Is this why kiteforum got hacked? [Fwd: [Bulk] US-CERT Technical Cyber Security Alert TA04-356A -- Exploitation of phpBB highlight parameter vulnerability]

  • Hung Vu
    Message 1 of 1 , Dec 21, 2004
      Toby and Tobin,

      It's probably best to upgrade to phpBB version 2.0.11 to prevent further
      exploitation.

      Hung.

      -------- Original Message --------
      Subject: [Bulk] US-CERT Technical Cyber Security Alert TA04-356A --
      Exploitation of phpBB highlight parameter vulnerability
      Date: Tue, 21 Dec 2004 18:57:31 -0500
      From: CERT Advisory <cert-advisory@...>
      Organization: CERT(R) Coordination Center - +1 412-268-7090
      To: cert-advisory@...



      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Technical Cyber Security Alert TA04-356A
      Exploitation of phpBB highlight parameter vulnerability

      Original release date: December 21, 2004
      Last revised: --
      Source: US-CERT

      Systems Affected

      phpBB versions 2.0.10 and prior

      Overview

      The software phpBB contains an input validation problem in how it
      processes a parameter contained in URLs. An intruder can deface a
      phpBB website, execute arbitrary commands, or gain administrative
      privileges on a compromised bulletin board.

      I. Description

      phpBB is an open-source bulletin board application. It fails to
      properly perform an urldecode() on the "highlight" parameter supplied
      to viewtopic.php. This may allow a remote attacker to execute
      arbitrary commands on a vulnerable server.

      According to reports, this vulnerability is being actively exploited
      by the Santy.A worm. The worm appears to propagate by searching for
      the keyword "viewtopic.php" in order to find vulnerable sites.

      The worm writes itself to a file named "m1ho2of" on the compromised
      system. It then overwrites files ending with .htm, .php, .asp, .shtm,
      .jsp, and .phtm replacing them with HTML content that defaces the web
      page. The worm then tries to use PERL to execute itself on the
      compromised system and propagate further.

      US-CERT is tracking this issue as:

      VU#497400 - phpBB viewtopic.php fails to properly sanitize input
      passed to the "highlight" parameter

      II. Impact

      A remote attacker may be able to deface a phpBB website and execute
      arbitrary commands on a compromised bulletin board.

      III. Solution

      Upgrade phpBB

      Upgrade to phpBB version 2.0.11 to prevent exploitation.

      Appendix A. References

      * US-CERT Vulnerability Note VU#497400 -
      <http://www.kb.cert.org/vuls/id/497400>
      * phpBB Downloads - <http://www.phpbb.com/downloads.php>
      * phpBB Announcement -
      <http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636>
      * Symantec Security Response - Perl.Santy -
      <http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html>
      * McAfee - Computer Virus Software and Internet Security -
      <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=130471>
      _________________________________________________________________

      This vulnerability was reported by the phpBB Development Team.
      _________________________________________________________________

      Feedback can be directed to the authors: Jeffrey Gennari and
      Jason Rafail
      _________________________________________________________________

      This document is available from:

      <http://www.us-cert.gov/cas/techalerts/TA04-356A.html>

      _________________________________________________________________

      Copyright 2004 Carnegie Mellon University.

      Terms of use: <http://www.us-cert.gov/legal.html>
      _________________________________________________________________

      Revision History

      Dec 21, 2004: Initial release

      Last updated December 21, 2004
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.2.1 (GNU/Linux)

      -----END PGP SIGNATURE-----
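
A defender-side triage check built from the details in the forwarded alert, added here as an example; it is not part of the original message or of US-CERT's advisory. It flags viewtopic.php requests whose "highlight" value would still change under a second URL-decode, and looks for the "m1ho2of" file under a web root. The double-decode heuristic, the Apache common log format, the sample log lines and all function names are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote, urlsplit

WORM_FILE = "m1ho2of"  # file name the advisory says the worm writes
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Dec/2004:10:00:01 -0500] "GET /phpBB2/viewtopic.php?t=12&highlight=kite HTTP/1.1" 200 5120',
    '192.0.2.77 - - [21/Dec/2004:10:00:05 -0500] "GET /phpBB2/viewtopic.php?t=12&highlight=%252Etest HTTP/1.0" 200 5120',
    '192.0.2.10 - - [21/Dec/2004:10:00:09 -0500] "GET /phpBB2/index.php?highlight=%252E HTTP/1.1" 200 900',
]

def suspicious_highlight(log_line):
    """Return the raw highlight value of a viewtopic.php request if a second
    URL-decode would still change it (assumed heuristic), else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/viewtopic.php"):
        return None
    for pair in url.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key) != "highlight":
            continue
        once = unquote(raw)          # value after the normal single decode
        if unquote(once) != once:    # still encoded: would decode again downstream
            return raw
    return None

def scan_log(lines):
    """Return (line_number, raw_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        raw = suspicious_highlight(line)
        if raw is not None:
            hits.append((number, raw))
    return hits

def find_worm_files(web_root):
    """Return paths under web_root named exactly like the worm's drop file."""
    return sorted(os.path.join(d, WORM_FILE)
                  for d, _, files in os.walk(web_root) if WORM_FILE in files)

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A hit is a lead for review rather than proof of compromise, since a legitimate search term can also contain a percent-encoded percent sign followed by hex digits.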



