UseBB 1.0.7 "vulnerability"

Submitted by Anonymous on Sat, 07/21/2007 - 12:48
Written by
Dietrich

Yesterday (July 20th, 2007), a post was made on the popular Bugtraq mailing list about a so-called vulnerability in UseBB 1.0.7. This vulnerability includes an insecure value of PHP's PHP_SELF variable being used in forms in three old upgrade scripts that can be exploited for an "XSS attack". However, contrary to what the report states, this vulnerability should be rated far from "dangerous".

The vulnerability is found in upgrade scripts which were used to upgrade a few old versions of UseBB, being 0.2.3, 0.3 and 0.4. The latter one was released almost 2.5 years ago. Second, this vulnerability poses zero security threats to an existing UseBB set-up. The only possible abuse of this vulnerability is through receiving a malformed URL (containing possibly dangerous JavaScript) to one of these update scripts. The chances of anyone getting into this situation are very slim, unless you are still updating an unsupported 2.5-year-old UseBB version and are receiving "help" from an abusive person.

In short, this is not a UseBB vulnerability but one in old upgrade scripts which were used up to a couple of years ago.

As a resolution to this vulnerability, these three upgrade scripts have been removed from the source tree in CVS, since they were obviously no longer supported and possibly not even working anymore. If you have the install/ directory present in a publicly available forum, it is advised to remove it in any case, although the scripts should only cause SQL errors and perform no changes when used with an existing set-up.

I am not very satisfied by the way this vulnerability was made public. Besides it being rated "dangerous" without a valid reason, I have not been contacted about this vulnerability in advance to offer a resolution before the report was made public. I am very disappointed in the reporter (who calls himself "S4mi") and hope he/she understands the mistakes that were made.

Since this is not the first time we are plagued by partially false reports, we will start publishing our own security reports when necessary as of the release of UseBB 2.0.0.

Update (September 13th): I. Alshanetsky has found another so-called "vulnerability" in UseBB 1 and made a note about this in his talk about PHP security. The code which is said to be exploitable is not exploitable at all. The developer failed to check the code for security measures and to report his (thus being false) discovery before making public notes about it. Read more about this on my blog.
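The pattern behind the report is worth seeing in code. The following is an added example written for this page, not UseBB's own upgrade scripts: the function names, the hypothetical upgrade.php path and the constructed request path are all assumptions. It shows why echoing PHP_SELF raw into a form action reflects attacker-influenced input (PHP_SELF includes any PATH_INFO appended to the script name by the client), and the two defensive fixes a maintainer would apply: encode the value on output, or stop reflecting the request path at all.

```php
<?php
// Added example (not UseBB code): the PHP_SELF form-action pattern and its fixes.

// Vulnerable pattern: PHP_SELF is echoed raw into an HTML attribute. PHP_SELF
// is derived from the request URI, so a client can append arbitrary PATH_INFO
// to the script name and have it reflected unencoded into the page.
function form_action_unsafe(string $php_self): string {
    return '<form action="' . $php_self . '" method="post">';
}

// Fix 1: encode on output. ENT_QUOTES turns the quote that would close the
// attribute and the angle bracket that would open a tag into harmless entities.
function form_action_encoded(string $php_self): string {
    return '<form action="' . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Fix 2: do not reflect the request path at all. SCRIPT_NAME is the server's
// own idea of the executing script (no client-supplied PATH_INFO), and using
// only its basename keeps the action relative to the current directory.
// 'upgrade.php' is a hypothetical fallback for running this from the CLI.
function form_action_fixed(): string {
    $script = basename($_SERVER['SCRIPT_NAME'] ?? 'upgrade.php');
    return '<form action="' . htmlspecialchars($script, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed request path: a plausible old upgrade-script location followed by
// PATH_INFO containing an attribute-closing quote and a tag. The <i> marker is
// only there to make the broken-out markup visible in the output.
$constructed_php_self = '/install/upgrade.php/"><i>marker</i>';

echo "unsafe:  " . form_action_unsafe($constructed_php_self) . "\n";
echo "encoded: " . form_action_encoded($constructed_php_self) . "\n";
echo "fixed:   " . form_action_fixed() . "\n";
```

Run from the CLI, the "unsafe" line shows the marker landing outside the attribute as live markup, the "encoded" line shows it as inert text inside the attribute, and the "fixed" line shows no reflected path at all. Of the two fixes, the second is what the thread's own resolution amounts to: a script that is no longer shipped cannot reflect anything, which is why removing the install/ directory settles the matter for an already-upgraded forum.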

I have not been contacted about this vulnerability in advance to offer a resolution before the report was made public. I am very disappointed in the reporter (who calls himself "S4mi") and hope he/she understands the mistakes that were made.

People should look before they leap.

Keep up the good work Dietrich and don't mind the "smartasses" that try to discredit other's efforts out of jealousy or mischief, the Net is full of them.

Cheers!
Gene

Yep Mate,

It reminds me of some twit that posted a hacker-hole in an on-line editor with little regard to the security of others including his stupid self. :(

People do need to be more considerate with security matters and not splash them all over the web just to feed their own ego, whether the holes are relevant or not.

You're doing a good job.. Just don't feed the trolls. :P

The report was posted without a resolution and will probably end up on many websites as an "unresolved issue". So, it's my task to clear this up, if I don't it looks like I don't care about security or ignored the report (even though I haven't been contacted and the report is partially bogus).

don't mind the "smartasses" that try to discredit other's efforts out of jealousy or mischief, the Net is full of them.

I don't know what their motivation is, perhaps this is true, perhaps they want to become the next big security experts and don't know anything about disclosing security problems... not even about writing a report in decent English:

Solution :
====================

filtre the PHP_SELF
or you know what's the best lool : Delete the Install directory :D

My biggest concern is that people seemingly can easily get away with writing problematic reports like this about a vulnerability without contacting the maintainer(s) first. This report ended up on Bugtraq and hundreds of websites which mirror them. This basically renders Bugtraq unreliable, which made me decide to make our own reports on the future website. These reports will be the only approved ones and will officially make all the external ones "unconfirmed" until we have published our own.

Don't be distracted by false and or bogus reports against UseBB forum software. I could point you to well established forum software that update their security bugs on an all too regular basis.

Most are so bloated that the security problems only come to light when some hacker squirts the Db or destroys it completely. :(

Stick with what you are doing, and with the people who know and trust that you are doing your utmost to avoid hacker attacks with UseBB.

That's all that really matters.

Anyone can start a hate / spite / jealous attack on UseBB.. That's not important, the honest integrity of UseBB is; and that's your job to keep it that way. :P

It's not about distraction, whenever someone makes a false security report and releases it on a semi-official channel such as Bugtraq, I am forced to make an announcement about it. Perhaps people here know I take security seriously, but not everybody does so. Not reacting to this gives a wrong signal and confirms for most of the people there is a vulnerability in 1.0.7 (itself).

Making our own reports will solve this issue. No report = no vulnerability, whatever others state. (Note: this won't mean (some) security problems will be kept secret in the future, I have always been honest about security and even performance problems, and anyone can see the CVS and SVN source tree and patches applied to it. Just a note to people who weren't convinced about this. ;))

lopalong

Most are so bloated that the security problems only come to light when some hacker squirts the Db or destroys it completely. :(

Stick with what you are doing, and with the people who know and trust that you are doing your utmost to avoid hacker attacks with UseBB.

That's all that really matters.

Anyone can start a hate / spite / jealous attack on UseBB.. That's not important, the honest integrity of UseBB is; and that's your job to keep it that way. :P

How true! Keep up with the excellent work Dietrich.

BTW lopalong, like your Avatar, cracked me up. :D

Cheers,
Gene

have you gotten some advice to the people installing 1.0.7 before it

Everything has been explained in this topic...

Sadly, the above situation happened again (although slightly different). A PHP core developer made a note in one of his talks about certain code in UseBB 1 being exploitable. Again, this is untrue. Again, people did not bother to check the code decently or contact the developer(s).

I have updated the first post in this topic (and thus also the usebb.net front page) and written a detailed blog post about it.

My future plans remain, the new website will have a security section which will list discovered vulnerabilities. No report = no vulnerability. Sadly, the damage is done much faster than you can react as a single developer.

I can't believe that someone would actually publish some article like that without at least testing the supposed 'exploitable code'. It just puts themselves in a position where they have not proven anything and makes them look like they are just making assumptions ( from what I read, this is what it seems they did ).

Well well...

Seems that Ilia Alshanetsky is the core developer of FUDForum.

Take a peek at:
His FUDforum profile

Hmm, doesn't like competition...

Gene
:roll: