phpBB-TweakS
 
Mon Feb 06, 2006 10:35 pm
Schattenjaeger
New TweakeR

Post subject: phpBB Security Bug-since Aug 2005 unpatched-now with exploit

Look at http://phpbb-tweaks.com/topics.html-t-8074

great work.. this bug is still unpatched, in phpBB Security 1.0.3 you will find:
Code:

   function phpBBSecurity_IP()
   {
      // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR come from request headers sent by the client
      if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown'))
         return getenv('HTTP_CLIENT_IP');
      elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown'))
         return getenv('HTTP_X_FORWARDED_FOR');
      // REMOTE_ADDR is the address of the TCP peer, set by the web server
      elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown'))
         return getenv('REMOTE_ADDR');
      elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown'))
         return $_SERVER['REMOTE_ADDR'];
      else
         return 'unknown';
   }


This silly piece of code is from http://de2.php.net/manual/de/function.getenv.php#35496 and is totally useless and vulnerable in an internet environment. You don't know much about the HTTP-protocol, do you? You trust a HTTP-Header but you don't know that EVERY USER can set this header? That's dangerous.

I'm able to attack a site without getting banned, and if I know members'/admins' IP addresses I'm able to ban all the members/admins. This is a great "feature"!

Try it (on Linux/Unix-Systems):
Content Removed.

Of course you can replace 127.0.0.1 with any IP address but don't use your current IP address ;)

You want to fix it? Yeah... replace the whole function with this secure piece of code:
Code:

   function phpBBSecurity_IP()
   {
      return $_SERVER['REMOTE_ADDR'];
   }


Have a nice day

BTW: What should the "return 'unknown';" do in this code? .. hey, an HTTP connection is a TCP/IP connection and is connection-oriented! You ALWAYS have a real IP address.. otherwise the whole internet wouldn't work

PS: I know, you want to protect the connections over a proxy but keep in mind that this isn't possible and this is not your problem!
Post #1
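
The distinction drawn in post #1, as an added example that is not part of the original thread and not phpBB Security code: a forwarding header is honoured only when the TCP peer is a reverse proxy the site operates itself, and the chain is read from the right so that client-supplied entries are never used for bans or logs. The function name `resolve_client_ip`, the `$trustedProxies` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example. $trustedProxies and the request arrays are constructed samples.

// Resolve the address to ban or log. Forwarding headers are honoured only
// when the TCP peer (REMOTE_ADDR) is a reverse proxy we operate ourselves.
function resolve_client_ip(array $server, array $trustedProxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address: refuse rather than guess
    }
    if (!in_array($peer, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct client: any header it sent is ignored
    }
    // Each proxy appends the peer it saw, so walk right to left and stop at
    // the first hop that is not one of our proxies. Entries further left
    // were supplied by the client and are never trusted.
    $chain = explode(',', $server['HTTP_X_FORWARDED_FOR']);
    foreach (array_reverse(array_map('trim', $chain)) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the TCP peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // chain held only our own proxies
}

$trustedProxies = array('10.0.0.5'); // constructed: our reverse proxy

$requests = array(
    'direct client, forged header' => array(
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1'),
    'via our proxy' => array(
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.9'),
    'via our proxy, forged prefix' => array(
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9'),
);

foreach ($requests as $label => $server) {
    echo str_pad($label, 32), resolve_client_ip($server, $trustedProxies), "\n";
}
```

With an empty `$trustedProxies` list this reduces to returning `REMOTE_ADDR`, which is the replacement function given in the post.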

Tue Feb 07, 2006 1:24 am
volf
100 Club

If this is indeed true then why post it in public instead of just pming austin?
Post #2

Tue Feb 07, 2006 7:59 am
aUsTiN
Webmaster

I really don't see a security risk in there, all I see is a way for people to not get banned, which would be annoying. I do remember that old post, just forgot about it, I am rather busy & do forget things.

"....You don't know much about the HTTP-protocol, do you? You trust a HTTP-Header but you don't know that EVERY USER can set this header? ...."

So I get busy, forget things, & all of a sudden I'm an idiot. LoL, well, here it is simply put, don't use it. It doesn't bother me either way. It's gonna catch the exploit regardless of a fake IP or not. It just won't ban the right IP.
Post #3

Tue Feb 07, 2006 8:13 am
aUsTiN
Webmaster

volf wrote:
If this is indeed true then why post it in public instead of just pming austin?


I won't give my opinion on why people feel the need to do that. Nonetheless, I removed the content of the post that matters & posted a patch to remove the HTTP section of the function.
Post #4

Wed Feb 08, 2006 5:06 pm
Cool sippenhaft Cool
Site Supporter

Quote:
posted a patch to remove the HTTP section of the function.


Where did you post a patch? Sorry, just can't find it.
Post #5

Wed Feb 08, 2006 5:06 pm
Cool sippenhaft Cool
Site Supporter

Quote:
posted a patch to remove the HTTP section of the function.


Where did you post a patch? Sorry, just can't find it.
Post #6

Wed Feb 08, 2006 5:08 pm
aUsTiN
Webmaster

http://www.phpbb-tweaks.com/forums.html-f-124
Post #7

Wed Feb 08, 2006 5:12 pm
Cool sippenhaft Cool
Site Supporter

Thanks... should have scrolled a little more
Post #8

Wed Feb 08, 2006 5:14 pm
aUsTiN
Webmaster

np
Post #9