PhpBB worms feeding frenzy

It looks like it is going to be a bleak year for PhpBB securitywise , do not get me wrong however , i am a big fan of the software and it is the bulletin board that i will always use.

With not less than 3 major security vulnerabilities in the last 3 months and still hundreds of unpatched installations providing a rich meal for the growing number of phpbb worms , i was recently to discover that some of my phpbb installations were on the menu.

It was about one hour into 27 feb when i took a quick glance on my server logmon screen on my way to bed , and i could not feel unstartled by the chr(32)%252Echr(113)…. strings i see in some recent http requests when the error log prints some messages about writing to /tmp/ , now there is no doubt , i stop apache , kill perl and the shell bot running under it , clear /tmp and start googling.

Introducing CAN-2004-1315 and the Santy/AWS worm variant by some brazilian hackers that with it compromised my system and tried to make it just another zombie on their botnet that the kind people at SANS promtly closed down after my report

Now fast forward to today , i am now all upgraded from phpbb 2.0.5 to 2.0.12 but that does not make me less curious when i see messages about failing to allocate memory , issue i am aware of occuring when doing phpbb backups , but i am not doing any

Introducing CAN-2005-0614 , as i have not upgraded to PhpBB 2.0.13 yet now anyone can perform administrative tasks on my board
Well that by itself is not a security conpromise for my machine , BUT , introducinghttp://www.securityfocus.com/bid/7932 , so it seems that anyone having phpbb admin privileges can also run codeCAN-2004-1235 ) on my machine (and they did) .

Evidently i am now all patched and upgraded to 2.0.13 , one day short of my time for cleaning the box and really concerned about the security future of phpbb as at this time there is still no patch to stop a user with legitimate admin privileges from executing shell code on your system trough admin_styles.php .

So until that is fixed , make sure you trust your phpbb admins .

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s