Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: Worm hitting PHPbb2 Forums
From: Chris Ess (securityfocuscae.tokimi.net)
Date: Tue Dec 21 2004 - 13:14:36 CST
> Funny enough, I got a message from a former employer about this worm
> yesterday- a box I had setup that had hardened php on it got hit hard by
> this worm. I must've misread the advisory as I was under the impression
> that the Hardened PHP patches protected PHP through canary values from
> this bug? Or does it use more than just unserialize() (i.e. realpath() )
This worm appears to have nothing to do with the bugs fixed in versions
4.3.10 and 5.0.3 of PHP.
The bug occurs in this line in viewtopic.php in phpBB2:
(Formatting changed to make it look pretty. It's line 1109 in phpBB2
$message = str_replace('\"', '"',
"preg_replace('#\b(" . $highlight_match . ")\b#i',
. $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
$message . '<'), 1, -1));
The 'e' flag on the regex pattern tells it to interpret the statement as
valid PHP code and run it. (Reference is:
The bug that is exploited works in such a way that it actually runs the
command that is passed through the highlight GET variable. I'm not 100%
sure how this works since I haven't had the chance to correlate the
strings recorded in apache's access log with the above code.
System Administrator / CDTT (Certified Duct Tape Technician)