blobber wrote: Hi!
This is not really a feature request or bug report, it's rather an idea that we had some time ago because our phpBB forum was "hacked" by some sick soul who thought it would be cool to exploit some of the (back then) well documented security weaknesses of phpBB in order to do some harm to our forum.
So, said person used an exploit to inject malicious SQL code into phpBB, which resulted in the loss of a couple of hundred postings, because the last backup was already 3 weeks old.
Meanwhile, we have tried to permanently update our board software; however, we realize that something like that could happen anytime again, hence we do regular daily backups, too. On the other hand, most of us being familiar with PHP, too, we thought about potential ways to make such an attack at least (a bit) more complicated for the average script kiddie.
So, the following is what we have come up with, so far - and we'd really like to get some feedback and opinions from you guys about all this, and how feasible you think it would be to implement the following functionality within phpBB:
The major idea is to use a central database access object that's inherited from any of PHP's standard db access objects; however, we'd like to extend the base class in a manner that allows SQL statement verification and validation.
Basically, this would mean that any function/method in any script that sends SQL queries to the database would have some hardcoded way to determine what SQL statements are valid for the corresponding function and method.
So, apart from the usual query string, there would also be an associative array containing SQL statements/commands that are valid for a function/method.
The actual query method would then not directly execute the query string by sending it to the db, but rather do some simple "pre-parsing", or checking - by comparing the actual query string with the conditions that are additionally provided by each function.
While most of the parsing could become relatively complex with some functions, some more advanced usage of regex checking should be suitable to determine whether a SQL statement matches the conditions or not.
Basically, this would mean that each SQL query would additionally provide its own "context" to the parent SQL object, which is first checked - so that the SQL query is only run if the conditions are met.
So, we would end up having a simple syntax checker for most purposes that could also check the type of arguments and possibly even contain a "blacklist" of non-allowed statements.
The latter might come in handy by default for those scripts or functions that need only read access and don't need write access; for example, to display the member list, there won't be any need to make use of SQL statements such as "UPDATE, INSERT, DROP" etc.
An attacker would hence not only have to find a security hole within the source code itself, but would also need to find such a security hole within certain modules of the source code that do have the necessary "privileges" to actually pass such "active" (writing/modifying) SQL statements to the database.
Apart from the general layout as described above, one could also additionally provide custom regex statements that apply only to certain functions/methods. This would be mainly useful to really check complex SQL statements that might rely on a variable subset of SQL statements, depending on the current execution mode; so, one could even do some simple "structure checking" in order to validate a SQL statement, apart from the actual "vocabulary" of the query string itself.
So, even though this could theoretically also be overridden, we'd think that it might make some sorts of attacks a lot harder; however, we are not too familiar with phpBB's internals and would hence love to get some feedback from those people who are really involved in the development process.
Please feel free to make any comments or ask for further clarification - if necessary.
P.S.: Sorry if this is a double posting, I didn't seem to succeed in posting at first ... either there's some activation thing required or I am doing something else wrong ...
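A sketch of the per-call "context" check described in the post above, as an added example that is neither phpBB code nor the poster's own: the wrapper compares the query's leading verb against an allow list, scans for a deny list of verbs the caller never needs, rejects stacked statements, and optionally enforces a structural regex. The class name `SqlGate`, the `$ctx` keys and the `phpbb_users` sample queries are assumptions for illustration.

```php
<?php
// Illustrative wrapper (not from phpBB): validate a query against the
// caller-supplied context before it is handed to the database driver.
class SqlGate
{
    private ?PDO $pdo;

    // $pdo may be omitted when only check() is exercised, as in the demo below.
    public function __construct(?PDO $pdo = null) { $this->pdo = $pdo; }

    /** Returns a rejection reason, or null when $sql satisfies $ctx. */
    public function check(string $sql, array $ctx): ?string
    {
        $q = trim($sql);
        // A semicolon followed by more text means a second (stacked) statement.
        if (preg_match('/;\s*\S/', $q)) {
            return 'stacked statement';
        }
        if (!preg_match('/^([A-Za-z]+)/', $q, $m)) {
            return 'no leading keyword';
        }
        $verb = strtoupper($m[1]);
        if (!in_array($verb, array_map('strtoupper', $ctx['allow'] ?? []), true)) {
            return "verb $verb not allowed for this call";
        }
        // Coarse "blacklist": denied verbs may not appear anywhere in the text.
        foreach ($ctx['deny'] ?? [] as $bad) {
            if (preg_match('/\b' . preg_quote($bad, '/') . '\b/i', $q)) {
                return "denied keyword $bad";
            }
        }
        // Optional structural regex for the one query shape this call should send.
        if (isset($ctx['shape']) && !preg_match($ctx['shape'], $q)) {
            return 'structure mismatch';
        }
        return null;
    }

    public function query(string $sql, array $ctx): PDOStatement
    {
        if (($why = $this->check($sql, $ctx)) !== null) {
            throw new RuntimeException("query rejected: $why");
        }
        return $this->pdo->query($sql);
    }
}

// Constructed context for a read-only member-list function.
$memberListCtx = [
    'allow' => ['SELECT'],
    'deny'  => ['UPDATE', 'INSERT', 'DELETE', 'DROP', 'UNION'],
    'shape' => '/^SELECT\s+[\w,\s]+FROM\s+phpbb_users(\s+WHERE\s+\w+\s*=\s*\d+)?\s+ORDER BY\s+\w+$/i',
];
$gate = new SqlGate();
foreach ([
    'SELECT user_id, username FROM phpbb_users ORDER BY username',
    'SELECT user_id FROM phpbb_users WHERE user_id = 1; UPDATE phpbb_users SET username = "x"',
    'SELECT user_id FROM phpbb_users WHERE user_id = 1 OR 1=1 ORDER BY username',
] as $sql) {
    echo $sql, "\n  => ", $gate->check($sql, $memberListCtx) ?? 'ok', "\n";
}
```

The first query passes every check; the second is stopped by the stacked-statement test before the deny list is even consulted, and the third, which carries no forbidden verb, is caught only by the structural regex.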