
This is a discussion on phpBB exploit in the Open Discussion & Chit-chat forum

  1. #1 hobbes747 (JPC Addict; joined Nov 2002; location: At the computer, duh!; 201 posts)

    phpBB exploit

    I'm just wondering, with the recent DoS problems and since I have 5 attack bots surfing my phpBB board, does everyone know that phpBB upgraded to 2.16 because of a recent highlight/DoS script going around?

    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=301711
    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011


    Have the boards been updated on the servers?

    Maybe it's a bad idea to have pre-installed software, since being able to install it might Darwin those that don't know to upgrade.

    Edit: Make that 30 attack bots.
    Last edited by hobbes747; 06-29-2005 at 05:16 PM.

  2. #2 Ron (Loyal Client; joined Aug 2002; 7,304 posts)
    Last time there was a "highlighting" vulnerability, in addition to phpBB being slow to respond, what they came up with did nothing to protect my bandwidth.

    I edited the search code to eliminate the use of highlighting in the links it returns.
    I also implemented an .htaccess protection. Each time the bot came to the page, even with phpBB's new code an entire page was returned, which was a TON of bandwidth.

    here's the .htaccess code I used:
    Code:
    RewriteEngine On
    # divert any request carrying a highlight= parameter, unless it is already the sorry page
    RewriteCond %{QUERY_STRING} ^(.*)highlight=([^&]+)
    RewriteCond %{REQUEST_URI} !^(.*)sorry(.*)$
    # an absolute URL here forces an external redirect (implied [R]); the query string is passed along
    RewriteRule .* http://forum.what.ever/sorry.html [L]
    Of course, this requires you to write a lightweight text file to return, name it "sorry.html" and stick it in your forum's root dir.

    I forget the exact numbers now, but at the time, given the ferocity of the attacks on my site (I've since asked for and had my forum removed from Google's index) I calculated that if it continued at the same pace, it would consume about 30GB a month in bandwidth. Something like that.

  3. #3 Ron (Loyal Client; joined Aug 2002; 7,304 posts)
    Just to be clear... this .htaccess code was solely to protect against loss of bandwidth; the phpBB forum should be and was quickly patched with the latest/greatest.

  4. #4
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by hobbes747
    ...does everyone know that phpBB upgraded to 2.16 because of a recent highlight/DoS script going around?
    Yep! I upgraded to 2.0.16 last night. This was an easy update...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  5. #5 Ron (Loyal Client; joined Aug 2002; 7,304 posts)
    I hate 2.0.15 -- I constantly used search by placing an asterisk in the author field, clicking on "1 day", "view as posts", and "all available".

    I used to be able to see all the posts for the day in reverse chronological order, just to ensure I didn't miss seeing anything that might be interesting/important.

    Why the heck did they do something like changing the allowable search parameters without making it an Admin option? *I* wasn't having a server load issue.

  6. #6 Vin DSL ("Yeah, I know a LOT!"; joined Mar 2003; location: Arizona Uplands; 10,775 posts)
    Quote Originally Posted by Ron
    I hate 2.0.15 -- I constantly used search by placing an asterisk in the author field, clicking on "1 day", "view as posts", and "all available"...
    Hrm..

    I've always used 3 asterisks and never had a problem...

  7. #7 Vin DSL ("Yeah, I know a LOT!"; joined Mar 2003; location: Arizona Uplands; 10,775 posts)
    Heh, doesn't work any more...

  8. #8 hobbes747 (JPC Addict; joined Nov 2002; location: At the computer, duh!; 201 posts)
    Quote Originally Posted by Ron
    I edited the search code to eliminate the use of highlighting in the links it returns.
    I also implemented an .htaccess protection. Each time the bot came to the page, even with phpBB's new code an entire page was returned, which was a TON of bandwidth.

    here's the .htaccess code I used:
    Code:
    RewriteCond %{QUERY_STRING} ^(.*)highlight=([^&]+)
    RewriteCond %{REQUEST_URI} !^(.*)sorry(.*)$
    RewriteRule .* http://forum.what.ever/sorry.html [L]
    Awesome!

    Quote Originally Posted by Ron
    I hate 2.0.15 -- I constantly used search by placing an asterisk in the author field, clicking on "1 day", "view as posts", and "all available".

    I used to be able to see all the posts for the day in reverse chronological order, just to ensure I didn't miss seeing anything that might be interesting/important.

    Why the heck did they do something like changing the allowable search parameters without making it an Admin option? *I* wasn't having a server load issue.
    In 3.0, which will be out er sometime, they're going to have active topics on the search page, which means you won't even have to work that hard to find the day's posts. It appears that the active topics will also appear at the top of each forum, but I haven't seen it yet.

    http://area51.phpbb.com/phpBB/search...=active_topics

    I just googled more about it and now I can't tell you if it is actually a phpBB exploit or AWStats. We turned AWStats completely off a while back, after that major exploit was released.

    The hits I'm getting look like this:

    Code:
    viewtopic.php?t=959&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(10
    I just added this to my htaccess:

    Code:
    #Check for AWStats exploits and redirect them to a phantom site
    RewriteEngine On
    # configdir= is the AWStats parameter; [NC] makes this one case-insensitive
    RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC,OR]
    # double-encoded single quote (%2527 -> %27 -> ') in phpBB's highlight parameter
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
    # "ech" percent-encoded (%65%63%68), and the plain form of the same thing
    RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
    RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
    RewriteCond %{QUERY_STRING} ^(.*)wget\%20
    # send the client to its own loopback address instead of serving a page
    RewriteRule ^.*$ http://127.0.0.1 [L]
    See, the highlight string is the same as the AWStats exploit.

    Also, apropos of nothing, Firefox hates this new board. Also, why is this board so quiet? It used to be hopping.
    Last edited by hobbes747; 06-30-2005 at 01:44 AM.
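The two .htaccess rule sets in this thread (Ron's highlight= diversion in post #2 and hobbes747's pattern list in post #8) re-expressed as an access-log triage script, as an added example. This is not code from the thread, from phpBB or from AWStats; it assumes Common Log Format lines, and the log lines, addresses, timestamps and the highlight payload below are constructed for the example. The function names (triage, decode_highlight, resolve_chr) are the example's own. The decode step shows what the %2527 in the posted hit is: one URL-decode gives %27, a second gives a literal single quote, and the chr() resolution shows what a chain of chr(n).chr(m) calls spells out.

```python
# Added example, not code from this thread or from phpBB/AWStats: the two .htaccess
# rule sets posted above re-expressed as an access-log triage script, so the same
# patterns can be run over a log after the fact instead of only at request time.
# The log lines, IPs, timestamps and the highlight payload are constructed.
import re
from urllib.parse import unquote, urlsplit

# Common Log Format; the sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# hobbes747's rules, applied to the raw (still percent-encoded) query string, which
# is what Apache's %{QUERY_STRING} sees.  Apache regexes are case-sensitive unless
# [NC] is given, so only configdir gets IGNORECASE here.
ATTACK_PATTERNS = {
    "awstats_configdir":      re.compile(r"configdir", re.IGNORECASE),
    "phpbb_highlight_dblenc": re.compile(r"highlight=%2527"),   # %2527 -> %27 -> '
    "awstats_rush_echo_enc":  re.compile(r"rush=%65%63%68"),    # "ech" percent-encoded
    "awstats_rush_echo":      re.compile(r"rush=echo"),
    "wget_download":          re.compile(r"wget%20"),
}
# Ron's rule is much broader: any highlight= parameter at all.  It also fires on
# phpBB's own search-result links, which is why he stripped highlighting from them.
HIGHLIGHT_ANY = re.compile(r"(^|&)highlight=[^&]+")

CHR_SEQ = re.compile(r"chr\((\d+)\)(?:\s*\.\s*chr\((\d+)\))*")


def raw_param(query: str, name: str):
    """Return the still-encoded value of `name` from a query string, or None."""
    for part in query.split("&"):
        if part.startswith(name + "="):
            return part[len(name) + 1:]
    return None


def resolve_chr(php_expr: str) -> str:
    """Replace PHP chr(n).chr(m)... concatenations with the literal string they build."""
    def join(m):
        codes = re.findall(r"chr\((\d+)\)", m.group(0))
        return "".join(chr(int(c)) for c in codes)
    return CHR_SEQ.sub(join, php_expr)


def decode_highlight(raw_value: str) -> str:
    """Undo the double percent-encoding seen in the thread's hits, then resolve chr()."""
    return resolve_chr(unquote(unquote(raw_value)))


def triage(line: str):
    """Classify one access-log line against both rule sets; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    query = target.query
    hits = [name for name, pat in ATTACK_PATTERNS.items() if pat.search(query)]
    if HIGHLIGHT_ANY.search(query):
        hits.append("highlight_param")
    raw = raw_param(query, "highlight")
    return {
        "ip": m.group("ip"),
        "path": target.path,
        "hits": hits,
        "decoded_highlight": decode_highlight(raw) if raw is not None else None,
    }


def triage_all(lines):
    return [r for r in (triage(l) for l in lines) if r is not None]


# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2005:17:10:02 -0400] "GET /forum/viewtopic.php?t=959'
    '&highlight=%2527%252Esystem(chr(105)%252Echr(100))%252E%2527 HTTP/1.0" 200 18342',
    '192.0.2.11 - - [29/Jun/2005:17:11:45 -0400] "GET /cgi-bin/awstats.pl'
    '?configdir=%7Cecho%3Bwget%20x%7C HTTP/1.0" 404 289',
    '198.51.100.7 - - [29/Jun/2005:17:12:03 -0400] "GET /forum/viewtopic.php'
    '?t=959&highlight=backup HTTP/1.1" 200 17990',
    '198.51.100.8 - - [29/Jun/2005:17:12:40 -0400] "GET /forum/index.php HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_LOG):
        print(r["ip"], r["path"], r["hits"], r["decoded_highlight"])
```

Running it over the constructed log flags the first line under both rule sets and the second under the AWStats patterns, while the third (a normal search-result link) is caught only by Ron's broad highlight= rule, which is the over-blocking his search.php edit was meant to avoid.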

  9. #9 Ron (Loyal Client; joined Aug 2002; 7,304 posts)
    Don't hold your breath for 2.2, er - I mean 3.0

    Just plan on runnin yer 2.0 until you move to another BBS. Modify the heck out of it, because it will all be incompatible with 3.0 or any other board anyway.

    3.0 is already more than 2 years late... don't bet the farm on it.

  10. #10 Ron (Loyal Client; joined Aug 2002; 7,304 posts)
    Because we missed you

  11. #11 Vin DSL ("Yeah, I know a LOT!"; joined Mar 2003; location: Arizona Uplands; 10,775 posts)
    Hrm... I was looking at the phpBB changelog...

    l.iii. Changes since 2.0.13
    Hardened author and keyword search a bit to not allow very server intensive searches
    I think I'll reverse this...

  12. #12 Ron (Loyal Client; joined Aug 2002; 7,304 posts)
    Good luck.... if you use the patch files it should be pretty easy to find, just looking in that. I gotta assume it's just in search.php the way they do things.... but I just don't have the time to do it and test it right now.

  13. #13 Vin DSL ("Yeah, I know a LOT!"; joined Mar 2003; location: Arizona Uplands; 10,775 posts)
    Quote Originally Posted by Ron
    Good luck.... if you use the patch files it should be pretty easy to find, just looking in that. I gotta assume it's just in search.php the way they do things.... but I just don't have the time to do it and test it right now.
    Piece of cake! Took me 2 minutes, tops...

    In search.php, I deleted:

    PHP Code:
    // blank an author search that is only wildcards, or only 1-2 characters once wildcards are stripped
    if (preg_match('#^[\*%]+$#', trim($search_author)) || preg_match('#^[^\*]{1,2}$#', str_replace(array('*', '%'), '', trim($search_author))))
    {
        $search_author = '';
    }
    PHP Code:
    // same test applied to each keyword of the split search string
    if (preg_match('#^[\*%]+$#', trim($split_search[$i])) || preg_match('#^[^\*]{1,2}$#', str_replace(array('*', '%'), '', trim($split_search[$i]))))
    {
        $split_search[$i] = '';
        continue;
    }
    PHP Code:
    if (preg_match('#^[\*%]+$#', trim($search_author)) || preg_match('#^[^\*]{1,2}$#', str_replace(array('*', '%'), '', trim($search_author))))
    {
        $search_author = '';
    }
    I won't bother giving you the line numbers, since I'm sure my files are somewhat different than yours.

    Anyway, took care of 'the problem'...
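The search.php check quoted in the post above, ported to Python as an added example so its effect on concrete author and keyword inputs can be seen. This is not phpBB's code; the PHP regexes are kept in the comments, and the function names are the example's own. It shows why a bare "*" is blanked and also why the three-asterisk trick from earlier in the thread stopped working: the first regex matches any run of "*" and "%", whatever its length.

```python
# Added example, not phpBB's code: the search.php check quoted above, ported to
# Python so its effect on concrete author/keyword inputs can be seen.  The PHP
# regexes are kept verbatim in the comments; function names are the example's own.
import re

ONLY_WILDCARDS = re.compile(r"[*%]+")      # PHP: preg_match('#^[\*%]+$#', trim($s))
TOO_SHORT = re.compile(r"[^*]{1,2}")       # PHP: preg_match('#^[^\*]{1,2}$#', ...)


def blanked_by_hardening(term: str) -> bool:
    """True when the 2.0.15+ check would blank this search term.

    First test: the trimmed term is nothing but '*' and '%' wildcards, so "*",
    "***" and "%" are all caught (which is why three asterisks stopped working).
    Second test: once wildcards are removed only one or two characters remain,
    e.g. "ab" or "a*".
    """
    t = term.strip()                                   # PHP trim()
    if ONLY_WILDCARDS.fullmatch(t):
        return True
    stripped = t.replace("*", "").replace("%", "")     # str_replace(array('*','%'), '', ...)
    return TOO_SHORT.fullmatch(stripped) is not None


def surviving_keywords(split_search):
    """Mirror the loop over $split_search: blanked terms are skipped (the `continue`)."""
    return [term for term in split_search if not blanked_by_hardening(term)]


if __name__ == "__main__":
    for sample in ["*", "***", "%", "ab", "a*", "ron*", "hobbes747", ""]:
        print(repr(sample), "blanked" if blanked_by_hardening(sample) else "kept")
    print(surviving_keywords(["phpbb", "*", "ab", "exploit"]))
```

Deleting the three blocks as described in the post restores the old behaviour for every one of these inputs; the trade-off is that an unrestricted "*" author search is back to being as expensive on the database as it was before 2.0.15.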

  14. #14 Vin DSL ("Yeah, I know a LOT!"; joined Mar 2003; location: Arizona Uplands; 10,775 posts)
    Heh! I just went through this 'search thing' again -- updating to 2.0.18 then 2.0.19 -- all at the same time...

    Gawd! 2.0.18 was a mess! 2.0.19 was a breeze, but the search feature has some issues now. Guess I'll have to delve into it...

    Aren't computers fun?

  15. #15 Gwaihir (the Windlord; joined Jun 2002; 2,562 posts)
    Not noticed anything myself after the upgrade. I never did make those limiting changes to the search "back then" though (I love "*, 1 day" way too much for that). Want a copy of my current search.php in your mail?
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
