php exploit - fix - MOD format


Postby Greg on Sat Dec 18, 2004 5:12 pm

I did not create the coding for this mod - do not congratulate me it was Cyberalien - I just put it into easymod format
Code:
##############################################################
## MOD Title: Php Exploit Fix
## MOD Author: Cyberalien
## MOD Description: A serious bug was discovered in php in function unserialize(). That bug can be used to cause serious damage to websites that use software that uses that function. Unfortunately phpBB uses that function to store data in cookies, so phpBB can be exploited (so is IPB, vBulletin and almost all other php forum systems).
## MOD Version: 1.0.0
##
## Installation Level: Easy
## Installation Time: 20 minutes
## Files To Edit:
## Included Files:
## Generator: MOD Studio 3.0 Alpha 1 [mod functions 0.2.1677.25348]
##############################################################
## For Security Purposes, Please Check: http://www.phpbb.com/mods/ for the
## latest version of this MOD. Downloading this MOD from other sites could cause malicious code
## to enter into your phpBB Forum. As such, phpBB will not offer support for MOD's not offered
## in our MOD-Database, located at: http://www.phpbb.com/mods/
##############################################################
## Author Notes:
##############################################################
## MOD History:
##
##   2004-05-07 - Version 1.0.0
##
##      - First Stable release. Version 1.0.0 of a MOD is always its first stable release.
##
##############################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
##############################################################

#
#-----[ OPEN ]------------------------------------------
#

includes/functions.php
#
#-----[ FIND ]------------------------------------------
#
?>
#
#-----[ BEFORE, ADD ]------------------------------------------
#
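// Flatten a one-level array into "key=value|key=value" text.
// Any '|' inside a value is dropped; non-array input returns ''.
function serialize_array($array)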
{
   if(!is_array($array))
   {
      return '';
   }
   $str = '';
   foreach($array as $var => $value)
   {
      if($str)
      {
         $str .= '|';
      }
      $str .= $var . '=' . str_replace('|', '', $value);
   }
   return $str;
}

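// Parse "key=value|key=value" text by plain string splitting.
// Segments without '=' are skipped; every value comes back as a string.
function unserialize_array($str)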
{
   $array = array();
   $list = explode('|', $str);
   for($i=0; $i<count($list); $i++)
   {
      $row = explode('=', $list[$i], 2);
      if(count($row) == 2)
      {
         $array[$row[0]] = $row[1];
      }
   }
   return $array;
}

#
#-----[ OPEN ]------------------------------------------
#

index.php
#
#-----[ FIND ]------------------------------------------
#
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array(); 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array(); 
#
#-----[ REPLACE ]------------------------------------------
#
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array(); 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array(); 
#
#-----[ OPEN ]------------------------------------------
#

posting.php
#
#-----[ FIND ]------------------------------------------
#
         $tracking_topics = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
         $tracking_forums = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
#
#-----[ REPLACE ]------------------------------------------
#
         $tracking_topics = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
         $tracking_forums = ( !empty($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
#
#-----[ FIND ]------------------------------------------
#
         setcookie($board_config['cookie_name'] . '_t', serialize($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
#
#-----[ REPLACE ]------------------------------------------
#
         setcookie($board_config['cookie_name'] . '_t', serialize_array($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
#
#-----[ OPEN ]------------------------------------------
#

search.php
#
#-----[ FIND ]------------------------------------------
#
      $result_array = serialize($store_search_data);
#
#-----[ REPLACE ]------------------------------------------
#
      $result_array = serialize_array($store_search_data);
#
#-----[ FIND ]------------------------------------------
#
            $search_data = unserialize($row['search_array']);
#
#-----[ REPLACE ]------------------------------------------
#
            $search_data = unserialize_array($row['search_array']);
#
#-----[ FIND ]------------------------------------------
#
      $tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
      $tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
#
#-----[ REPLACE ]------------------------------------------
#
      $tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
      $tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
#
#-----[ OPEN ]------------------------------------------
#

viewforum.php
#
#-----[ FIND ]------------------------------------------
#
         $tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
         $tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
#
#-----[ REPLACE ]------------------------------------------
#
         $tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
         $tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
#
#-----[ FIND ]------------------------------------------
#
            setcookie($board_config['cookie_name'] . '_f', serialize($tracking_forums), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
#
#-----[ REPLACE ]------------------------------------------
#
            setcookie($board_config['cookie_name'] . '_f', serialize_array($tracking_forums), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
#
#-----[ FIND ]------------------------------------------
#
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : ''; 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : '';
#
#-----[ REPLACE ]------------------------------------------
#
$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : ''; 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : ''; 
#
#-----[ OPEN ]------------------------------------------
#

viewtopic.php
#
#-----[ FIND ]------------------------------------------
#
   $tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
   $tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
#
#-----[ REPLACE ]------------------------------------------
#
   $tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) : array();
   $tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) : array();
#
#-----[ FIND ]------------------------------------------
#
   setcookie($board_config['cookie_name'] . '_t', serialize($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
#
#-----[ REPLACE ]------------------------------------------
#
   setcookie($board_config['cookie_name'] . '_t', serialize_array($tracking_topics), 0, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
#
#-----[ OPEN ]------------------------------------------
#

includes/sessions.php
#
#-----[ FIND ]------------------------------------------
#
      $sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
#
#-----[ REPLACE ]------------------------------------------
#
      $sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize_array(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
#
#-----[ FIND ]------------------------------------------
#
   setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
#
#-----[ REPLACE ]------------------------------------------
#
   setcookie($cookiename . '_data', serialize_array($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
#
#-----[ FIND ]------------------------------------------
#
      $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
#
#-----[ REPLACE ]------------------------------------------
#
      $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ? unserialize_array(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
#
#-----[ FIND ]------------------------------------------
#
               setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
#
#-----[ REPLACE ]------------------------------------------
#
               setcookie($cookiename . '_data', serialize_array($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM
Last edited by Greg on Tue Jan 25, 2005 9:34 pm, edited 2 times in total.

Postby PostBot on Sat Dec 18, 2004 5:21 pm

Stickied and fixed code layout. :wink:
Do NOT pm me, I don't visit this forum anymore, don't own it, don't provide any support and don't moderate.

Postby Subz on Sat Dec 18, 2004 9:26 pm

Code:

#
#-----[ OPEN ]------------------------------------------
#

index.php
#
#-----[ FIND ]------------------------------------------
#

$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array(); 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array(); 

#
#-----[ AFTER, ADD ]------------------------------------------
#

$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array(); 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array(); 

#



but should be

Code:
#
#-----[ OPEN ]------------------------------------------
#

index.php

#
#-----[ FIND ]------------------------------------------
#

$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array(); 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array(); 

#
#-----[ REPLACE WITH]------------------------------------------
#

$tracking_topics = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_t']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_t"]) : array(); 
$tracking_forums = ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_f']) ) ? unserialize_array($HTTP_COOKIE_VARS[$board_config['cookie_name'] . "_f"]) : array(); 

#

Postby PostBot on Sat Dec 18, 2004 9:35 pm

Thanks for noticing. There was such an error in 2 places. :)
I've updated the .mod in Greg's post, but he will have to update the file on his server himself.

Postby Greg on Sat Dec 18, 2004 9:38 pm

Ok,

Sorry about that

Ctrl + C must have failed - I hate it when it does that

Greg

Question

Postby PaRRoT on Sun Dec 19, 2004 11:39 am

Only PHP versions prior to 4.3.10 have this exploit?

Postby PostBot on Sun Dec 19, 2004 11:41 am

PHP 4 prior to 4.3.10 and PHP 5 prior to 5.0.3

Postby PaRRoT on Sun Dec 19, 2004 11:42 am

Ok, tnx :)

My server has PHP 4.3.10 :)

Postby pentapenguin on Sun Dec 19, 2004 6:46 pm

A BIG thanks guys for fixing this!
Thanks!!!! :mrgreen: :mrgreen: :mrgreen:

Postby kurisu on Tue Dec 21, 2004 8:53 pm

I cannot express how much I appreciate this, you have possibly saved me from a myriad of woes until my host can upgrade PHP. Thank you, thank you, THANK YOU!

Postby PostBot on Thu Dec 23, 2004 12:38 am

You forgot to add code to functions.php

Quick question

Postby Ross on Thu Dec 23, 2004 4:21 pm

My hosting company was running php ver 4.3.9. So I installed the above fixes (see first post in this thread). I am also running Plus 1.52 phpBB 2.0.11.
Now my hosting company just upgraded to php 4.3.10 for me.

My question is: Should I now remove the above fix or leave it installed?

Postby PostBot on Thu Dec 23, 2004 5:16 pm

It doesn't make any difference. So far I haven't seen any mod that this code might conflict with.

Postby Ross on Thu Dec 23, 2004 6:39 pm

Thanks for the quick reply CyberAlien.

Postby Joe Belmaati on Sat Dec 25, 2004 12:59 pm

For those interested, this cool mod breaks the cookie bridge for those people using the Coppermine Photo Gallery in conjunction with phpbb. There's a neat workaround for this. In the bridge file, add CyberAlien's serialize/unserialize function in the Coppermine phpbb bridge file.

Before:
Code:
function udb_authenticate()


Add:

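Code:
// Flatten a one-level array into "key=value|key=value" text.
// Any '|' inside a value is dropped; non-array input returns ''.
function serialize_array($array)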
{
   if(!is_array($array))
   {
       return '';
   }
   $str = '';
   foreach($array as $var => $value)
   {
       if($str)
       {
           $str .= '|';
       }
       $str .= $var . '=' . str_replace('|', '', $value);
   }
   return $str;
}

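// Parse "key=value|key=value" text by plain string splitting.
// Segments without '=' are skipped; every value comes back as a string.
function unserialize_array($str)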
{
   $array = array();
   $list = explode('|', $str);
   for($i=0; $i<count($list); $i++)
   {
       $row = explode('=', $list[$i], 2);
       if(count($row) == 2)
       {
           $array[$row[0]] = $row[1];
       }
   }
   return $array;
}


Then further down in that file, change

Code:
unserialize(


to:
Code:
unserialize_array(
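
The cookie format written by the MOD's two helpers and the format mismatch behind the Coppermine bridge workaround, as an added example that is not part of the MOD or of any post in this thread. The helper bodies are copied from the first post; `check()` and all sample values are constructed for illustration.

```php
<?php
// Added example. The two helpers are the MOD's, copied from the first post;
// check() and the sample data are constructed for illustration.
function serialize_array($array)
{
   if (!is_array($array)) { return ''; }
   $str = '';
   foreach ($array as $var => $value)
   {
      if ($str) { $str .= '|'; }
      $str .= $var . '=' . str_replace('|', '', $value);
   }
   return $str;
}

function unserialize_array($str)
{
   $array = array();
   $list = explode('|', $str);
   for ($i = 0; $i < count($list); $i++)
   {
      $row = explode('=', $list[$i], 2);
      if (count($row) == 2) { $array[$row[0]] = $row[1]; }
   }
   return $array;
}

// Hypothetical helper: stop at the first expectation that does not hold.
function check($ok, $what)
{
   if (!$ok) { throw new Exception("FAILED: $what"); }
   echo "ok: $what\n";
}

// Constructed tracking data: topic id => time of last visit.
$cookie = serialize_array(array(42 => 1103390000, 57 => 1103391234));
check($cookie === '42=1103390000|57=1103391234', 'flat key=value|key=value text');
// Round trip: keys survive, values come back as strings, never as objects.
check(unserialize_array($cookie) === array(42 => '1103390000', 57 => '1103391234'),
      'values are returned as plain strings');

// A cookie in PHP's native serialize() syntax (constructed) contains no '=',
// so the parser finds no pairs and builds nothing from it.
$native = 'a:1:{s:6:"userid";O:8:"stdClass":0:{}}';
check(unserialize_array($native) === array(), 'native-format input yields an empty array');

// The reverse mismatch: code still calling unserialize() cannot read a cookie
// written by the MOD, so a bridge sharing the cookie needs the same helper.
check(@unserialize($cookie) === false, 'unserialize() rejects the MOD format');

// Limits: '|' is stripped from values, and a nested array collapses to "Array".
check(unserialize_array(serialize_array(array('k' => 'a|b'))) === array('k' => 'ab'),
      "'|' inside a value is dropped");
check(@serialize_array(array('k' => array('a', 'b'))) === 'k=Array',
      'nested arrays are not preserved');
```

Run it with the PHP command-line interpreter; each `ok:` line is one property of the format that held.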
