more phpbb patches
- JensJohansson
- Administrator
- Posts:1490
- Joined:Thu Feb 28, 2002 10:45 pm
- Contact:
More holes, I patched the ones pertaining to 2.0.11 and 2.0.12. If I read it right, the most serious exploit was unauthorized Administrator access. I doubt anyone got in but if I have time I might grep the logs later tonight just in case. If that was the case I will update.
Root hack, SQL injection, error messages, "premature end of script headers", locusts, nuclear war, Britney Spears videos or any other anomaly => email me, because I never really look to check PM's or any other web based poop.
You think someone is being annoying or mean => have a cup of mint tea and send me a PM ;)
BTW a while back I gave mod rights to a few friends (nobody you'd know) and they have been instructed to delete any really offensive messages (eg Nazi, animal porn, flames, whatever they feel like deleting really)
Jens.
================================
"Koskenkorva is very good."
-Ronald Reagan
================================
-
- Sr. Member
- Posts:396
- Joined:Sun Oct 24, 2004 7:26 am
Re: more phpbb patches
Cursed day when PHP was released!
- JensJohansson
- Administrator
- Posts:1490
- Joined:Thu Feb 28, 2002 10:45 pm
- Contact:
Re: more phpbb patches
fifthtea_sausage wrote: Cursed day when PHP was released!

Yeah. Well nice idea, but it's so severely overextended from the original aims. This time -- well there is no 'eq' operator, just '==' for every data type, oh what a free-spirited idea! Less strongly typed than a BASIC interpreter from 1980.

"Taint checking? Who needs it, that's for adults! Declare variables? Or even explicitly specify which POST variables to use from the environment? Boooring, who needs the typing! PHP is vibrant and really 37337, just use uninitialized variables as you go, nobody will ever think of inserting their own values before the script is run....."

And did I mention: no fucking debugger?
And again: no nifty taint checking with 'perl -T' ??

Blech..
BTW and OTOH I scrutinized the logs, and according to them nobody managed to get in this time either
Jens.
================================
"Koskenkorva is very good."
-Ronald Reagan
================================
- :)
- Member
- Posts:181
- Joined:Sat Feb 19, 2005 9:21 am
- Location:Third star to the right and straight on 'til morning.
Re: more phpbb patches
....... uh huh....
Re: more phpbb patches
I would be happy if you just installed the Norwegian language pack...he he...
The silence which fills our hearts...
The Black Silence...
- browneyedgirl
- Sr. Member
- Posts:27239
- Joined:Thu Aug 29, 2002 6:00 pm
- Location:Starfall
- Contact:
Re: more phpbb patches
At times like this I am so glad I have a primitive WebTV. Seriously.
I better explain----it keeps me on the straight&narrow. If any mischief is even attempted, it is traced sooooo easily---so, why bother?
"Your life is yours, and yours alone. Rise up and live it!"
Bob: I don't believe in God.
Archangel Michael: That's OK, Bob, because He doesn't believe in you, either!~Legion~
- iron_thunder
- Sr. Member
- Posts:1985
- Joined:Thu Dec 12, 2002 4:08 am
- Location:Toronto, Canada!
- Contact:
Re: more phpbb patches
Jens, I've suddenly realized that I'm not fluent in English.
Sigh...

_______________________________
In the Hour of Thunder,
Clare B.
www.sacredembrace.com
www.myspace.com/sacred_embrace_webzine
SIGN UP FOR THE SACRED EMBRACE NEWSLETTER, DAMNIT!!
_______________________________
Re: more phpbb patches
iron_thunder wrote: Jens, I've suddenly realized that I'm not fluent in English.

well, the problem is not about being fluent at english but about "talking nerd 2.0" as our dear smiley-faced girl says in another topic.
Resistance is futile. You will be assimilated ~desu
- :)
- Member
- Posts:181
- Joined:Sat Feb 19, 2005 9:21 am
- Location:Third star to the right and straight on 'til morning.
Re: more phpbb patches
iron_thunder wrote: Jens, I've suddenly realized that I'm not fluent in English.
Sigh...

Hey! No worries!! I'm AMERICAN and Jens speaks better english than me! He's just a big nerd with lots of vocabulary!


Re: more phpbb patches
iron_thunder wrote: Jens, I've suddenly realized that I'm not fluent in English.
Sigh...
:) wrote: Hey! No worries!! I'm AMERICAN and Jens speaks better english than me! He's just a big nerd with lots of vocabulary!

Absolutely right, so when you're also a nerd, even if you're not fluent in english, you understand very well.
Resistance is futile. You will be assimilated ~desu
- Beast_Pete
- Sr. Member
- Posts:6489
- Joined:Sun Mar 02, 2003 8:34 pm
- Location:Budapest, Hungary
- Contact:
Re: more phpbb patches
JensJohansson wrote: Root hack, SQL injection, error messages, "premature end of script headers", locusts, nuclear war, Britney Spears videos or any other anomaly => email me, because I never really look to check PM's or any other web based poop.

(1443+13)
Hmm, if I knew your e-mail address, I would send you an interesting stuff, that I don't want to publish (BTW, others might have seen it too, but I don't think, it would be a good idea to show it in this topic...).
Re: more phpbb patches
JensJohansson wrote: Root hack, SQL injection, error messages, "premature end of script headers", locusts, nuclear war, Britney Spears videos or any other anomaly => email me, because I never really look to check PM's or any other web based poop.
Beast_Pete wrote: (1443+13)
Hmm, if I knew your e-mail address, I would send you an interesting stuff, that I don't want to publish (BTW, others might have seen it too, but I don't think, it would be a good idea to show it in this topic...).

webmaster at jens dot org
Resistance is futile. You will be assimilated ~desu
- :)
- Member
- Posts:181
- Joined:Sat Feb 19, 2005 9:21 am
- Location:Third star to the right and straight on 'til morning.
Re: more phpbb patches
jens@panix.com
I think he uses this one.
Not really sure though. It's the one he's had posted publicly the longest. Then again, what the fuck do I know? Maybe the only way to communicate with him is telepathically....
Re: more phpbb patches
Excuse me, but if I say phpbb to you is one of the predesigned forums simpler to handle, you I say it because I also work it although at the moment I am being myself blocked by the servant hosting (to buy one new buaa!!!) in order to be able to raise the programs, if I say to wiz Web forums to you if it is difficult to handle it (at least in my humble opinion). If it is it concerned to the language because it would be called on to you to watch in the page that you lowered the programs of phpbb (if I am not mistaken in the official) because there are many pages that have programs of phpbb.
(that I think)

Official hobbit of the Stratovarius forum...Relax guys, I don't find a ring...



Re: more phpbb patches
fifthtea_sausage wrote: Cursed day when PHP was released!
Paola wrote: Excuse me, but if I say phpbb to you is one of the predesigned forums simpler to handle, you I say it because I also work it although and the moment I am being myself blocked by the servant hosting (to buy one new buaa) in order to be able to raise the programs, if I say to wiz Web forums to you if it is difficult to handle it (at least in my humble opinion). If it is it concerned to the language because it would be called on to you to watch in the pagina that you lowered the programs of phpbb (if I am not mistaken in the official) because there are many paginas that have programs of phpbb.
(that I think)

I think he's not bashin phpBB but the whole PHP language which is indeed a bit anarchic.
I like your avatar btw, Rei rules

Resistance is futile. You will be assimilated ~desu
Re: more phpbb patches
ooohh! I already see the point that they mean, because if phpbb puts so many problems to them because it watches http://www.webwizforums.com/
Ahh! and it seems to me well that you like my to avatar, thanks

Official hobbit of the Stratovarius forum...Relax guys, I don't find a ring...



- JensJohansson
- Administrator
- Posts:1490
- Joined:Thu Feb 28, 2002 10:45 pm
- Contact:
Re: more phpbb patches
Paola wrote: ooohh! I already see the point that they mean, because if phpbb puts so many problems to them because it watches http://www.webwizforums.com/
Ahh! and it seems to me well that you like my to avatar, thanks

Well phpbb seems to have a new exploit every week.. but that webwiz thing... dear god... that's ASP! if I had to deal with that I would probably just have to kill myself

I am at this moment getting ready to move heptagon.se from IIS to a Linux/Apache machine in fact.. maybe even today. Whenever it will be it won't be a minute too soon!!!!! IIS!! Bleeechccccchh!! Puke!
Jens.
================================
"Koskenkorva is very good."
-Ronald Reagan
================================
Re: more phpbb patches
While you're at it, update your site 

"Beneath the freezing sky arrives Winter's Verge..."
http://www.wintersverge.com
I'm going to hell, and loving the ride!
-
- Sr. Member
- Posts:396
- Joined:Sun Oct 24, 2004 7:26 am
Re: more phpbb patches
So Jens, in PHP you put "quote" marks around the int's?
Because in C#, you would do:
string jens = "Hello I'm Jens";
int jens = 22;
The quote marks define the data type.
Re: more phpbb patches
On a related note, someone obviously forgot to patch the Metallica forum. 
www.roadrunnerrecords.com/blabbermouth. ... emID=33632

You know where you are? You're in the jungle, baby. You're gonna DIE!
Re: more phpbb patches
Moony wrote: On a related note, someone obviously forgot to patch the Metallica forum.

Ohhh! yeah! man you are all the right
Official hobbit of the Stratovarius forum...Relax guys, I don't find a ring...



Re: more phpbb patches
fifthtea_sausage wrote: So Jens, in PHP you put "quote" marks around the int's?
Because in C#, you would do:
string jens = "Hello I'm Jens";
int jens = 22;
The quote marks define the data type.

No you don't. You don't do it in any normal programming language.
The point is, that you don't really have data types in php. You can type
string jens = "Hello I'm Jens";
and then:
jens = 22;
and there will be no compiler error (well, there actually is no compiler, but interpreter).
However you can force a variable to hold an eg int value,
$intValue = intval($stringValue);
So whenever $stringValue = "shit"; or anything that is not a decimal value the function will return 0. As far as I see now this should solve most of the problems, yet I'm not sure I may have read somewhere it's not enough.
Not doing this can simply make it possible to modify your sql queries (when eg "WHERE user=1" is changed to "WHERE user=1 OR 1=1")
The problem in phpBB is probably a lack of a good data validation system. So the user can submit a specially formed data in POST or GET to omit the boundaries. But honestly, I didn't read much about the nature of the recent bugs and exploits in phpBB.
PHP is so easy to learn and use, that many people (eg this happened to me), start writing sites, just knowing the basics of php programming and no knowledge of application development and security issues.
It was a match made in Hell, now the whole mountain burns...
... and everyman gets what no man deserves.
~ www.sentenced.prv.pl ~
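The intval() coercion and the "WHERE user=1 OR 1=1" case from the post above, as an added example that is not part of the thread and not phpBB code. It goes one step further than the post by also showing integer validation with a bound parameter; the in-memory SQLite table, the function names and the three inputs are assumptions constructed for illustration.

```php
<?php
// Added example: table, rows and inputs are constructed; none of this is phpBB code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// 'Before': the request value is pasted into the SQL text unchanged.
function lookup_concat(PDO $db, string $raw): array {
    return $db->query("SELECT name FROM users WHERE user=$raw")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// intval() as in the post: whatever arrives, the query only ever sees an integer.
// intval() keeps leading digits, so "1 OR 1=1" becomes 1 rather than 0.
function lookup_intval(PDO $db, string $raw): array {
    $id = intval($raw);
    return $db->query("SELECT name FROM users WHERE user=$id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Validate, then bind: reject input that is not a whole integer and keep
// the value out of the SQL text altogether.
function lookup_bound(PDO $db, string $raw): array {
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                       // caller should answer "bad request"
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE user = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach (['2', '1 OR 1=1', 'abc'] as $raw) {
    foreach (['lookup_concat', 'lookup_intval', 'lookup_bound'] as $fn) {
        try {
            $out = json_encode($fn($db, $raw));
        } catch (PDOException $e) {
            $out = 'SQL error';          // 'abc' is parsed as a column name
        }
        printf("%-10s %-14s %s\n", $raw, $fn, $out);
    }
}
```

Only the concatenating lookup returns every row for the second input; the intval() lookup silently treats it as user 1, while the validating lookup refuses it.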
- JensJohansson
- Administrator
- Posts:1490
- Joined:Thu Feb 28, 2002 10:45 pm
- Contact:
Re: more phpbb patches
Moony wrote: On a related note, someone obviously forgot to patch the Metallica forum.

http://www.blabbermouth.net/metallica_hacked.jpg
Yup, that would be about what you could do if you were escalated to what phpBB calls "Administrator level". Also you could download and read everyone's PM's, and get at their password hashes. And of course, just erase a bunch of stuff if you wanted.
It seems I patched this POS just in time..

But as a matter of fact, it seems phpBB has some of the most destructive stuff in its own directory (admin/). I just now added .htaccess/.htpasswd protection for that directory as well, it certainly can't hurt. Trusting phpBB not to escalate someone's privileges "because they'd like them" seems a bit foolish.
Jens.
================================
"Koskenkorva is very good."
-Ronald Reagan
================================
- NordicStorm
- Sr. Member
- Posts:2174
- Joined:Fri Mar 01, 2002 11:46 pm
- Location:Finland
Re: more phpbb patches
Taim wrote: The point is, that you don't really have data types in php.

Well, there are data types, it's just that PHP is dynamically typed. Which means writing
$jens = 22;
$jens = "Hey";
is perfectly legal. Because PHP is weakly typed, the parser also considers $jens = "Hey"/22; to be perfectly valid, if nonsensical...
Give me liberty, or give me cake!
- JensJohansson
- Administrator
- Posts:1490
- Joined:Thu Feb 28, 2002 10:45 pm
- Contact:
Re: more phpbb patches
Taim wrote: The point is, that you don't really have data types in php.
NordicStorm wrote: Well, there are data types, it's just that PHP is dynamically typed. Which means writing
$jens = 22;
$jens = "Hey";
is perfectly legal. Because PHP is weakly typed, the parser also considers $jens = "Hey"/22; to be perfectly valid, if nonsensical...

This is true with Perl as well. But what they did think about very early in Perl was that the comparison operators can cause confusion. Eg, even if
"22" == 22 is 'true'
this type of flawed thinking is discouraged because the 'eq' operator has always been there since time immemorial, but besides -- who ever uses it when it's so easy to type =~ /22/ :) matter of fact that's one more reason I hate php. having to write preg_match("/bla bla/" shit blä kuk
Jens.
================================
"Koskenkorva is very good."
-Ronald Reagan
================================
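The '==' behaviour discussed in the posts above, as an added example that is not part of the thread: a loose comparison next to a type-checked, constant-time one, applied to a stored-versus-supplied token check. The function names and all sample values are constructed for illustration.

```php
<?php
// Added example; all values below are constructed for illustration.

// Loose check: '==' converts numeric-looking strings to numbers before comparing.
function token_matches_loose($stored, $supplied): bool {
    return $stored == $supplied;
}

// Strict check: both sides must be strings with identical bytes.
// hash_equals() also compares in constant time, which suits secrets.
function token_matches_strict($stored, $supplied): bool {
    return is_string($stored) && is_string($supplied)
        && hash_equals($stored, $supplied);
}

$pairs = [
    ['22',      22],          // the case from the thread: string vs integer
    ['22',      '22.0'],      // two different strings, same number
    ['10',      '1e1'],       // scientific notation is numeric too
    ['0e12345', '0e99999'],   // both read as zero times a power of ten
    ['22',      '22'],        // the only pair that is really identical
];

foreach ($pairs as [$stored, $supplied]) {
    printf("%-10s vs %-10s loose=%-5s strict=%s\n",
        var_export($stored, true),
        var_export($supplied, true),
        var_export(token_matches_loose($stored, $supplied), true),
        var_export(token_matches_strict($stored, $supplied), true));
}
```

Every pair passes the loose check; only the last passes the strict one, which is the role 'eq' plays in Perl.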
Re: more phpbb patches
I'm not a php hater (at least not yet), but what makes me mad about it is completely no coherency in terms of function naming.
One time you have
strpos() and then you str_replace
and similar.
It was a match made in Hell, now the whole mountain burns...
... and everyman gets what no man deserves.
~ www.sentenced.prv.pl ~