Researchers Find Vulnerability in phpBB3

An attacker who has obtained administrator rights on one of the forums can seize complete control over the entire server
22 November 2018

Security specialists from RIPS Technologies have published information about a vulnerability they found in phpBB3. The bug allows an attacker who has obtained administrator rights on one of the forums to execute his own code and seize complete control over the entire server.

Forum administrators can edit uploaded images using the ImageMagick editor and specify the absolute path to it on the system. To exploit the vulnerability, the hacker must upload a file with his own code to the server and know the exact path to it. The attack uses the Phar deserialization vulnerability, which is based on the use of .phar PHP archives. It includes the following steps:

  • Upload the file. First, the attacker needs to upload a file with malicious code to the server. This can be done even with the rights of an ordinary user, since the forums allow uploading attachments to posts.
  • Change the extension. The engine checks the file extension and does not allow uploading data with extensions other than the allowed ones. However, for a PHP archive file, the extension can be changed to .jpeg or any other from the whitelist, which will not prevent its launch.
  • Extract the exact file path. Here another difficulty arises. All files uploaded to phpBB3 are assigned random names, so the exact path to the code remains unknown to the hacker. The hacker can get around this by enabling upload of the file in parts. The server receives the fragmented code and collects it in a temporary file, the name of which is generated from the name of the received file, its extension and a special parameter, plupload_salt, unique for each server. The hacker can obtain the value of plupload_salt from a server backup, which requires administrator rights. To keep the engine from deleting the temporary file, the hacker can declare that more parts will be sent than actually are, forcing the system to wait for the missing ones.
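
A defensive check that follows from the steps above, as an added example that is not code from phpBB or RIPS Technologies: it scans an upload directory by content rather than by extension and flags any file carrying the stub marker of a native-format phar archive, and it validates that a configured binary location is a plain local absolute path. The function names, the list of image magic bytes and the sample files are assumptions constructed for the illustration; tar- and zip-based phar archives are outside what it detects.

```python
import os
import re
import tempfile

# Marker that terminates the stub of a native-format phar archive.
PHAR_STUB = b"__HALT_COMPILER();"
# Magic bytes of common image types (assumed whitelist, not phpBB's own list).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")
# Any "scheme://" prefix means the value is a stream wrapper URL, not a path.
WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def classify(data: bytes) -> str:
    """Return 'phar', 'image' or 'other' for the raw content of an upload."""
    if PHAR_STUB in data:
        return "phar"  # wins even when the file also starts with image magic
    if data.startswith(IMAGE_MAGIC):
        return "image"
    return "other"


def scan_upload_dir(root: str) -> list:
    """List files under root whose content is a phar, whatever their name."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # whole-file read; fine for attachments
                if classify(fh.read()) == "phar":
                    hits.append(os.path.relpath(path, root))
    return hits


def is_plain_absolute_path(value: str) -> bool:
    """Accept only a local absolute path for a configured binary location."""
    return not WRAPPER_RE.match(value) and os.path.isabs(value)


def demo() -> list:
    """Build a constructed upload directory and scan it."""
    samples = {
        "real.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # constructed image header
        "renamed.jpeg": b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 16,  # constructed stub
        "notes.txt": b"plain text attachment",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_upload_dir(root)
```

A hit only means the stub marker is present; a text attachment that quotes the marker is flagged too, so treat results as candidates for review.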

The information was published on the company's website on November 20, 2018, a month and a half after the vulnerability was actually discovered. During this time, the developers of the engine released patch 3.2.4, which eliminates the possibility of the attack. For servers that have the latest software version installed, the danger is therefore eliminated.

At the same time, RIPS Technologies experts note that Phar deserialization is a new technique, and the problem may affect many similar systems.

RIPS Technologies regularly reports vulnerabilities found in various CMS. In early November 2018, the company's specialists found serious bugs in the WooCommerce plugin for WordPress.

PhpStorm Gets a New Version

The popular PHP IDE received version 2018.3 with a lot of new features and updates
23 November 2018

JetBrains, which specializes in creating IDEs, announced the release of the final version of PhpStorm 2018.3. This cross-platform product is built on the IntelliJ IDEA platform and is intended for development in the PHP scripting language.

The updated development environment works with PHP 7.3. The developers have improved support for DQL (Doctrine Query Language), a query language focused on the project's object model. DQL composes requests for retrieving or modifying data using user-created class names and fields. The early access version of the IDE simply highlighted the lines of code containing the requests; the final version implements full navigation and editing.

For PHPDoc, the concept of intersection types (Intersection Types) was added, allowing variables to belong to several types at the same time. Some refactoring tools were improved. HTTP requests can now be generated using run. The debugger gained the ability to search for variables.

When working with PHPUnit, you can automatically generate the setUp and tearDown methods used when running tests. This solution will speed up the work with the code.

JetBrains specialists have expanded the possibilities for working with GitHub repositories. PhpStorm 2018.3 adds a tool for managing pull requests that allows you to view and sort them. The IDE's handling of submodules has been fixed: now, when cloning a project, they are saved correctly.

The new development environment contains tools for automatically correcting code and bringing it in line with industry standards, such as PSR-2. For this, the developers have included the PHP CS Fixer utility in PhpStorm 2018.3. The settings even allow you to define your own standards for the code.

The IDE interface itself was improved. New search features were implemented and new color schemes were added. Todo, an operator that generates a task list, can now span several lines, following the example of similar tools in JavaScript, TypeScript, SQL, CSS, and HTML.

For working with databases, the developers reworked the code supporting these modules and added the NoSQL DBMS Apache Cassandra and the relational PostgreSQL to the system.

The previous version of the IDE was released in July 2018. At that time the developers added custom postfix fill patterns and reworked structured search and replace.

Get more info at the official blog.