Researchers Find Vulnerability in phpBB3

An attacker who has obtained administrator rights on one of the forums can seize complete control over the entire server
22 November 2018

Security specialists from RIPS Technologies have published information about a vulnerability they found in phpBB3. The bug allows an attacker who has obtained administrator rights on one of the forums to execute their own code and seize complete control over the entire server.

Forum administrators can edit uploaded images and specify the absolute path on the system to the ImageMagick tool used for editing. To use the vulnerability, the attacker must upload a file containing their own code to the server and know its exact path. The attack relies on Phar deserialization, which is based on PHP's .phar archives, and consists of the following steps:

  • Upload a file. First, the attacker needs to upload a file with malicious code to the server. This can be done even with the rights of an ordinary user, since the forums allow attachments to be uploaded to posts.
  • Change the extension. The engine checks the file extension and does not allow uploads with extensions other than the permitted ones. However, a PHP archive can be renamed to .jpeg or any other whitelisted extension, which does not prevent it from being processed.
  • Find the exact file path. Another difficulty arises here: all files uploaded to phpBB3 are given random names, so the exact path to the code remains unknown to the attacker. This can be worked around by uploading the file in chunks. The server receives the fragmented code and assembles it in a temporary file whose name is derived from the name of the received file, its extension and a special parameter, plupload_salt, which is unique to each server. An attacker with administrator rights can obtain the plupload_salt value from the server backup. To stop the engine from deleting the temporary file, the attacker can declare more chunks than are actually sent, forcing the system to keep waiting for the missing ones.
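The two ingredients of the attack above are an administrator-supplied path that PHP's file functions would resolve through the phar:// stream wrapper, and an attachment that is really a PHP archive with a renamed extension. The following added example (not phpBB's or RIPS Technologies' code) shows the two defensive checks a forum could apply: a validator that only accepts a plain absolute path for the ImageMagick setting, and an attachment check that rejects a file whose content is not a JPEG or that carries a phar stub behind a JPEG header. The function names, the constructed sample bytes and the allowed-extension set are assumptions for illustration.

```python
"""
Defensive checks against the phpBB3 Phar deserialization attack described
above. Example code added here, not from phpBB or RIPS Technologies; the
sample attachment bytes below are constructed for the demonstration.
"""
import re

# Any URL-style scheme (phar://, file://, php://, ...) in a setting that
# should hold a plain local binary path is a red flag; phar:// is the one
# this attack needs in order to trigger deserialization.
_WRAPPER_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9+.\-]*://")


def is_safe_binary_path(path: str) -> bool:
    """Accept only an absolute POSIX path with no stream wrapper, no NUL
    byte and no '..' or empty components (assumed ImageMagick path rule)."""
    if "\x00" in path or _WRAPPER_RE.match(path):
        return False
    if not path.startswith("/"):
        return False
    parts = path.split("/")
    return ".." not in parts and all(p != "" for p in parts[1:])


# A native-format phar must contain __HALT_COMPILER(); in its stub, even
# when a JPEG header is prepended so that the file passes image checks.
# This marker covers the native phar format only; the path check above
# remains the primary control.
PHAR_STUB_MARKER = b"__HALT_COMPILER();"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg"}  # assumed whitelist for the demo


def looks_like_phar(data: bytes) -> bool:
    """True if the bytes carry a native phar stub anywhere in the file."""
    return PHAR_STUB_MARKER in data


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine the extension whitelist (which phpBB already has) with a
    content check, so a renamed PHP archive is rejected rather than stored."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return "reject: extension not allowed"
    if not data.startswith(JPEG_MAGIC):
        return "reject: content is not a JPEG"
    if looks_like_phar(data):
        return "reject: JPEG/phar polyglot"
    return "accept"


# Constructed samples: a minimal JPEG-looking blob and the same header
# followed by a phar stub (not a complete archive).
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 8


if __name__ == "__main__":
    for p in ("/usr/bin/convert", "phar:///var/www/files/abc.jpeg/x", "/usr/bin/../../etc"):
        print(f"path {p!r}: {'ok' if is_safe_binary_path(p) else 'rejected'}")
    for name, blob in (("pic.jpeg", CLEAN_JPEG), ("pic.jpeg", POLYGLOT), ("shell.phar", POLYGLOT)):
        print(f"attachment {name}: {classify_attachment(name, blob)}")
```

The path validator is the control that matters most: if the ImageMagick setting can never contain a stream wrapper, a stored phar is inert even if the content check is bypassed with a tar- or zip-based archive.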

The information was published on the company's website on November 20, 2018, a month and a half after the vulnerability was actually discovered. During this time, the engine's developers released patch 3.2.4, which eliminates the possibility of the attack. Servers running the latest software version are therefore no longer at risk.

At the same time, RIPS Technologies experts note that Phar deserialization is a new technique, and the problem may affect many similar systems.

RIPS Technologies regularly reports vulnerabilities found in various CMSs. In early November 2018, the company's specialists found serious bugs in the WooCommerce plugin for WordPress.

RiskSense: WordPress Has Many Vulnerabilities

According to the latest study of vulnerabilities in web frameworks and platforms, WordPress and Apache Struts account for 57% of all vulnerabilities
19 March 2020

RiskSense published the results of an analysis of 1622 vulnerabilities in web frameworks and platforms, identified from 2010 to November 2019. Key findings:

  • WordPress and Apache Struts account for 57% of all vulnerabilities for which exploits have been prepared. Next come Drupal, Ruby on Rails and Laravel. Node.js and Django also appear on the list of platforms with exploitable vulnerabilities, but only one exploitable vulnerability was found among their 56 and 66 known vulnerabilities respectively. The most common vulnerability type in WordPress is cross-site scripting, and in Apache Struts, improper input validation.
  • Projects in PHP and Java lead in the number of vulnerabilities with existing exploits.
  • In 2019, the total number of vulnerabilities decreased, but the share of vulnerabilities with exploits increased from 3.9% to 8.6%, mainly due to the growing number of exploits for Ruby on Rails, WordPress, and Java.
  • Cross-site scripting (XSS) is the most common vulnerability in the 10-year sample. Vulnerabilities caused by improper input validation (24% of all vulnerabilities with exploits) lead in the 5-year sample, where XSS fell to 5th place.
  • SQL, code, and command injection vulnerabilities are relatively rare, but they lead in terms of exploit availability: exploits were prepared for more than 50% of such vulnerabilities (60% for command injection and 39% for code injection).

More details are available in the official press release.