Security Incidents mailing list archives
Re: Worm hitting PHPbb2 Forums
From: Chris Ess <securityfocus () cae tokimi net>
Date: Tue, 21 Dec 2004 14:14:36 -0500 (EST)
Funny enough, I got a message from a former employer about this worm yesterday- a box I had setup that had hardened php on it got hit hard by this worm. I must've misread the advisory as I was under the impression that the Hardened PHP patches protected PHP through canary values from this bug? Or does it use more than just unserialize() (i.e. realpath() )
This worm appears to have nothing to do with the bugs fixed in versions 4.3.10 and 5.0.3 of PHP. The bug occurs in this line in viewtopic.php in phpBB2: (Formatting changed to make it look pretty. It's line 1109 in phpBB2 2.0.10) $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1)); The 'e' flag on the regex pattern tells it to interpret the statement as valid PHP code and run it. (Reference is: http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php) The bug that is exploited works in such a way that it actually runs the command that is passed through the highlight GET variable. I'm not 100% sure how this works since I haven't had the chance to correlate the strings recorded in apache's access log with the above code. Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician)
Current thread:
- Worm hitting PHPbb2 Forums L. Walker (Dec 21)
- Re: Worm hitting PHPbb2 Forums mark (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- Re: Worm hitting PHPbb2 Forums Barrie Dempster (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- <Possible follow-ups>
- RE: Worm hitting PHPbb2 Forums Christopher Adickes (Dec 21)
- RE: Worm hitting PHPbb2 Forums Mike (Dec 21)
- RE: Worm hitting PHPbb2 Forums M. Shirk (Dec 22)