02 February 2007, 18:36

PHP forum systems inherit phpBB vulnerability

Various phpBB based forum systems have inherited the phpbb_root_path vulnerability. In statements like -

include_once ($phpbb_root_path . 'common.php');

- they assume that the variable points to the root path of the installation, but if register_globals is on, the variable could be changed to point to another server. The statement above would then lead to the inclusion of code from that server.

A hacker using the pseudonym Xoron (real name Mehmet Ince) has disclosed on mailing lists that there are such vulnerabilities in Omegaboard, Cerulean Portal System, phpBB Tweaked, Hailboards, EclipseBB and Xero Portal. Exploits are available for some forum systems that could permit an attacker to remotely upload and execute arbitrary malicious code on affected systems.

Some of the original postings by Xoron are not easy to find, however security services providers such as FrSIRT or SecurityFocus refer to vulnerabilities apparently discovered by him. The bugs are all in the latest versions of the relevant forum systems. Whether or not patches are available is not known.

Entering "hacked by xoron" into a search engine quickly reveals that the man is no slouch in utilising his exploit. Sites defaced include a TU Dresden genetics forum. Some of the web pages of the projects behind the affected forums, for example Cerulean, are also currently offline. Whether this is related to the exploits is not clear.

Exploiting the phpbb_root_path vulnerability is trivial. Even where no exploit is available, old exploits for other systems are easily adapted or may even be able to be used unchanged. Operators of phpBB based forum systems should definitely protect their systems. The most important precaution against exploits using the phpbb_root_path vulnerability is to set the register_globals = off option in the PHP configuration file php.ini.