Red Squirrel
[H]F Junkie
Joined: Nov 29, 2009
Messages: 9,211
I was going through my server logs and saw some pretty scary stuff: one of my forums running phpbb2 has some SERIOUS flaws. A specially crafted URL was able to pull up all the information from the database on a specified user (in my case the admin account). I don't know exactly how it's even coded in such a way that it allows this, but basically it produces a print_r export of the specified user's database row.
I am looking at remaking all my forums into one single forum and I was looking into phpbb3, but I'm starting to wonder if I should perhaps look in other directions. It seems there's not that many choices these days in terms of free forum systems. There's phpbb, SMF (not a huge fan, I HATE their PM layout for one) and there's YABB. Anything else I may be missing?
Since I'll be modding this I can't be constantly updating it so I need something that is already secure out of the box.
Also, can someone explain to me how this exploit even works? Here is a sample URL; I changed some info because this is actually an exploit digging right into my database:
Code:
http://www.domain.com/forum/profile.php?mode=register&agreed=true+[PLM=0][R]+GET+http://www.domain.com/forum/profile.php?mode=register&agreed=true+[0,22775,73872]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24840,72900]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24786,73546]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24790,73924]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24787,71358]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24792,68993]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24810,71620]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24780,72478]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24780,73294]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24794,70450]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24788,72995]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24798,74102]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24770,74439]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,25043,72787]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24778,73611]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24784,74963]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24819,71517]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24783,73370]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24788,73592]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24794,72943]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,25024,72774]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24798,73530]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24791,69749]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24803,73392]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,0,27325]+-%3E+[N]+GET+http://www.domain.com/forum/viewtopic.php?t=6478+[12329,0,42900]
Somehow that URL, pointed towards a phpbb forum, will print out all the info for the admin account. I'm not sure where in the URL they specified the userID, but I see a lot of numbers and stuff, so I'm guessing it has to do with that.
What exactly is all the square bracket stuff going on, and the plus signs? I've never seen a URL like this before, nor do I know how PHP would interpret it or what it does with it.
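The part of the question about how PHP reads the plus signs and square brackets can be shown directly with PHP's own query-string parser. This is an added example, not code from the original post or from phpBB; the URL in it is a constructed, shortened stand-in for the posted one (same shape: `mode=`, two `agreed=` parameters, `+`, `%3E`, square brackets), with the long runs of numbers trimmed.

```php
<?php
// Added example (not from the post or from phpBB). Shows what PHP makes of a query
// string shaped like the one posted above. $url is a constructed, shortened stand-in.
$url = 'http://www.domain.com/forum/profile.php?mode=register'
     . '&agreed=true+[PLM=0][R]+GET+http://www.domain.com/forum/profile.php?mode=register'
     . '&agreed=true+[0,22775,73872]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php'
     . '+[0,0,27325]+-%3E+[N]+GET+http://www.domain.com/forum/viewtopic.php?t=6478+[12329,0,42900]';

// The web server treats everything after the FIRST '?' as the query string
// (that is what lands in $_SERVER['QUERY_STRING']); later '?' are ordinary characters.
function queryStringOf(string $url): string
{
    return substr($url, strpos($url, '?') + 1);
}

// parse_str() applies the same rules PHP uses when it builds $_GET:
//  - pairs are split on '&', each pair on its FIRST '=' (a later '=' stays in the value)
//  - '+' decodes to a space, '%3E' decodes to '>'
//  - '[' and ']' only mean "array" when they appear in the KEY; in a value they are plain text
//  - a repeated key keeps the last value
function queryToParams(string $url): array
{
    parse_str(queryStringOf($url), $params);
    return $params;
}

print_r(queryToParams($url));
// Output:
// Array
// (
//     [mode] => register
//     [agreed] => true [0,22775,73872] -> [R] POST http://www.domain.com/forum/profile.php [0,0,27325] -> [N] GET http://www.domain.com/forum/viewtopic.php?t=6478 [12329,0,42900]
// )
// Note that the first agreed=... (the one containing [PLM=0][R]) is gone: the second
// '&agreed=' overwrote it, and nothing in the string ever became a separate parameter.

// For contrast, brackets in the KEY do build arrays (this is the syntax PHP forms use):
parse_str('user[id]=2&user[name]=admin&tags[]=a&tags[]=b&v=[0,1]', $demo);
print_r($demo);
// Array
// (
//     [user] => Array ( [id] => 2 [name] => admin )
//     [tags] => Array ( [0] => a [1] => b )
//     [v] => [0,1]      <- brackets inside a value stay literal
// )

// And the two decoders differ only on '+': urldecode() is what the query string gets,
// rawurldecode() is what path segments get.
var_dump(urldecode('a+b%3Ec'));     // string(4) "a b>c"
var_dump(rawurldecode('a+b%3Ec'));  // string(4) "a+b>c"
```

Run it with `php example.php`. To see exactly what a given phpBB page received, the same `parse_str()` call can be pointed at the raw `QUERY_STRING` field copied out of the access log, since that is the string PHP itself parsed.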