While phpBB are currently finding a patch for phpBB 2.0.11 visit here,
http://lists.netsys.com/pipermail/full- ... 30279.html" target="_blank
new phpBB worm affects 2.0.11
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
-
NeoThermic
- Registered User
- Posts: 198
- Joined: Fri Jan 02, 2004 3:44 pm
- Location: United Kingdom
- Contact:
Re: new phpBB worm affects 2.0.11
Thats the highlight attack (based on the urldecode issue). Since urldecode was removed from highlight string processing in 2.0.11, this does NOT affect 2.0.11. Either the poster hadn't upgraded properly, or had upgraded late and then found the scripts on his server.
NeoThermic
NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
Re: new phpBB worm affects 2.0.11
/me starts to become increasingly annoyed at the FUD being thrown around here today.
That looks just like the highlighting exploit. It was fixed in 2.0.11 last year. Heck the date of that post was last December. We are unaware, let me repeat that unaware of any exploit in 2.0.11 that still involves highlighting source in viewtopic. AFAIK, unless I've been told nonsense by the rest of my and our other teams this issue is fixed.
Now, let's look at what that script appears to do shall we?
First it creates a URL containing viewtopic.php with a random topic_id. It then performs a search (still using Google by the looks) for any link containing said url. It pulls all links on the returned results page. It eliminates certain url's which are not likely real boards. Not entirely sure what the Yahoo search is about, perhaps a workaround given Google are blocking such requets now. It goes on to craft the relevant url making use of the highlighting exploit. It proceeds to go after each discovered site ... end. The other scripts are those which this exploit installs.
Now as I said, unless all that I've been told by my teams is utter rubbish this exploit was successfully addressed in 2.0.11. Indeed we're not aware of any confirmed attack on 2.0.11. People saying they have been attacked are more than likely; confusing the appearance of the exploit in their logs with an actual successful attack; have failed to properly update their install, are running on a shared host which has failed to take appropriate security measures and/or informed/forced all their users to upgrade, are running other applications which are vulnerable including other board software, had suffered an intrusion before updating to 2.0.11 and have failed to clean up after said intrusion.
That looks just like the highlighting exploit. It was fixed in 2.0.11 last year. Heck the date of that post was last December. We are unaware, let me repeat that unaware of any exploit in 2.0.11 that still involves highlighting source in viewtopic. AFAIK, unless I've been told nonsense by the rest of my and our other teams this issue is fixed.
Now, let's look at what that script appears to do shall we?
First it creates a URL containing viewtopic.php with a random topic_id. It then performs a search (still using Google by the looks) for any link containing said url. It pulls all links on the returned results page. It eliminates certain url's which are not likely real boards. Not entirely sure what the Yahoo search is about, perhaps a workaround given Google are blocking such requets now. It goes on to craft the relevant url making use of the highlighting exploit. It proceeds to go after each discovered site ... end. The other scripts are those which this exploit installs.
Now as I said, unless all that I've been told by my teams is utter rubbish this exploit was successfully addressed in 2.0.11. Indeed we're not aware of any confirmed attack on 2.0.11. People saying they have been attacked are more than likely; confusing the appearance of the exploit in their logs with an actual successful attack; have failed to properly update their install, are running on a shared host which has failed to take appropriate security measures and/or informed/forced all their users to upgrade, are running other applications which are vulnerable including other board software, had suffered an intrusion before updating to 2.0.11 and have failed to clean up after said intrusion.
Re: new phpBB worm affects 2.0.11
seems to me icoweb knows more about the work that is going on then the workers themselves.. 8Oicoweb wrote: While phpBB are currently finding a patch for phpBB 2.0.11
-- this space for rent --
Re: new phpBB worm affects 2.0.11
icoweb in his/her postings thus far has proved to be nothing but an SMF-stooge. And while I do not wish to besmirch the fine work [Unknown] and the rest of the SMF team have done ... to compare phpBB, a board available for several years and used by thousands of sites to one which has been available but a short time and is used by a small proportion of sites is just an utterly rediculous thing to do.
-
eqbeastlord
- Registered User
- Posts: 10
- Joined: Tue Aug 12, 2003 8:06 pm
Re: new phpBB worm affects 2.0.11
Someone needs to find out how to use this exploit to update people's code to the current version of phpbb! That'd solve the problem 
Re: new phpBB worm affects 2.0.11
I believe there actually was a "friendly worm" that patched 2.0.<11 boards without permission. Ofcourse even this worm can create (unintended) security holes.
Re: new phpBB worm affects 2.0.11
Hi, i am new to PHPBB. I admin a site which had phpbb running.
but i applyed phpbb2.11 now.
do i have to upgrade the 2.12 now,
please explain.
thanks
but i applyed phpbb2.11 now.
do i have to upgrade the 2.12 now,
please explain.
thanks
Re: new phpBB worm affects 2.0.11
Hi,
you are posting in the phpBB 2.1 development board, 2.1 is a new version of phpBB which will be available later this year. The boards for phpBB 2.0 can be found at http://www.phpbb.com," target="_blank you will get more support for your questions there.
However, to adress your question now: ...As I am just seeing, you should urgently upgrade to 2.0.13!
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563" target="_blank
[edit]To give your original question a more thorough answer. Here's a list of changes from .11 to .12 . However, please keep in mind that you urgently should update to .13!
Added confirm table to admin_db_utilities.php
Prevented full path display on critical messages
Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
Removed version number from powered by line
Merged database update files to update_to_latest.php file
Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer
you are posting in the phpBB 2.1 development board, 2.1 is a new version of phpBB which will be available later this year. The boards for phpBB 2.0 can be found at http://www.phpbb.com," target="_blank you will get more support for your questions there.
However, to adress your question now: ...As I am just seeing, you should urgently upgrade to 2.0.13!
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563" target="_blank
[edit]To give your original question a more thorough answer. Here's a list of changes from .11 to .12 . However, please keep in mind that you urgently should update to .13!
Added confirm table to admin_db_utilities.php
Prevented full path display on critical messages
Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
Removed version number from powered by line
Merged database update files to update_to_latest.php file
Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer
Re: new phpBB worm affects 2.0.11
Hi!
I think, the FUD about the hacked 2.0.11-Boards are Boards, which run actualy a version < 2.0.11, but have just run the update_to_latest.php. You should store the version number somewhere in the files and lock the board if the version numbers in the files and database are not the same. Like you do, if the contrib or install directory is present.
A friend of mine made the this mistake. Okay, it was naive not to read the INSTALL.html and not to read the message of the database update script, but you should think about the admins without good english knowlage (like me
) and the lazy ones.
iGEL
I think, the FUD about the hacked 2.0.11-Boards are Boards, which run actualy a version < 2.0.11, but have just run the update_to_latest.php. You should store the version number somewhere in the files and lock the board if the version numbers in the files and database are not the same. Like you do, if the contrib or install directory is present.
A friend of mine made the this mistake. Okay, it was naive not to read the INSTALL.html and not to read the message of the database update script, but you should think about the admins without good english knowlage (like me
) and the lazy ones.iGEL