And the code changes will allow you to update phpBB as the changes contain instructions for the updates for modified forums. The only downside is your going to have to go through;

- 2.0.4 to 2.0.5
- 2.0.5 to 2.0.6
- 2.0.6 to 2.0.7
- 2.0.7 to 2.0.8

etc until you get to;

- 2.0.21 to 2.0.22

If you do decide to go this route then don't forget to run, if applicable, the file 'install/update_to_latest.php' to update the db schema and the phpBB version number.

The other choice you have is to start with a fresh install of 2.0.22 and then install all the mods you have on your current forum, you could also take the oppourtunity to use later/updated versions of the mods.

But either way you need to be using phpBB 2.0.22 at least.
Movie Quote:
It's not the years honey, it's the mileage...

I do not provide any install services for phpBB, Mods or Styles.
Please do not pm me for support/scripting help - you won't get any reply. If you have a question then make a post in the appropriate forum.
User avatar
UseLess
Registered User
Registered User
 
Posts: 6220
Joined: Mon Sep 27, 2004 2:14 am
Location: North East, UK

Postby Synaptic Anarchy on Wed Dec 27, 2006 2:45 pm

[quote user="UseLess" post="85959"]
The other choice you have is to start with a fresh install of 2.0.22 and then install all the mods you have on your current forum, you could also take the oppourtunity to use later/updated versions of the mods.[/quote]

No matter how many MODs you have, it will be easier and safer to simply install a fresh phpBB 2.0.22 and re-installyour mods on it.

Being on 2.0.4 is inexcusable, not because "oh, look at the newbie, he's not up-to-date!" but because you've left yourself open to exploits that any newbie could figure out based on the update changes.

Remember, the updates are like clear signs to some people, for how to "hack" your site. Just get the new version up.
Die wunder dieser welt werden dir geschenkt.

Ò_ó [ b r e a k . s t u f f ] - Finally broken!
User avatar
Synaptic Anarchy
Registered User
Registered User
 
Posts: 294
Joined: Thu Feb 23, 2006 6:51 am
Location: Anarchy


Return to phpBB Support

Who is online

Users browsing this forum: No registered users and 5 guests

cron