
Web Attack: PHPBB URL Decode SQL Injection

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This event indicates an attempt to exploit vulnerabilities in the phpBB open-source forum application.

Additional Information

phpBB is an open-source web forum application that is written in PHP and supported by a number of database products. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

The phpBB 'viewtopic.php' script is prone to a remote PHP script injection vulnerability and to a remote input validation vulnerability; the latter is reportedly caused by a failure in the application's urldecode handling.

The input validation vulnerability is due to a failure to filter critical characters from user-supplied input.

The script injection issue is likewise due to a failure to filter critical characters from user-supplied input.

More specifically, the input validation issue stems from the application's failure to properly sanitize user-supplied URI parameters before using them to construct dynamically generated web pages.

The script injection problem presents itself when a malicious user supplies specially formatted URL-encoded data to the vulnerable script through the 'highlight' parameter. This may allow a remote attacker to execute arbitrary commands in the context of the web server hosting the vulnerable software. The issue may also potentially be exploited to trigger SQL injection attacks, though this is not confirmed.

The input validation problem presents itself because the urldecode function, which is used to filter potentially malicious content from user-supplied input, fails to properly translate user-specified input. Specifically, all '%2527' strings are translated to '%27', which corresponds to the single quote character. The application apparently fails to escape this character once translated, facilitating SQL injection and potentially PHP code execution.

Update: These vulnerabilities are being actively exploited by the Perl.Santy.* worms.

Affected

  • Gentoo Linux
  • phpBB Group phpBB 1.0.0, 1.2.0, 1.2.1, 1.4.0, 1.4.1, 1.4.2, 1.4.4, 2.0 Beta 1, 2.0 RC1, 2.0 RC2, 2.0 RC3, 2.0 RC4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.6 c, 2.0.6 d, 2.0.7, 2.0.7 a, 2.0.8
  • PNphpBB PNphpBB 1.2, 1.2 f, 1.2 g

Response

Workaround:

A temporary workaround is available at the following location:
howdark.com exploits - follow up

Additionally, it is suggested that customers using mod_security may employ the following line to help prevent attacks. The viability of this workaround has not been verified by Symantec (the regex escapes, which the page's rendering had dropped, are restored below):

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
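The two technical points above, the double URL-decoding that turns '%2527' into a single quote and the mod_security pattern that looks for PHP function calls in the raw request line, can both be checked on the defender's side. The following Python script is an added example, not code from Symantec or from the phpBB project. It repeatedly percent-decodes each query parameter until the value stops changing and flags any parameter that needs two or more rounds and ends up containing a quote, and it applies the advisory's pattern both to the raw request line (as THE_REQUEST does) and to the fully decoded target. The request lines are constructed samples, and the finding tag names, the `MAX_DECODE_ROUNDS` limit and the `analyse_request_line` helper are this example's own choices.

```python
import re
import urllib.parse

# Pattern from the advisory's mod_security workaround, with the regex
# escapes (\s*\() restored.
MODSEC_PATTERN = re.compile(
    r"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
)

MAX_DECODE_ROUNDS = 4  # guard against pathological nesting (assumed limit)


def decode_until_stable(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until the value stops changing.

    Returns (decoded_value, rounds), where rounds counts the decodes that
    changed the string. '%2527' needs two rounds to become a single quote,
    which is exactly the double decoding the advisory describes.
    """
    rounds = 0
    current = value
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def raw_query_params(target):
    """Yield (name, raw_value) pairs from a request target WITHOUT decoding
    the value, so multi-level encoding is preserved for inspection."""
    _path, _sep, query = target.partition("?")
    for pair in query.split("&"):
        if not pair:
            continue
        name, _eq, raw = pair.partition("=")
        yield urllib.parse.unquote(name), raw


def analyse_request_line(request_line):
    """Return sorted finding tags for one HTTP request line.

    modsec_raw                    advisory pattern matches the raw line
    modsec_decoded                it matches only after full decoding
    double_encoded_quote:<param>  parameter needs >= 2 decode rounds and
                                  then contains a single quote
    """
    findings = set()
    if MODSEC_PATTERN.search(request_line):
        findings.add("modsec_raw")
    fields = request_line.split(" ")
    if len(fields) < 2:
        return sorted(findings)
    target = fields[1]
    decoded_target, _ = decode_until_stable(target)
    if "modsec_raw" not in findings and MODSEC_PATTERN.search(decoded_target):
        findings.add("modsec_decoded")
    for name, raw in raw_query_params(target):
        value, rounds = decode_until_stable(raw)
        if rounds >= 2 and "'" in value:
            findings.add(f"double_encoded_quote:{name}")
    return sorted(findings)


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUEST_LINES = [
    "GET /viewtopic.php?t=42&highlight=phpbb HTTP/1.1",
    "GET /viewtopic.php?t=42&highlight=%2527 HTTP/1.1",
    "GET /viewtopic.php?t=42&highlight=fwrite( HTTP/1.1",
    "GET /viewtopic.php?t=42&highlight=fopen%2528 HTTP/1.1",
]


def summarise(lines=SAMPLE_REQUEST_LINES):
    """Map each request line to its findings (empty list = nothing flagged)."""
    return {line: analyse_request_line(line) for line in lines}


if __name__ == "__main__":
    for line, tags in summarise().items():
        print(f"{tags or ['-']!s:40} {line}")
```

The first sample is an ordinary search and produces no finding; the second is the '%2527' case from the advisory and is flagged on the 'highlight' parameter; the third matches the mod_security pattern as written; the fourth matches only after decoding, which is why a filter on THE_REQUEST alone is best paired with a check on the normalised parameters.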

Solution:

Gentoo has released a security advisory (GLSA 200411-32) and an updated eBuild to address this vulnerability. Gentoo users are advised to execute the following sequence of commands as a superuser in order to apply the updates:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/phpbb-2.0.11"

The vendor has released an update to address this vulnerability:

phpBB Group phpBB 1.0.0:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 1.2.0:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 1.2.1:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 1.4.0:
phpBB Group Upgrade phpBB 1.4.1
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 1.4.1:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 1.4.2:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 1.4.4:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0 Beta 1:
phpBB Group Upgrade phpBB-2.0-RC4.tar.gz
phpBB Group Upgrade phpBB 2.0.1
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0 RC1:
phpBB Group Upgrade phpBB-2.0-RC4.tar.gz
phpBB Group Upgrade phpBB 2.0.1
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0 RC2:
phpBB Group Upgrade phpBB-2.0-RC4.tar.gz
phpBB Group Upgrade phpBB 2.0.1
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0 RC3:
phpBB Group Upgrade phpBB-2.0-RC4.tar.gz
phpBB Group Upgrade phpBB 2.0.1
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0 RC4:
phpBB Group Upgrade phpBB 2.0.1
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.0:
phpBB Group Upgrade phpBB 2.0.1
phpBB Group Upgrade phpBB 2.0.2
phpBB Group Upgrade phpBB 2.0.3
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.1:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.2:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.3:
phpBB Group Upgrade phpBB 2.0.4
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.4:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.5:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.6:
phpBB Group Upgrade phpBB-2.0.6.zip
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.6 c:
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.6 d:
phpBB Group Upgrade phpBB 2.0.7
phpBB Group Upgrade phpBB-2.0.8.zip
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.7:
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.7 a:
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11

phpBB Group phpBB 2.0.8:
phpBB Group Upgrade phpBB-2.0.9.zip
phpBB Group Upgrade phpBB-2.0.10
Xore Upgrade CashMod222.zip
phpBB Group Upgrade phpBB 2.0.11