Thread: phpBB and security

  1. #1
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711

    phpBB and security

    Once again my forum, ForumNorway, has been hijacked and now it is more serious. Read the content in that link before you continue.

    Facts:
    1. I have not upgraded to the latest version of phpBB, version 2.0.21. I use version 2.0.19. Do not give the simple answer "upgrade to the latest version". This problem is more serious. I will not upgrade before this problem is solved or it is documented that the old version of the code is the problem.

    2. The code for phpBB is written in PHP by other people, is relatively large, and it is difficult to get an overview without spending much time on it. I do not have that overview. Do not give the simple answer "PHP is not secure, use a BB written in another language".

    3. It is possible to steal authentication (passwords etc.) by listening in on the connection to the site by packet sniffing. I doubt that. It is also possible to hijack session IDs and place javascript code (e.g. by XSS (cross-site scripting) on the server where the board code is stored).

    4. Does anybody on this forum have a solution to the

    Problem: How is it possible for a person to change the code without having the FTP password? Is that stolen, or are there other methods by which the problems described in the above thread can happen?

    Related threads:
    Security in PHP and MySQL

    php sessions for storing data

    Hiding file part of URLs for security purposes
    Conversations creates communities and conversions create profit.

  2. #2
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711
    No answer so far:

    Here is additional information that may be of general interest:

    Reply from a man at phpBB.com who is trying to help me:

    My question:
    3. It is possible to steal authentication (passwords etc.) by listening in on the connection to the site by packet sniffing. I doubt that. It is also possible to hijack session IDs and place javascript code (e.g. by XSS (cross-site scripting) on the server where the board code is stored).

    Answer:
    Most issues with the above come from allowing HTML on the forum software.

    If you are up to date with your phpBB then usually they exploit by SQL injection, thus giving them access to the database, making themselves admin and removing other admins. This is a fault with MySQL, not PHP or phpBB.

    My question:
    4. Does anybody on this forum have a solution to the

    Problem: How is it possible for a person to change the code without having the FTP password? Is that stolen, or are there other methods by which the problems described in the above thread can happen?

    Answer:
    This is usually old phpBB code, or SQL injection and Apache web server hacking. Also, this can be done by exploiting any mods you might have installed, as some of them have really obvious exploits.

    I would also need to check the database for any SQL injection or other strange entries such as hidden admins.

    Also your ISP would need to be notified as soon as everything is upgraded and is as secure as possible. They need to know the issues you are having; get them to look closely at the server logs for your website.

    Any changes leave a date and time. With the logs they can track any IP address on your website that was on at the time the hack occurred.

  3. #3
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711

    What to do if your forum is Hijacked.

    Install Starfoxtj

    Description:

    "The majority of hackers who gain access to your board add malicious information into your forum or site descriptions. The most common are the javascript and iframe tags. By adding these to your descriptions, they can embed "hacked by" messages, songs, music and page redirects.
    Most of the harmful tags cannot be seen by viewing the forum index.

    This section scans all forum descriptions showing you the actual text, including the added information.
    This script will scan for the following tags: <, >, <script, <javascript, script>, <iframe, <frame, iframe>, frame>, <embed, embed>

    The first two characters are considered a minor risk. The rest are considered major risks. (Explained below).

    On most hacked forums where the hacker added an iframe or javascript into a description, the board administrator is unable to view the forum, or even enter the admin panel to remove it. With this tool, if any harmful or malicious tags are detected in the forum description, you have the option to Sanitize it. Sanitization converts the characters that make the tags harmful into safe, non-harmful equivalents.

    The two special characters that allow the script and javascript tags to be harmful are the left and right arrows. The left and right arrows, when surrounding a body of text, are invisible when viewed through a browser. When this script sanitizes a description, it converts the left and right arrows into harmless "html entities". An html entity is a code value that is used to represent the left and right arrows (among other special characters). The left and right arrow characters can be "printed" on the screen using the html entities: &lt; for the left arrow, and &gt; for the right arrow.
    By converting the left and right arrows to their represented code, they are displayed in the browser as harmless arrows. Since they are no longer actual arrows, but the code equivalent, they no longer pose a threat to your forum. You can then log in to your admin panel like normal, and remove the extra code.

    If a description contains the left and/or right arrow < >, it will be highlighted in yellow. Yellow indicates that these characters may possibly be used in a harmful way. This is not always the case though; just because the description contains the left or right arrow does not mean it is insecure or harmful. Many administrators use them by choice on their website, for line breaks, images <img> and font modifications <font>. I would suggest double checking these descriptions to ensure they contain only what you wrote.

    If a description contains any of the other tags, such as the famous iframe, javascript or embed tags, it will be highlighted in red. Red indicates that these descriptions almost certainly contain harmful information. Hardly any administrators use these tags in their forum descriptions, but hackers almost always do. Read through the descriptions highlighted in red, and unless you intentionally intended to add that code, sanitize it".
    Source: Starfoxtj Admin Panel

    Note: if your forum has been hacked and you were admin but are now reduced to moderator, you get additional problems, since you cannot update a moderator to admin.

    Here is my question to the person who made Starfoxtj:
    I think you are the creator of Starfoxtj.

    I am the owner of ForumNorway.com, which has been hijacked. I have posted a post at WebProWorld, http://www.webproworld.com/viewtopic.php?t=65091 where you can read more about the problem.

    A man from phpBB has upgraded the forum and helps me now. But there is something regarding Starfoxtj that I do not understand.

    I was able to upgrade him (new user) to Administrator, but not my son and myself. I was reduced to moderator by a hacker.

    I also tried to change our status to users, but that did not work either. Is there a security hole in Starfoxtj?

    Can the hacker have placed code on the site or in the MySQL database that prevents that action by Starfoxtj?

    Here is the answer:

    Because of the way moderator accounts work, I did not include an option in the toolkit to change the user's user_level if they are a moderator. The reason is because TONS of additional changes need to be made to remove a user's moderator permissions.

    Register a new account, then go into the toolkit (it's called a "ToolKit" btw, Starfoxtj is my nickname), and promote the new account to an admin.

    Then go to the security scanner, and demote/ban any fake admin accounts that are listed. After that, log into phpBB with your new admin account and go to "User Permissions" and remove any moderator permissions from your original admin account. Then promote it back to an admin within phpBB.

    After that change your ftp, database and admin account passwords and update to 2.0.21!
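The scan-and-sanitize procedure the ToolKit description above lays out, written out as an added PHP example. This is not Starfoxtj's code and not phpBB's: the tag list and the minor/major split are taken from the quoted description, the sample descriptions are constructed, and the table and column named in the comment (phpbb_forums.forum_desc) are only where a real run would read the rows from.

```php
<?php
// Added example, not Starfoxtj's or phpBB's code: classify forum descriptions
// the way the quoted ToolKit text describes, then neutralise the risky ones.

// Tag fragments from the quoted description. '<' and '>' alone are a minor
// risk (yellow); the rest are a major risk (red).
const MINOR_RISK = ['<', '>'];
const MAJOR_RISK = ['<script', '<javascript', 'script>', '<iframe', '<frame',
                    'iframe>', 'frame>', '<embed', 'embed>'];

/**
 * Classify one description as 'major', 'minor' or 'clean'.
 * Matching is case-insensitive because browsers treat <SCRIPT> like <script>.
 */
function classify_description(string $desc): string
{
    $lower = strtolower($desc);
    foreach (MAJOR_RISK as $needle) {
        if (strpos($lower, $needle) !== false) {
            return 'major';
        }
    }
    foreach (MINOR_RISK as $needle) {
        if (strpos($lower, $needle) !== false) {
            return 'minor';
        }
    }
    return 'clean';
}

/**
 * Sanitize: turn the angle brackets (plus quotes and ampersand) into HTML
 * entities, so the browser prints "<iframe>" instead of parsing it as a tag.
 */
function sanitize_description(string $desc): string
{
    return htmlspecialchars($desc, ENT_QUOTES, 'UTF-8');
}

/** Scan forum_id => forum_desc pairs and report risk plus the sanitized text. */
function scan_descriptions(array $rows): array
{
    $report = [];
    foreach ($rows as $forumId => $desc) {
        $risk = classify_description($desc);
        $report[$forumId] = [
            'risk'      => $risk,
            'original'  => $desc,
            'sanitized' => $risk === 'clean' ? $desc : sanitize_description($desc),
        ];
    }
    return $report;
}

/** True when nothing in the sanitized column would still scan as a tag. */
function all_clean_after_sanitize(array $report): bool
{
    foreach ($report as $r) {
        if (classify_description($r['sanitized']) !== 'clean') {
            return false;
        }
    }
    return true;
}

// Constructed sample rows standing in for
// SELECT forum_id, forum_desc FROM phpbb_forums (assumed table/column names).
$sample = [
    1 => 'General chat about the forum',
    2 => 'Rules: <b>read before posting</b>',
    3 => 'Welcome <iframe src="http://example.invalid/" width=0 height=0></iframe>',
    4 => 'News <SCRIPT>alert(1)</SCRIPT>',
];

$report = scan_descriptions($sample);
foreach ($report as $id => $r) {
    printf("forum %d: %-5s | %s\n", $id, $r['risk'], $r['sanitized']);
}
echo all_clean_after_sanitize($report) ? "re-scan: clean\n" : "re-scan: tags remain\n";
```

The classifier is a blacklist: it flags exactly the fragments the quoted text names and nothing else, so it is a recovery aid for an admin locked out of the panel, not a guarantee that a description is harmless. Forum 2 shows the yellow case, where an administrator's own `<b>` markup is flagged but not dangerous; forums 3 and 4 show the red case, where sanitizing leaves the text visible as literal characters that the browser no longer executes.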

  4. #4
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711
    Finally the problem is fixed, hopefully more secure and back to where it was before it was hijacked.

    Here is another related thread of phpBB tweaks for large forums that may be of interest. Especially if you have problems with forum backup, read this post by lancer:

    "Today Gaia has about 150 web servers behind our load balancer, and about 20 databases handling different features. Many of our old servers had been either de-commissioned or converted to storage servers. The new servers we're installing are all Opteron servers that are 4 times faster than older machines with the same power requirement. Since the ISP charges a lot for power, it's much more economical for us to upgrade.

    We don't really believe in clustering. Rather we changed our database structure and the database abstraction layer to divide up data into separate physical databases. That way we only need to add more of the same servers when upgrading, and we don't have to spend money on expensive clustering solutions and risk supporting a complex system.

    We've just gotten another 20 database servers to replicate the existing ones for redundancy. No replication is used for scalability or handling bandwidth. We still use MyISAM for small logs and data that doesn't get updated more than once a second, otherwise everything else is InnoDB.

    The session handler had been completely re-written to use the new database structure and to accommodate a whole bunch of Gaia related features. A caching system for gold earning for example. The user id determines which of the 4 database servers to use. When we need more performance we will expand that up to 8 and change the session handler to accommodate 8 servers.

    The database structure had also changed for the ability to handle threads of unlimited posts. Changes like these involved a few guys working together and a span of months to complete. Once I find the time I'll publish them for the phpbb team. Right now I'm still pulling my hair trying to get the latest features to release."

    My underline.

  5. #5
    cyanide (Senior Member) | Join Date: Jul 2003 | Posts: 1,739
    Did you find out how this happened?

    I would also wonder what versions of php/mysql and apache you are running

  6. #6
    Easywebdev (Senior Member) | Join Date: Apr 2004 | Posts: 279
    I missed this one first time round.

    Kgun, to answer the points in your first post.

    1. You have not upgraded. You can answer that yourself, upgrades contain fixes for various bugs and security enhancements. No reason not to upgrade.

    2. "PHP is not secure, use a BB written in another language." Rubbish, plain and simple, absolute rubbish.

    The bad name that PHP has is due to how accessible it is for new programmers. People can jump straight into PHP without any prior programming background, and as it is a typeless language there are many pitfalls for the unwary. PHP in the hands of an experienced programmer coming from C or C++, who understands and adheres to casting practices, has in my opinion, with the release of PHP 5, reached enterprise standard.

    The majority of security flaws in PHP applications can be attributed to the above: a newbie starts with PHP and rattles out a few scripts that work, but has no understanding of security measures. Well, you cannot blame the language for that.

    3. Yes, it is possible to steal session IDs, but if someone is running a packet sniffer on your IP then you have a lot more to worry about than someone gaining administrator privileges to your forum. This type of activity is above most of the "script kiddie" brigade. It is not possible to place code on the server via javascript (provided the server administrator knows what they are doing), nor is it possible via phpBB; the only system call phpBB uses is an eval() in the templating system, and I have not seen a variable passed to the templating engine that is unsanitized.

    From what I read on your link you let some kid install the forum for you but then changed the password. When they had access there was nothing stopping them from uploading a host of scripts that could be used to place code on your server even after you changed ftp passwords.

    The main problems with phpbb and security DO NOT come from the script itself but through add ons and hosting on a server where the administrator is clueless and has not hardened user permissions and disabled potentially harmful php settings. In that scenario most scripts are vulnerable.

    As far as your follow-up posts regarding

    This section scans all forum descriptions showing you the actual text, including the added information.
    This script will scan for the following tags: <, >, <script, <javascript, script>, <iframe, <frame, iframe>, frame>, <embed, embed>

    that is just down to a programmer having no understanding of when and how to use the htmlspecialchars() function.

    There are many, many large forums running phpBB and they don't get hacked (this is one); it is all down to the hosting environment and the competency level of the administrator. If the host has not secured folder permissions then there is nothing to stop another user on your server browsing to and reading your config.php to get your database connection information.

    With the drop in prices of VPS technology to as little as $25 per month for a server capable of hosting 50 small sites there is no reason to stay with shared hosting. Get out of that environment and you will have less problems with any open source script.
    "I have not failed. I have found 10,000 ways that don't work" - Thomas Edison.
    "The secret to creativity is knowing how to hide your sources" - Albert Einstein.
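Two of the hosting problems named in the post above, a config.php that other customers on the server can read and risky PHP settings left switched on, can be checked from the command line. The script below is an added example and not part of the thread or of phpBB. It assumes config.php sits in the same directory as the script, and the list of directives is my own choice of settings that existed in PHP 5 of that period; register_globals was removed in PHP 5.4, so on newer builds that check simply passes.

```php
<?php
// Added example (not thread or phpBB code): audit config.php permissions and
// php.ini directives that a hardened shared host should have switched off.

/**
 * Return findings for a file whose permission bits let "other" read or write it.
 * On shared hosting, "other" is every other customer's scripts.
 */
function audit_file_permissions(string $path): array
{
    if (!file_exists($path)) {
        return ["$path does not exist"];
    }
    $findings = [];
    $mode = fileperms($path) & 0777;
    if ($mode & 0004) {
        $findings[] = sprintf('%s is world-readable (mode %04o)', $path, $mode);
    }
    if ($mode & 0002) {
        $findings[] = sprintf('%s is world-writable (mode %04o)', $path, $mode);
    }
    return $findings;
}

// Directives that should be off, with the reason each one matters.
// register_globals no longer exists in PHP 5.4+, so ini_get() returns false there.
const SHOULD_BE_OFF = [
    'register_globals'  => 'lets request parameters overwrite script variables',
    'allow_url_include' => 'lets include()/require() load code from a remote URL',
    'allow_url_fopen'   => 'lets file functions fetch remote URLs',
    'display_errors'    => 'shows file paths and SQL fragments to visitors',
    'expose_php'        => 'advertises the PHP version in response headers',
];

/** Return one finding per risky directive that is currently enabled. */
function audit_ini(array $settings = SHOULD_BE_OFF): array
{
    $findings = [];
    foreach ($settings as $name => $why) {
        // ini_get() returns "1"/"0", "On"/"Off", "" or false; normalise to bool.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$name is enabled: $why";
        }
    }
    return $findings;
}

/** Versions asked for in the thread; the web server string only exists under a web SAPI. */
function version_report(): array
{
    return [
        'php'    => PHP_VERSION,
        'server' => $_SERVER['SERVER_SOFTWARE'] ?? 'n/a (run from CLI)',
    ];
}

// Assumed location of the phpBB config file: same directory as this script.
$configPath = __DIR__ . '/config.php';

$findings = array_merge(audit_file_permissions($configPath), audit_ini());
foreach (version_report() as $what => $value) {
    echo "$what: $value\n";
}
echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
```

Run it as the same account that owns the site; a world-readable config.php (mode 0644 is the usual default) is the finding that matches the post's warning about another customer reading your database credentials. The MySQL version is not reported because it needs a database connection, which the script deliberately does not open.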

  7. #7
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711
    Easywebdev, I agree with what you write and have not blamed PHP. Rather the opposite, PHP is flexible and easy. A program is as secure as it is written.

    My post was written for general information. A 17 year old Norwegian boy installed the forum for me the second time since I deleted it. It is not difficult to install the forum, especially if you accept the defaults. I did that myself. He told on a Norwegian forum that he could take care of and update it for me. He did not follow up and I will never employ or recommend him to other persons. He may have lost a future job.

    I am not so very afraid of the code being hijacked or of intrusion. My aim was to get a forum on the net. Time will show if it gets active. I will not create virtual members and discuss with myself to get activity. It has been very interesting to observe and learn about a CMS system written in PHP. Even the spamming earlier and this intrusion have been interesting.

    Now a man from the UK takes care of it. Interesting to see if he is more reliable. He has access to the code of some of my ad driven pages. I rely on people until the opposite is proved. Maybe I am naive. At least I learn more about the internet and the persons that surf it.

    Thank you for a new, interesting and well written post.

  8. #8
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711
    Quote Originally Posted by cyanide
    Did you find out how this happened ?

    I would also wonder what versions of php/mysql and apache you are running
    No I did not, since I do not have time to go check the logs in detail.

    Easywebdev indicates an answer above: since I gave the control to a boy, he could of course install (modify) what files he would, as long as I do not have an overview of the files / code. He said that he did not modify it, but he was the only Administrator after the intrusion and I was reduced to moderator. But the person that did it may not have noted that I had installed Starfoxtj, so it was no problem for me to change the status of members. A great tool as long as an intruder does not know it. In the worst case I would have deleted the whole domain (and maybe changed host) and reinstalled the code from my computer, which is clean.

    I think you find the version information on the host's page, ImHosted, which has been my best foreign host so far.

  9. #9
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711
    Does anybody know of a phpBB mod(ification) to prevent duplicate posting of registered members? It is only a programming task:

    1. Search the database of that member's posts for identical posts.

    2. Search the database for identical posts by other members.
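The two checks listed in the post above, as an added PHP example. This is not a phpBB mod and not Double Post Control: an in-memory SQLite database stands in for MySQL so the script runs on its own, the table names follow phpBB 2 (phpbb_posts, phpbb_posts_text) but only the columns the check needs are created, the post_fingerprint column is an assumed addition that a real mod would have to add to the schema, and the rows are constructed.

```php
<?php
// Added example (not a phpBB mod): detect identical posts by the same member
// and by other members, the two lookups the post describes.

/** Normalise text before hashing so whitespace or case changes still match. */
function post_fingerprint(string $text): string
{
    $normalised = strtolower(trim(preg_replace('/\s+/u', ' ', $text)));
    return hash('sha256', $normalised);
}

/** Build a tiny phpBB 2 style schema in SQLite with constructed rows. */
function build_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER, post_time INTEGER)');
    // post_fingerprint is an assumed extra column, not part of the stock phpBB 2 schema.
    $db->exec('CREATE TABLE phpbb_posts_text (post_id INTEGER PRIMARY KEY, post_text TEXT, post_fingerprint TEXT)');

    // Constructed rows: user 7 double-posts, user 9 reposts user 7's text, user 12 is unique.
    $rows = [
        [1, 7, 1000, 'Check out my new site!'],
        [2, 7, 1030, 'check out my  new site!'],
        [3, 9, 1100, 'Check out my new site!'],
        [4, 12, 1200, 'Hello from Norway'],
    ];
    $p = $db->prepare('INSERT INTO phpbb_posts (post_id, poster_id, post_time) VALUES (?, ?, ?)');
    $t = $db->prepare('INSERT INTO phpbb_posts_text (post_id, post_text, post_fingerprint) VALUES (?, ?, ?)');
    foreach ($rows as [$id, $poster, $time, $text]) {
        $p->execute([$id, $poster, $time]);
        $t->execute([$id, $text, post_fingerprint($text)]);
    }
    return $db;
}

/**
 * Step 1: other posts by the same member with identical text.
 * Step 2: identical posts by anyone else.
 * Both run as prepared statements, so the submitted text never lands in the SQL string.
 */
function find_duplicates(PDO $db, int $posterId, string $text): array
{
    $fp  = post_fingerprint($text);
    $sql = 'SELECT p.post_id, p.poster_id
            FROM phpbb_posts p
            JOIN phpbb_posts_text t ON t.post_id = p.post_id
            WHERE t.post_fingerprint = :fp AND p.poster_id ';
    $same  = $db->prepare($sql . '= :poster');
    $other = $db->prepare($sql . '<> :poster');
    $same->execute([':fp' => $fp, ':poster' => $posterId]);
    $other->execute([':fp' => $fp, ':poster' => $posterId]);
    return [
        'same_member'   => $same->fetchAll(PDO::FETCH_ASSOC),
        'other_members' => $other->fetchAll(PDO::FETCH_ASSOC),
    ];
}

$db = build_sample_db();
// Simulate user 7 submitting the same text once more, before it is inserted.
print_r(find_duplicates($db, 7, 'Check out my new site!'));
```

Running the check before the INSERT lets the mod reject or queue the post; the fingerprint column avoids comparing full post bodies on every submission, and normalising first catches the "same post with an extra space" variant that a plain equality test on post_text would miss.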

  10. #10
    kgun (WebProWorld MVP) | Join Date: May 2005 | Location: Norway | Posts: 7,711
    Here is a post

    Double Post Control 1.1.0