ITNS ADVISORY ITNS-2005-030401 phpBB, March 4, 2005

phpBB Vulnerability

Original release date: 3/4/2005
Last revised: 3/4/2005
Source: Purdue IT Security and Policy
URL: http://www.itap.purdue.edu/security/

CONTENTS
-------------------
1.   SYSTEMS AFFECTED
2.   OVERVIEW
3.   DETAILED DESCRIPTION
4.   IMPACT AND ACTIONS
5.   SOLUTION
6.   FURTHER INFORMATION
7.   IT SECURITY AND POLICY CONTACT INFORMATION

SYSTEMS AFFECTED
--------------------
Web servers running versions of phpBB prior to 2.0.12.

OVERVIEW
--------------------

Exploits of flaws in phpBB may result in remote compromise of the web server user account as well as disclosure of the webroot path.

DETAILED DESCRIPTION
-----------------------

A newly published exploit for phpBB abuses the handling of the autologinid variable and may allow attackers to gain the rights of the web server user. In addition, "viewtopic.php" can be used to disclose the webroot path.

This vulnerability has been exploited on campus. Behavior in this and similar incidents includes the installation of IRC flood and DDoS tools as well as attempts to gain root access to the system using common rootkit utilities.

Additional details of the changes made in phpBB 2.0.13 can be found at: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

IMPACT AND ACTIONS
--------------------

Systems running phpBB may have their web user account compromised. Systems that are not properly patched or secured may have further exploits attempted, including, but not limited to, rootkit installation and/or compromise of root if a vulnerability exists that the attackers can exploit.

Server administrators are advised to review their access logs for abnormal accesses involving autologinid and viewtopic.php.
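The following script is an added example for the log review suggested above; it is not part of this advisory or of phpBB. It assumes the web server writes Apache/NCSA combined (or common) log format, flags any request whose URL carries an autologinid value (in phpBB 2 that value is only ever sent inside the session cookie, so its appearance in a URL is abnormal), and counts viewtopic.php requests per client address so that bursts stand out for manual review. The sample log lines and the burst threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache/NCSA combined log format. The referer/agent fields are optional so
# that plain common-format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (not real campus logs); documentation addresses only.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Mar/2005:10:15:01 -0500] "GET /phpBB2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [04/Mar/2005:10:15:07 -0500] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 8801 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Mar/2005:10:16:22 -0500] "GET /phpBB2/viewtopic.php?t=1&autologinid=1 HTTP/1.1" 200 9123 "-" "curl/7.12"
198.51.100.7 - - [04/Mar/2005:10:16:23 -0500] "GET /phpBB2/viewtopic.php?t=2 HTTP/1.1" 200 9100 "-" "curl/7.12"
198.51.100.7 - - [04/Mar/2005:10:16:24 -0500] "GET /phpBB2/viewtopic.php?t=3 HTTP/1.1" 200 9050 "-" "curl/7.12"
203.0.113.5 - - [04/Mar/2005:10:17:00 -0500] "POST /phpBB2/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined/common format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def script_name(target):
    """Base name of the requested script, e.g. 'viewtopic.php' (URL-decoded, lower-cased)."""
    return urlsplit(unquote(target)).path.rsplit("/", 1)[-1].lower()


def request_reasons(entry):
    """Per-request indicators drawn from the advisory: autologinid appearing in the URL."""
    reasons = []
    if "autologinid" in unquote(entry["target"]).lower():
        reasons.append("autologinid in request URL")
    return reasons


def scan_access_log(lines, burst_threshold=10):
    """Return (findings, viewtopic_hits_per_ip) for an iterable of log lines.

    A finding is a dict with ip, time, reason and request. Per-IP counts of
    viewtopic.php requests are returned so the reviewer can see the full picture,
    and addresses at or above burst_threshold get a finding of their own.
    """
    findings = []
    viewtopic_hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than crash mid-review
        for reason in request_reasons(entry):
            findings.append({"ip": entry["ip"], "time": entry["ts"],
                             "reason": reason, "request": entry["target"]})
        if script_name(entry["target"]) == "viewtopic.php":
            viewtopic_hits[entry["ip"]] += 1
    for ip, count in viewtopic_hits.items():
        if count >= burst_threshold:
            findings.append({"ip": ip, "time": None,
                             "reason": f"{count} viewtopic.php requests (threshold {burst_threshold})",
                             "request": None})
    return findings, viewtopic_hits


if __name__ == "__main__":
    # Threshold of 3 is only to make the constructed sample trip the burst check.
    found, hits = scan_access_log(SAMPLE_LOG.splitlines(), burst_threshold=3)
    for f in found:
        print(f"{f['ip']:15} {f['time'] or '-':28} {f['reason']}  {f['request'] or ''}")
    print("viewtopic.php hits per IP:", dict(hits))
```

Run it against a real log with `scan_access_log(open("/var/log/httpd/access_log"))` and pick a burst threshold that fits the board's normal traffic; a hit on the autologinid check is worth examining on its own, while the burst count only ranks addresses for a closer look.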

SOLUTION
--------------------

Immediately update to phpBB 2.0.13 from http://www.phpbb.com.

FURTHER INFORMATION
--------------------

Analysis of the vulnerabilities can be found at: http://www.k-otik.com/english/advisories/2005/0212

Announcement by the phpBB developers: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

IT SECURITY AND POLICY CONTACT INFORMATION
------------------------------------------
Purdue University IT Security and Policy can be contacted at:
itap-securityhelp@purdue.edu

Abuse incidents can be reported to: abuse@purdue.edu

If you believe that a crime has been committed, please contact your local police department.