Found security exploit in port phpBB 2.0.8 FreeBSD 4.10

Brett Glass brett at lariat.org
Mon Dec 27 18:31:24 PST 2004


The "PHPInclude" worm seeks out sites which are running PHP and tries to
break into them by injecting unexpected data into variables. If those
variables are fed without proper input checking to the include(),
require(), or urldecode() functions within the script, or (worse) treated 
as UNIX commands, it is possible to retrieve the contents of sensitive 
files and/or execute arbitrary commands on the server. The same old
lesson that seasoned programmers learn just before they get kicked
upstairs into management, and the new young ones don't know yet: Never
trust potentially hostile input. And always use "tainting" or a similar
mechanism if it's available. (What? Don't know about "tainting?" You must
be a C programmer.) ;-)

Also see:

http://www.pcworld.com/news/article/0,aid,119051,00.asp

Interestingly, the worm is written in Perl, not PHP. I know for a fact that
Santy.A, the version that attacked phpBB exclusively, was written in Perl, 
because I've captured the source in a honeypot. If it's not exactly the same 
code as that displayed at 

http://www.k-otik.com/exploits/20041222.sanityworm.pl.php

what I caught is darned similar. The more generalized script is at

http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

--Brett

At 06:28 PM 12/27/2004, Jerry Bell wrote:
>The update for phpbb came out a while ago, and it looks like the ports
>were updated on 11/25/2004.  Have you tried updating the ports?  I think
>this is already addressed.
>
>On a side note, I'm surprised you didn't get hit by the worm (unless it
>happened before the worm came out).  There is a new worm out now that
>attacks some weak php programming, though it's not very widespread.  See
>http://www.syslog.org/Article10.phtml for a little more detail.
>
>I don't know if it's a worm or not, but I'm seeing people trying to attack
>my site pretty frequently lately.
>
>Best regards & happy holidays,
>
>Jerry
>http://www.syslog.org
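The include() pattern Brett describes above, as an added example that is not part of the original thread: the unchecked include beside an allowlist-based version. The pages/ directory, the PAGES map and the request array are assumptions for illustration.

```php
<?php
// Added example (not from the mailing-list thread): the include-injection
// weakness described in the post, with a vulnerable form beside a hardened one.

// VULNERABLE: a request parameter goes straight to include(). Because PHP
// resolves both local paths and (with allow_url_fopen on) remote URLs here,
// hostile input can disclose local files or pull in and execute foreign code.
function render_page_vulnerable(array $get): void
{
    include($get['page']);
}

// HARDENED: untrusted input only selects a key in a fixed allowlist; the
// raw value itself never reaches a filesystem or URL-aware function.
// (Assumed layout: a pages/ directory beside this script.)
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'faq'   => __DIR__ . '/pages/faq.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(string $requested): ?string
{
    // Anything that is not an exact known key (paths, URLs, stream
    // wrappers, NUL bytes) falls through to null and is never included.
    return PAGES[$requested] ?? null;
}

function render_page_hardened(array $get): void
{
    $target = resolve_page($get['page'] ?? 'home');
    if ($target === null) {
        // Log the rejected value so probes of this kind are visible in IR.
        error_log('blocked include attempt: ' . rawurlencode($get['page'] ?? ''));
        http_response_code(404);
        return;
    }
    include $target;
}

// Constructed requests checking the allowlist behaviour.
assert(resolve_page('faq') === PAGES['faq']);
assert(resolve_page('../../etc/passwd') === null);
assert(resolve_page('http://example.invalid/x.txt') === null);
```

As defence in depth, disable remote file access in php.ini (allow_url_fopen = Off, and on PHP 5.2 or later allow_url_include = Off) so that even an unfixed include() cannot fetch code over the network.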
