1 Topic by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Topic: PHP Vulnerabilities

Anybody seen this:
http://developers.slashdot.org/develope … mp;tid=172

Seems to list a lot of bulletin board systems.

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • Frank H
  • Former PunBB Developer
  • Offline
  • Registered: 2003-03-16
  • Posts: 1,423

Re: PHP Vulnerabilities

It is necessary to understand that these strings can exploit a
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().

luckily I'm using explode/implode/substr for most of my cookie stuff wink

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: PHP Vulnerabilities

well PunBB uses unserialize() so it could be at risk...

FluxBB.
Connorhd.co.uk.

Connorhd's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PHP Vulnerabilities

Not a lot I can do about that other than urge people to upgrade their PHP environments. I do however believe that the unserialize thing is quite difficult to exploit. Especially since they didn't release a proof of concept (which is of course a good thing!).

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • Registered: 2004-12-17
  • Posts: 40

Re: PHP Vulnerabilities

oh ,come accross.

WELCOME TOhttp://bbs.dotfly.net/id.php?mmcbbs=w2004

lengfeng's Website

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: PHP Vulnerabilities

my host is updating today big_smile

FluxBB.
Connorhd.co.uk.

Connorhd's Website

7 Reply by Raybo

  • Raybo
  • Senior Member
  • Offline
  • Registered: 2004-04-25
  • Posts: 144

Re: PHP Vulnerabilities

Just a few quick words ...

I guess I should consider myself lucky.  My ISP seemed to think I was lazy, or just plain stoopid.

I went *years* without a single hack attempt on our server.  In the span of one month, we got hacked by the same $%^%$#@!! kiddie licker 4 times.  I wound up getting a good friend of mine to help me update our forums, due to problems I had of my own trying to update it.  Thanks to him, I should be ok now. :>)

In a word, I cannot *wait* to get away from phpbb.  When we update our website, it will be with a shiney new version of PunBB.

Kudos Rickard and Paul.

8 Reply by stewy

  • From: St. John's, Newfoundland
  • Registered: 2004-05-05
  • Posts: 42

Re: PHP Vulnerabilities

punbb = great

phpbb =  not so great

stewy's Website

9 Reply by Raybo

  • Raybo
  • Senior Member
  • Offline
  • Registered: 2004-04-25
  • Posts: 144

Re: PHP Vulnerabilities

punbb = great

phpbb = sux

10 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PHP Vulnerabilities

This from ISC:

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

11 Reply by Raybo

  • Raybo
  • Senior Member
  • Offline
  • Registered: 2004-04-25
  • Posts: 144

Re: PHP Vulnerabilities

phpbb who?  :>)

12 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PHP Vulnerabilities

If anyone is running Debian Sarge, PHP 4.3.10 was just released.

I can now breath a sigh of relief :)

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website