Archive for July, 2010

16 Jul 10

The first rule of phpBB security holes is that you do not talk about phpBB security holes.

I used to have a phpBB3-powered bulletin board. It ran pretty well, apart from always having to delete spam users who were actually Russian robots. A while back they released a huge security update. There’s usually an “easy” upgrade method and a “full” upgrade method. My board is pretty much bone stock, but for some reason “easy” never works. So I spent all night crawling through lines of code in the PHP and in my SQL database looking for the commands the updater was trying to run and figuring out why they weren’t working, and then manually executing the commands myself. This took hours, but I finally got the board updated to 3.0.6. Almost immediately thereafter, the board was hacked, probably by a robot looking for boards running 3.0.6, and probably through some exploit that I had just exposed our board to by doing this laborious update. Now, every time you try to access our forum, or post something, you get redirected to a hot celebs site in India, and then Firefox shuts down the page and flashes a huge red warning about an “attack site” and all you can do is click “get me out of here!” Awesome. So glad I ran that security update.
So when this happened several months ago, I did the only sensible thing that I had time to do. I logged in, disabled the board in the admin control panel, and then changed the permissions on that folder on my server to whatever the Unix equivalent of “everyone in the world can piss off” is. Alright, so the board was broken but at least things couldn’t get any worse. I put it on the back burner until I had time to troubleshoot.
Recently I tried to see if I could resurrect the board. Turns out, I can’t. I deleted every file in the phpBB3 folder and then reinstalled the board from a clean download of the latest version, and yet still every time you try to post to the forum you get redirected to some celebs site in India. Fan-frickin’-tastic.
I did some Googling and found one other user experiencing the exact same problem with the exact same redirect. Joyously I clicked on the forum hoping to find a solution. I was crushed to find that the user’s post had been slapped down with a standard “file a bug” reply and didn’t offer any actual information on how to go about repairing the damage. Worse, the information that they asked for in the bug report is info that I just don’t have access to. Things like server access logs and the original board files that I deleted before I went to the forum looking for help. I couldn’t reply to that thread because it was locked, so I started a new thread and said “Hey, I have the same problem, I don’t have what they’re asking for here, but has anyone else been able to repair their board after this type of attack?” Within a few minutes, my topic had the same canned “file a bug” response and was locked. LOCKED! I’ve seen a lot of conversations go way off topic for page after page but I rarely see forums being locked, especially when people are being civil and playing nice.
Apparently, phpBB doesn’t want anyone knowing about the security holes that their current board versions have, and they don’t want their users knowing how to fix these problems on their own. Nor do they even want users talking with each other about how to fix the problem. I found it kind of odd that a forum software company would be so bent on squashing the power of community.
Actually, I’m pretty pissed about it. So I blogged. Yeah.

Update: I was wrrrrr… wrooooorrrr… hang on a second… I was wurrrurrrrr… dammit! I provided information earlier based on assumptions that proved to be… wrrrrr… erroneous. Ok, I can admit it. Turns out, the security hole was not in phpBB, but rather in a combination of software, mainly a certain web browser plugin and a certain FTP client that ended up exposing my FTP password to nefarious agents. These agents used my password to alter the .htaccess file in the root of my server and caused it to redirect to 4safe.in. The fact that it was a forum that was redirected is incidental. It could have been any web content. It was an easy fix though, and it wouldn’t have been any skin off the phpBB folks to just tell people what the problem was and let them go fix it. Furthermore, the files that phpBB asked for would not have led to a solution to the problem, as they did not ask for the .htaccess file that lies outside the phpBB3 folder. Alright, so if you find your site redirected to: http://4safe.in/in.cgi?4&parameter=sf the first thing you should do is look at your .htaccess file and delete the reference to that site. AND CHANGE YOUR FTP PASSWORD FOR CHRISSAKES. And probably get a new FTP client. Now the solution is published somewhere on the web. My work here is finished.
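The cleanup the update describes (find the injected redirect in .htaccess and remove it) can be done by a small scanner rather than by eye. The following is an added example, not code from the post or from phpBB: it flags any Apache redirect directive whose target is a host the site does not own, and strips those lines along with any RewriteCond that only served a removed rule. The sample .htaccess is constructed, and example.org is assumed to be the site's own host.

```python
import re

# Apache directives whose argument may be an absolute URL.  A URL pointing at
# a host the site does not own is the injected-redirect pattern from the post.
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent",
                       "redirecttemp", "rewriterule", "errordocument"}
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


def find_foreign_redirects(htaccess_text, own_hosts):
    """Return (flagged, cleaned).  flagged lists (line_no, foreign_host, line)
    for redirect directives aimed outside own_hosts; cleaned drops those lines
    plus RewriteCond lines that served a removed RewriteRule (a dangling
    RewriteCond would otherwise attach itself to the next benign rule)."""
    own = {h.lower() for h in own_hosts}
    flagged, kept, pending_conds = [], [], []
    for line_no, raw in enumerate(htaccess_text.splitlines(), start=1):
        tokens = raw.strip().split()
        directive = tokens[0].lower() if tokens else ""
        if directive == "rewritecond":
            pending_conds.append(raw)   # decided when its RewriteRule arrives
            continue
        foreign = [m.group(1).lower() for m in URL_RE.finditer(raw)
                   if m.group(1).lower() not in own]
        if directive in REDIRECT_DIRECTIVES and foreign:
            flagged.append((line_no, foreign[0], raw.strip()))
            if directive == "rewriterule":
                pending_conds = []      # conditions belonged to the bad rule
            continue
        kept.extend(pending_conds)
        pending_conds = []
        kept.append(raw)
    kept.extend(pending_conds)
    return flagged, "\n".join(kept) + "\n"


# Constructed sample: benign phpBB-style rules plus an injected redirect of the
# kind described in the post.  example.org stands in for the site's own host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .* http://4safe.in/in.cgi?4&parameter=sf [R,L]
Redirect 301 /old http://example.org/new
"""

if __name__ == "__main__":
    hits, cleaned = find_foreign_redirects(SAMPLE_HTACCESS, {"example.org"})
    for line_no, host, line in hits:
        print(f"line {line_no}: redirects to foreign host {host}: {line}")
    print(cleaned, end="")
```

Review the flagged lines before writing the cleaned text back; a site that legitimately redirects to a second domain of its own just needs that host added to own_hosts.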