ID:               31759
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ieb9 at tfd dot co dot uk
-Status:           Open
+Status:           Bogus
 Bug Type:         *General Issues
 Operating System: Linux RH9, Apache 2
 PHP Version:      4.3.10
 New Comment:

This has nothing to do with urldecode.  It has to do with what the
applications do with the data after urldecoding it.  In the case of
phpBB they passed it directly to a preg_match /e which executed the
decoded string.  There is nothing we can do about people writing
applications that take user data and pass it directly to functions that
execute it.  urldecode() is working exactly as it was designed to work.
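
The distinction drawn in the comment above, as an added example that is not code from bug #31759, from phpBB or from PHP itself: urldecode() only yields a string; execution happens only if the application hands that string to an evaluating sink. The function names (highlight_term, uses_eval_modifier) and the sample input are constructed for this example. The /e modifier referred to above was deprecated in PHP 5.5 and removed in PHP 7.0, so the vulnerable form appears only as a comment; the runnable part is the hardened replacement plus a small code-audit check.

```php
<?php
// Added example, not code from bug #31759, phpBB or PHP. Helper names
// and sample values are constructed for illustration.

// Constructed sample: a percent-encoded value that, once decoded, happens
// to contain PHP syntax. Decoding it executes nothing.
$decoded = urldecode('foo%27.phpinfo%28%29.%27');
var_dump($decoded);   // string(16) "foo'.phpinfo().'" - plain data

// Historical vulnerable pattern (pre-PHP 7), shown as a comment only:
// with /e, preg_replace() eval()'d the replacement string after
// substituting backreferences, so user-controlled text reaching that
// replacement ran as PHP. Removed in PHP 7.0, this will not run today.
//
//   $out = preg_replace("/(" . $userTerm . ")/e", "'<b>'.\\1.'</b>'", $text);

// Hardened form: the decoded term is treated strictly as data.
// preg_quote() escapes regex metacharacters and the delimiter, and the
// callback builds the replacement without any evaluation step.
function highlight_term(string $text, string $term): string
{
    if ($term === '') {
        return $text;
    }
    $pattern = '/(' . preg_quote($term, '/') . ')/i';
    return preg_replace_callback(
        $pattern,
        static function (array $m): string {
            return '<b>' . $m[1] . '</b>';
        },
        $text
    );
}

// Code-audit helper for reviewing a PHP code base: does a regex literal
// carry the /e modifier? Modifiers follow the closing delimiter; bracket
// delimiters close with their counterpart, all others with themselves.
function uses_eval_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false;
    }
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

// Usage: the decoded term is matched literally and wrapped, never evaluated.
echo highlight_term("Searching for foo'.phpinfo().' here", $decoded), PHP_EOL;
// -> Searching for <b>foo'.phpinfo().'</b> here

var_dump(uses_eval_modifier('/(\w+)/e'));   // bool(true)  - flag for review
var_dump(uses_eval_modifier('/(\w+)/i'));   // bool(false)
var_dump(uses_eval_modifier('#(\w+)#ie'));  // bool(true)
```

The audit helper is deliberately simple (it inspects a single pattern literal, not dynamically built patterns), which is enough to grep a legacy code base for the sink the maintainer names; the real fix is always the same as in highlight_term: keep user data out of anything that evaluates it.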



Previous Comments:
------------------------------------------------------------------------

[2005-01-30 01:29:13] ieb9 at tfd dot co dot uk

Description:
------------
Before you say no, please read.
I have recently seen a hacker install a rootkit using URL decode. It
was our fault for not having the right version of phpBB.....

but we did have a safe apache install with all the right permissions
and all the things in the right place and the latest kernel patch. The
only reason we noticed was due to a strange hardware configuration that
caused the hacker problems when they started to insert code into
/dev/kmem

However, looking at the code in phpBB, the commands they executed, I
found that they could do exactly the same thing on at least 5 other php
applications. e.g. versions of mambo, phpBugTrak, postNuke (and not just
the phpBB plugin)

From what I could see the exploit only used the urldecode function and
no other libraries, if this is the case, could you please fix the
problem before it becomes a real issue. I think the hacker used this
code to initiate the root kit installation


http://downloads.securityfocus.com/vulnerabilities/exploits/phpBBCodeExecExploitRUSH.pl



Reproduce code:
---------------
I don't think you really want me to post this.

Expected result:
----------------
An open tcp channel where I can get bash shell access as the apache
user on the exploited box, then inject the kernel system call table and
install a rootkit

Actual result:
--------------
A hacked machine (luckily for us caught by a bit of Cisco hardware)


------------------------------------------------------------------------

