Sub Menu
Links Menu
Online Users

In total there are 305 users online :: 3 registered, 0 hidden and 302 guests

Most users ever online was 1091 on Wed Aug 16, 2023 5:27 pm

Registered users: Bing [Bot], Google [Bot], Majestic-12 [Bot] based on users active over the past 60 minutes

User Registration Security Hole

This is where youll find security related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

User Registration Security Hole

PostAuthor: jwernerny » Fri Sep 15, 2006 4:54 am

I have been having some problems with getting bogus Spam Accounts (my word) signing up in my forum. After digging into the problem some more, I have found what looks like some sort of injection hack being used.

The forum is setup with with the profilcp images required. It also requires the security question and answer. If I try to skip them from the webpage, the scripts complain. But, I have bogus accounts that appear to be machine generated. (The same user name is registered on 20,000+ sites in 3 days!)

Looking through the raw SQL database and my logs, discovered two interesting things.

1. All of the bogus accounts have no security question.

2. From my logs, it looks like they are doing an end-around insertion

Code: Select all
211.191.97.246 - - [15/Sep/2006] "GET /forum/profile.php?mode=register&agreed=true HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"    ***MARK***211.191.97.246 - - [15/Sep/2006:00:05:06 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "http://snowtire.info/forum/profile.php?mode=register&agreed=true" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  


My guesss is that there is an exploit around this.

Looking through google, I see that several other sites are reporting DDOS attacks with the string "/forum/profile.php?mode=register&agreed=true"

A further look gives some sites that appear to claim to have exploits against phpbb. I can't view them from here since they are blocked.

- John
Last edited by jwernerny on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 3:58 am
Cash on hand: 0.00
Location: Fairport, NY

PostAuthor: Michaelo » Mon Oct 09, 2006 6:19 pm

This exploit does not work in 1.4.1... what is the affect in 1.4.0?
Last edited by Michaelo on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
Kiss Portal Engine phpbbireland (status: Released)
User avatar
Michaelo
Administrator
Administrator
 
Posts: 1646
Likes: 0 post
Liked in: 0 post
Joined: Sat Mar 11, 2006 5:14 pm
Cash on hand: 0.00
Location: Dublin, Ireland

PostAuthor: jwernerny » Wed Oct 11, 2006 11:15 am

It looks like the exploit purpose is to inject a new users into the forum database without them going through the registration (and image verificaiton) process. I have been getting 4 to 5 users who somehow managed to register without filling in required fields. My guess is that it is using this.

I can't wait to get my hands on 1.4.1 (or KisMod) and see if upgrading stops that.
Last edited by jwernerny on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 3:58 am
Cash on hand: 0.00
Location: Fairport, NY

PostAuthor: odius » Thu Oct 12, 2006 7:13 pm

so whats the plan until then, or for who doesnt wanna bother updating ? will there be an upgrade to kismod or does the who package have to be replaced, and site content manually restored??

I'm guessing the injection problems can all b blocked with proper .htaccess entrys??
Last edited by odius on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.

odius
Newbie
Newbie
 
Posts: 28
Likes: 0 post
Liked in: 0 post
Joined: Tue May 02, 2006 12:14 pm
Cash on hand: 0.00

PostAuthor: Michaelo » Thu Oct 12, 2006 7:33 pm

If you post your copy of profile.php here I can check for exploit... 1.4.1 does not have mode = register in profiles.php ?
Last edited by Michaelo on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
Kiss Portal Engine phpbbireland (status: Released)
User avatar
Michaelo
Administrator
Administrator
 
Posts: 1646
Likes: 0 post
Liked in: 0 post
Joined: Sat Mar 11, 2006 5:14 pm
Cash on hand: 0.00
Location: Dublin, Ireland

Re: User Registration Security Hole

PostAuthor: Dioncecht » Fri Oct 13, 2006 9:44 am

until 1.4.1 is realeased, I'll just delete the bogus accounts. I only get about 5 a day
Last edited by Dioncecht on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
'We keep moving forward, opening new doors, and doing new things, because we're curious and curiosity keeps leading us down new paths.' - Walt Disney

[img=left]http://rpghq.org/banner2.jpg[/img]
[url=http]The RPG Headquarters. The RPG capitol of the net![/url]
User avatar
Dioncecht
Sr Integra Member
Sr Integra Member
 
Posts: 244
Likes: 0 post
Liked in: 0 post
Joined: Sun Apr 09, 2006 4:23 pm
Cash on hand: 0.00

Re: User Registration Security Hole

PostAuthor: odius » Fri Oct 13, 2006 11:20 pm

this is 1.4
with phpbb 2.19

<?php

/***************************************************************************

* profile.php

* -----------

* begin : 08/05/2003

* copyright : Ptirhiik

* email : <a>admin@rpgnet-fr.com</a>

*

* version : 1.0.9 - 17/10/2003

*

***************************************************************************/



define('IN_PHPBB', true);

$phpbb_root_path = './';

include($phpbb_root_path . 'extension.inc');

include($phpbb_root_path . 'common.'.$phpEx);

include($phpbb_root_path . 'includes/functions_points.'.$phpEx);

include($phpbb_root_path . 'profilcp/functions_profile.'.$phpEx);



include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);

include($phpbb_root_path . 'includes/functions_validate.'.$phpEx);

include($phpbb_root_path . 'includes/functions_post.'.$phpEx);

include($phpbb_root_path . 'includes/bbcode.'.$phpEx);

include($phpbb_root_path . 'includes/emailer.'.$phpEx);

include_once($phpbb_root_path . 'includes/functions_topics_list.' . $phpEx);



//

// Start session management

$userdata = session_pagestart($user_ip, PAGE_PROFILE);

init_userprefs($userdata);



//

// Set default email variables

//

$script_name = preg_replace('/^/?(.*?)/?$/', '1', trim($board_config['script_path']));

$script_name = ( $script_name != '' ) ? $script_name . '/profile.'.$phpEx : 'profile.'.$phpEx;

$server_name = trim($board_config['server_name']);

$server_protocol = ( $board_config['cookie_secure'] ) ? 'https://' : 'http://';

$server_port = ( $board_config['server_port'] <> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/';



$server_url = $server_protocol . $server_name . $server_port . $script_name;



//

// get viewed user id

$view_user_id = ANONYMOUS;

if ( isset($HTTP_POST_VARS[POST_USERS_URL]) || isset($HTTP_GET_VARS[POST_USERS_URL]) )

{

$view_user_id = isset($HTTP_POST_VARS[POST_USERS_URL]) ? intval($HTTP_POST_VARS[POST_USERS_URL]) : intval($HTTP_GET_VARS[POST_USERS_URL]);

}

if ($view_user_id==ANONYMOUS) $view_user_id = $userdata['user_id'];



//

// get the menu

$dir = @opendir($phpbb_root_path . "profilcp");

$setmodules = true;

while( $file = @readdir($dir) )

{

if( preg_match("/^profilcp_.*?." . $phpEx . "$/", $file) )

{

include($phpbb_root_path . "profilcp/" . $file);

}

}

@closedir($dir);



unset($setmodules);

//

// sort

for ($i=0; $i <count>sql_query($sql))

{

message_die(GENERAL_ERROR, 'Couldn't obtain user information.', '', __LINE__, __FILE__, $sql);

}

if (!$user_row = $db->sql_fetchrow($result) )

{

message_die(GENERAL_ERROR, $lang['No_such_user']);

}



// get curopt

$curopt = -1;

for ($i=0; ( ($i < count($module['mode'])) && ($curopt < 0) ); $i++ )

{

if ($mode == $module['mode'][$i])

{

$curopt = $i;

}

}



// sub-option

if ( !isset($module['sub'][$curopt]['mode']) || !in_array($sub, $module['sub'][$curopt]['mode']) )

{

$sub = '';

}



// get cur subopt

$cur_subopt = -1;

for ($i=0; ( ($i < count($module['sub'][$curopt]['mode'])) && ($cur_subopt < 0) ); $i++ ) if ($sub == $module['sub'][$curopt]['mode'][$i]) $cur_subopt = $i;

if ( ($cur_subopt <0> 0) )

{

$cur_subopt = 0;

$sub = $module['sub'][$curopt]['mode'][0];

}



// action

$set = '';

if ( isset($HTTP_POST_VARS['set']) || isset($HTTP_GET_VARS['set']) )

{

$set = isset($HTTP_POST_VARS['set']) ? $HTTP_POST_VARS['set'] : $HTTP_GET_VARS['set'];

}

$no_header = in_array($set, array('add', 'remove'));



// Control

$submit = ( isset($HTTP_POST_VARS['submit']) || (($mode=='privmsg') && isset($HTTP_POST_VARS['post'])) );

$reset = isset($HTTP_POST_VARS['reset']);

$remove = isset($HTTP_POST_VARS['remove']);

$adduser = isset($HTTP_POST_VARS['adduser']);

$preview = isset($HTTP_POST_VARS['preview']);

$cancel = isset($HTTP_POST_VARS['cancel']);

$confirm = isset($HTTP_POST_VARS['confirm']);



// privmsg

$save = isset($HTTP_POST_VARS['save']);

$mark_list = ( !empty($HTTP_POST_VARS['mark']) ) ? $HTTP_POST_VARS['mark'] : 0;

$save = ($save && $mark_list && ($sub != 'savebox') && ($sub != 'outbox'));



// reload the user row

$view_userdata = $user_row;



if ($submit || $remove || $adduser || $no_header || $save || $confirm)

{

// session id check

if ( ($sid != $userdata['session_id']) && ($set == '') && !$no_header && !defined('NO_SID'))

{

message_die(GENERAL_ERROR, 'Invalid_session');

}



if ( !empty($module['url'][$curopt]) && empty($module['sub'][$curopt]['url'][$cur_subopt]) )

{

@include( $phpbb_root_path . './profilcp/' . $module['url'][$curopt] );

}

if ( !empty($module['sub'][$curopt]['url'][$cur_subopt]) )

{

include( $phpbb_root_path . './profilcp/' . $module['sub'][$curopt]['url'][$cur_subopt] );

}



if (!$error && !$no_header)

{

$ret_link = append_sid("./profile.$phpEx?mode=$mode" . (($cur_subopt <0>assign_vars(array(

'META' => '<meta>')

);

/* PCP Extra :: Altered

$message = $lang['Profile_updated'] . '<br><br>' . sprintf($lang['Click_return_profilcp'], '<a>', "</a>") . '<br><br>';*/

$message = $lang['Profile_updated'] . '<br><br>' . sprintf($lang['Click_return_profilcp'], '<a>', "</a>", $module['sub'][$curopt]['page_title'][$cur_subopt]) . '<br><br>';

message_die(GENERAL_MESSAGE, $message);

}

}

else if ($cancel)

{

redirect(append_sid("./profile.$phpEx?mode=$mode&sub=$sub"));

}

else

{

// set the page title and include the page header

$page_title = $module['page_title'][$curopt];

if ($cur_subopt >= 0) $page_title .= ' :: ' . $module['sub'][$curopt]['page_title'][$cur_subopt];

include ($phpbb_root_path . './includes/page_header.' . $phpEx);



// template file

$template->set_filenames(array(

'profilcp_header' => 'profilcp/profilcp_header.tpl')

);

//

// menu

$nb_opt = count($module['shortcut']);

if ( $nb_opt < 8 ) $nb_opt = 8;

$width = intval(120 / $nb_opt) +1;

$filler_width = 120 - $width * count($module['shortcut']);

if ($filler_width <0>assign_vars(array(

'NBOPT' => $nb_opt,

'WIDTH' => $width,

'FILLER_WIDTH' => $filler_width,

)

);

if ( $nb_opt > count($module['shortcut']) )

{

$template->assign_block_vars('filleropt', array() );

}



for ($i=0; $i <count> $level_prior[get_user_level($view_userdata)])))) ? 'otheropt' : 'inactopt' );

$template->assign_block_vars('opt', array());

$link = append_sid("./profile.$phpEx?mode=" . $module['mode'][$i] . ( ($view_userdata['user_id'] != ANONYMOUS) ? '&' . POST_USERS_URL . '=' . $view_userdata['user_id'] : '') );

if ( count($module['sub'][$i]['mode']) == 1 )

{

// only one sub-module

$link = append_sid("./profile.$phpEx?mode=" . $module['mode'][$i] . "&sub=" . $module['sub'][$i]['mode'][0] . ( ($view_userdata['user_id'] != ANONYMOUS) ? '&' . POST_USERS_URL . '=' . $view_userdata['user_id'] : '') );

}

$template->assign_block_vars('opt.' . $switch, array(

'SHORTCUT' => $module['shortcut'][$i],

'U_SHORTCUT' => $link,

)

);

}

//

// sub-menu

if ( ($cur_subopt >= 0) && (count($module['sub'][$curopt]['mode']) > 1) )

{

$nb_opt = count($module['sub'][$curopt]['shortcut']);

if ( $nb_opt < 8 ) $nb_opt = 8;

$width = intval(100 / $nb_opt) +1;

$filler_width = 100 - $width * count($module['sub'][$curopt]['shortcut']);

if ($filler_width <0>assign_block_vars('sub_menu', array(

'U_MODULE' => append_sid("./profile.$phpEx?mode=" . $module['mode'][$curopt] . "&sub=$sub" . ( ($view_userdata['user_id'] != ANONYMOUS) ? '&' . POST_USERS_URL . '=' . $view_userdata['user_id'] : '') ),

'L_MODULE' => $module['sub'][$curopt]['page_title'][$cur_subopt],

'NBOPT' => $nb_opt,

'WIDTH' => $width,

'FILLER_WIDTH' => $filler_width,

)

);



if ( $nb_opt > count($module['sub'][$curopt]['shortcut']) )

{

$template->assign_block_vars('sub_menu.filleropt', array() );

}



for ($i=0; $i <count> $level_prior[get_user_level($view_userdata)])))) ? 'otheropt' : 'inactopt' );

$template->assign_block_vars('sub_menu.opt', array());

if ($i <count>assign_block_vars('sub_menu.opt.' . $switch, array(

'SHORTCUT' => $module['sub'][$curopt]['shortcut'][$i],

'U_SHORTCUT' => append_sid("./profile.$phpEx?mode=" . $module['mode'][$curopt] . "&sub=" . $module['sub'][$curopt]['mode'][$i] . ( ($view_userdata['user_id'] != ANONYMOUS) ? '&' . POST_USERS_URL . '=' . $view_userdata['user_id'] : '') ),

)

);

}

}

}



// system info

$s_hidden_fields = '<input>';

$s_hidden_fields .= '<input>';

$s_hidden_fields .= '<input>';

if ( $cur_subopt >= 0) $s_hidden_fields .= '<input>';



$s_pagination_fields = 'mode=' . $mode;

if ($view_user_id != ANONYMOUS)

{

$s_pagination_fields .= '&' . POST_USERS_URL . "=$view_user_id";

}

$s_pagination_fields .= '&sid=' . $userdata['session_id'];

if ($cur_subopt >= 0)

{

$s_pagination_fields .= '&sub=' . $sub;

}



//

// page header constant

if (!isset($nav_separator)) $nav_separator = ' -> ';

$template->assign_vars(array(

'NAV_SEPARATOR' => $nav_separator,

'L_MODULE' => ( ($view_userdata['user_id'] != ANONYMOUS) ? $view_userdata['username'] : $lang['Guest'] ) . ' : ' . $module['page_title'][$curopt],

'U_MODULE' => append_sid("./profile.$phpEx?mode=" . $module['mode'][$curopt] . ( ($view_userdata['user_id'] != ANONYMOUS) ? '&' . POST_USERS_URL . '=' . $view_userdata['user_id'] : '') ),

)

);



// header

$template->pparse('profilcp_header');



// module

if ( !empty($module['url'][$curopt]) && empty($module['sub'][$curopt]['url'][$cur_subopt]) )

{

@include( $phpbb_root_path . './profilcp/' . $module['url'][$curopt] );

}

if ( !empty($module['sub'][$curopt]['url'][$cur_subopt]) )

{

@include( $phpbb_root_path . './profilcp/' . $module['sub'][$curopt]['url'][$cur_subopt] );

}



// footer

$template->set_filenames(array(

'profilcp_footer' => 'profilcp/profilcp_footer.tpl')

);



// sub-menu

if ( $cur_subopt >= 0 )

{

$template->assign_block_vars('sub_menu_b', array());

}

$template->pparse('profilcp_footer');



//

// page_footer

include($phpbb_root_path . './includes/page_tail.'.$phpEx);

}



?>
Last edited by odius on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.

odius
Newbie
Newbie
 
Posts: 28
Likes: 0 post
Liked in: 0 post
Joined: Tue May 02, 2006 12:14 pm
Cash on hand: 0.00

Re: User Registration Security Hole

PostAuthor: Aquilo » Fri Nov 17, 2006 5:10 pm

....
"Michaelo";p="16350" wrote:This exploit does not work in 1.4.1... what is the affect in 1.4.0?


"Dioncecht";p="16571" wrote:until 1.4.1 is realeased, I'll just delete the bogus accounts. I only get about 5 a day


Well, actually, we get 3 to 15 a day.... (and its me deleting them, not you, Dion) yep, 3 to 15 every single day... I sure have better things to do with my time then delete bogus user accounts all day

it is pretty frustrating that the support site isn't affected by this (maybe there would already be a fix if it was being affected??) especially since its cuz they've upgraded to a version that isn't available to the rest of us - we are just stuck waiting, and waiting, and waiting <img>
Last edited by Aquilo on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
Aquilo
Newbie
Newbie
 
Posts: 7
Likes: 0 post
Liked in: 0 post
Joined: Sat Aug 26, 2006 10:05 am
Cash on hand: 0.00
Location: Warren, MI

Re: User Registration Security Hole

PostAuthor: Frost » Fri Nov 17, 2006 9:53 pm

Um.. I have an idea that may work for you :P
Last edited by Frost on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
[size=99px]PhpBB3 Themes[/url] ]PhpBB3 Development Center[/url] [/size]

Frost
Sr Integra Member
Sr Integra Member
 
Posts: 776
Likes: 0 post
Liked in: 0 post
Joined: Wed Sep 13, 2006 1:04 am
Cash on hand: 0.00
Location: Photoshop CS3


Return to Forum Security

Who is online

Registered users: Bing [Bot], Google [Bot], Majestic-12 [Bot]

cron