| Author |
Message |
stefan
Administrator


Joined: 01.08.2002
Posts: 4735
Location: Aachen
|
Posted:
Sun 28 May, 2006 22:20 |
  |
A remote file include vulnerability was found in the Knowledge-Base Mod, which is also included in phpBB2 Plus 1.5x. To fix this you have to add the following code lines to the file includes/kb_constants.php:
Find:
Code:
// ---------------------------------------------------------------------START
// This file defines specific constants for the module
ADD BEFORE:
Code:
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}
Please do it now and not later!
I have updated the Download-Package with this fix already. |
_________________ Bye
Stefan
Styles Demo Forum :: Download Database :: phpBB2 Plus 1.5x Demo
phpBB2 Toplist :: International phpBB2 Support
Anwesend - Back in Business
Kein Support per PM - No Support via PM |
|
      |
 |
Blisk
phpBB2.de User

Joined: 27.11.2003
Posts: 994
Location: sLOVEnia
|
Posted:
Mon 29 May, 2006 08:30 |
  |
I assume this is only in 1.53 version, because in 1.52 version in folder includes I have no file kb_constants.php |
|
|
    |
 |
cback
phpBB2.de User
 [KB] Manager

Joined: 16.01.2004
Posts: 3321
Location: Saarland
|
Posted:
Mon 29 May, 2006 10:52 |
  |
I suggest that you check every file which should be included for this part. (includes/ folder, your_modname/ folder) There are some other MODs too which have such vulnerabilities. Maybe MODs you have added after downloading the Plus Package from here. (So no more problems with the Plus package, there was just the Knowledge Base issue.) So please check your files for better security. Please be careful, some files are main files and these DON'T have this part!! In these files you will find something like
Code:
define('IN_PHPBB', true);
at the beginning. You will not need to change these files!
I wrote an exact article about this a long time ago in a galaxy far far away ... ohm... wrong text. Well, joking aside: I wrote an article about this on my site where I describe how to check the security:
http://www.community.cback.de/viewtopic.php?t=5637
Additionally, in April I wrote a blog entry on my blog where I describe exactly how these attackers can get into your forum via include files:
http://www.blog.cback.de/?p=33
You should read this immediately (maybe also with Google Translator if you don't speak German) and check your board as soon as possible.
The easiest way is BTW to change your server setting REGISTER GLOBALS to OFF. But be careful: the board should be secured too, for example if you move to a server with GLOBALS=ON or something like this.
Another MOD which has this vulnerability is BTW the Advanced Guestbook. Here the addentry.php has no "!defined('IN_PHPBB')" check. Like Stefan said, you should do this fix now and not later, because these methods have been known for a month now and some of my research on the web showed that the crack scripts which use this vulnerability are getting more and more numerous. |
_________________ [ Forensoftware | CBACK Software | SYNTACTION ]
Support only in Forum! - Support nur im Forum! |
|
     |
 |
fancentre
phpBB2.de User


Joined: 07.11.2005
Posts: 17
|
Posted:
Mon 29 May, 2006 13:44 |
  |
Hey cback, and very much welcome to this discussion, which is of extreme importance it seems to me!
First and foremost, I am no brainiac when it comes to PHP coding and especially NOT when it comes to detecting security holes and such, so bear with me here :D
OK, I have now looked through the includes/ folder of Plus 1.53 and found the following files not having either "define('IN_PHPBB', true);" or "die("Hacking attempt");":
auth.php
class_db.php
emailer.php
functions.php
functions_admin.php
functions_bookmark.php
functions_jr_admin.php
functions_kb.php
functions_mods_settings.php
functions_module.php
functions_profile_fields.php
functions_search.php
functions_selects.php
functions_stats.php
functions_validate.php
sessions.php
smtp.php
sql_parse.php
template.php
topic_review.php
usercp_avatar.php
Some of these files have other "define" statements (but so did kb_constants.php) and others have none!
Are these files safe, and if so why... (if this explanation is at all possible within a reasonable context)!
You point to some guides/articles about this very subject, all written in German. This however is, as I see it, an EXTREMELY important issue at present, as these holes leave open possibilities for cross-server hacking and as a result have (already) and can put down multiple forums in a swift!!
I would ask of you if you could spare the time to make a summary post/article about this subject in English, including a small guide on how to fix all old or newer installed MODs (much as you have done above) ... I know very little about the workings and security of PHP, but this seems to be worth the effort..
I would then translate it into Danish and post this critical information on the Danish support site.... and should somebody not try to rattle the cage of .com and get them informing and working on these issues as well??
Well anyway, cback, stefan or whoever has the time and ability... I would very much appreciate this effort, as would probably many out there with modded and now openly known vulnerable boards! |
_________________ www.FanCentre.com ... come by!! |
|
    |
 |
cback
phpBB2.de User
 [KB] Manager

Joined: 16.01.2004
Posts: 3321
Location: Saarland
|
Posted:
Mon 29 May, 2006 13:47 |
  |
Hi, that's correct. Some files don't have this line because they only include functions, so you can't attack them. But it's better if you add this line, you have nothing to lose.
So you can add the if(!defined... thing to all these include files without getting problems. I personally added the constant check to all my board files. It's not always necessary (as I said, some files just have functions included which you can't access from external resources) but you will not do anything bad if you add it. |
_________________ [ Forensoftware | CBACK Software | SYNTACTION ]
Support only in Forum! - Support nur im Forum! |
|
     |
 |
kjwargan
phpBB2.de User


Joined: 24.10.2005
Posts: 181
|
Posted:
Mon 29 May, 2006 13:56 |
  |
Since I am German, I tried to translate the above text with the Google Translator! Exactly like this here from German into English. Words come to the appearance, like (German words) bear, gutter, cube, river, drillings and wells. Question: Is the above-mentioned information also available somewhere in German? If this information is important! |
_________________ Best regards
Carlo
www.hypnose-motivation.eu |
|
    |
 |
cback
phpBB2.de User
 [KB] Manager

Joined: 16.01.2004
Posts: 3321
Location: Saarland
|
Posted:
Mon 29 May, 2006 14:08 |
  |
Hi,
just take a look at the two links to my forum and blog that I posted above; everything about this problem is there, completely in German. |
_________________ [ Forensoftware | CBACK Software | SYNTACTION ]
Support only in Forum! - Support nur im Forum! |
|
     |
 |
fancentre
phpBB2.de User


Joined: 07.11.2005
Posts: 17
|
Posted:
Mon 29 May, 2006 14:20 |
  |
Hi cback and thanks for the input
So to be clear, add:
Code:
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}
to ALL files in the include/ folder... maybe not necessary, but then you're safe instead of sorry! (Does this also include the folders inside /includes, e.g. includes/mods_settings/ ?)
Then you mention the folder "your_modname/ folder"
Would you simply add the code to ALL installed/uploaded MOD .php files? Again to be safe instead of sorry... |
_________________ www.FanCentre.com ... come by!! |
|
    |
 |
cback
phpBB2.de User
 [KB] Manager

Joined: 16.01.2004
Posts: 3321
Location: Saarland
|
Posted:
Mon 29 May, 2006 14:32 |
  |
|
     |
 |
kjwargan
phpBB2.de User


Joined: 24.10.2005
Posts: 181
|
Posted:
Mon 29 May, 2006 14:35 |
  |
| cback wrote: |
just take a look at the two links to my forum and blog that I posted above; everything about this problem is there, completely in German. |
So, files that are "only" in the included folder? |
_________________ Best regards
Carlo
www.hypnose-motivation.eu |
|
    |
 |
cback
phpBB2.de User
 [KB] Manager

Joined: 16.01.2004
Posts: 3321
Location: Saarland
|
Posted:
Mon 29 May, 2006 15:03 |
  |
|
     |
 |
kjwargan
phpBB2.de User


Joined: 24.10.2005
Posts: 181
|
Posted:
Mon 29 May, 2006 15:25 |
  |
That I don't understand it properly is probably because I only started to deal with this at the age of 55
About half a year ago.
It will work out somehow
Finally, I thank you. |
_________________ Best regards
Carlo
www.hypnose-motivation.eu |
|
    |
 |
fancentre
phpBB2.de User


Joined: 07.11.2005
Posts: 17
|
Posted:
Tue 30 May, 2006 00:43 |
  |
Hey cback... again thanks for the info... I'm back for more
First off... I would guess that adding this code to any MOD would mean that these would also have to register all their .php files in constants.php.. which is not always the case.... is this correct... is that not what the statement checks??
Second... can somebody supply some info on how this code guards against the exploit attacks.... as I mentioned earlier, I have no great insight into these security issues in PHP but am trying
As I understand it, the recent serious problems experienced especially on many FM boards have been exploit attacks where the attack comes prepared with a predefined $phpbb_root_path (and here exploits where the root_path is not explicitly defined in the files)..
Looking at the fix proposed by WyriHaximus on toplist.php:
http://www.wyrihaximus.net/blog/message/id/108/n/Hotfix_for_toplist_1.x/
which achieves the objective in a whole other way, simply by explicitly setting (and changing if not defined) the $phpbb_root_path...
How does this fix address this issue... in short, how does it work.. if it indeed does.... no disbelief... just making ABSOLUTELY sure... and trying to understand....
Hope you can help me with some answers, cback, stefan or other... |
_________________ www.FanCentre.com ... come by!! |
|
    |
 |
DonvanVliet
phpBB2.de User


Joined: 25.01.2004
Posts: 241
Location: The Little House I Used To Live In
|
Posted:
Tue 30 May, 2006 00:51 |
  |
The code in the first post: does it have to be added before or after? The post says add before, and the file in the updated package has the code added after.
Like this:
Code:
// ---------------------------------------------------------------------START
// This file defines specific constants for the module
// -------------------------------------------------------------------------
if ( !defined('IN_PHPBB') )
{
    die ("Hacking attempt!");
}
|
_________________ [DoC] Administrator & Docker
[DoC]Sniperclan website
[DoC]Sniperclan Forums
Ze kenne me de bout hachelen! |
|
      |
 |
cback
phpBB2.de User
 [KB] Manager

Joined: 16.01.2004
Posts: 3321
Location: Saarland
|
Posted:
Tue 30 May, 2006 12:41 |
  |
Before is correct.
You can place this line just after the first comment (the /* thing) directly at the beginning of the file after <?php
If you want you can place it directly behind <?php too, but the phpBB standard is just after the first comment with the file credits and license.
This line should also be the first code which will be accessed when the script is executed. |
_________________ [ Forensoftware | CBACK Software | SYNTACTION ]
Support only in Forum! - Support nur im Forum! |
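
The file check discussed in this thread (a main file sets IN_PHPBB itself, every other file should test for it before any other code runs), as an added example that is not part of any post and not phpBB code. It is a heuristic text scan in Python; the category names, the sample files and the names KB_EXAMPLE and common.php are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

DEFINE_RE = re.compile(r"\bdefine\s*\(\s*['\"]IN_PHPBB['\"]")
GUARD_RE = re.compile(r"!\s*defined\s*\(\s*['\"]IN_PHPBB['\"]\s*\)")
# Opening tag and comments are not executable, so they may precede the guard.
NOISE_RE = re.compile(r"<\?php|/\*.*?\*/|//[^\n]*", re.S)

def classify(source: str) -> str:
    """Return 'entry', 'guarded', 'late-guard' or 'unguarded' for one PHP file."""
    code = NOISE_RE.sub("", source)
    if DEFINE_RE.search(code):
        return "entry"  # main file: sets the constant itself
    match = GUARD_RE.search(code)
    if match is None:
        return "unguarded"
    # Only the opening "if (" may come before the test; anything else ran first.
    before = code[:match.start()].strip()
    return "guarded" if re.fullmatch(r"if\s*\(", before) else "late-guard"

def audit(root: Path) -> dict:
    """Classify every *.php file below root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.php"))}

GUARD = "if ( !defined('IN_PHPBB') )\n{\n\tdie(\"Hacking attempt\");\n}\n"
SAMPLE = {  # constructed files; KB_EXAMPLE and common.php are placeholders
    "index.php": "<?php\ndefine('IN_PHPBB', true);\n",
    "includes/kb_constants.php": "<?php\n// constants for the module\ndefine('KB_EXAMPLE', 1);\n",
    "includes/fixed.php": "<?php\n/* credits */\n" + GUARD + "define('KB_EXAMPLE', 1);\n",
    "includes/late.php": "<?php\ninclude($phpbb_root_path . 'common.php');\n" + GUARD,
}

def demo() -> dict:
    """Write the constructed sample tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit(Path(tmp))

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<10} {name}")
```

Files that contain only function definitions are also reported as unguarded; the thread's advice is that adding the check to them does no harm.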
|
     |
 |