Bugtraq mailing list archives

Re: phpBB Worm


From: <ycw1bh302 () sneakemail com>
Date: 22 Dec 2004 04:34:59 -0000

In-Reply-To: <Pine.LNX.4.61.0412212325470.1764 () mailbox prolocation net>

Forgive me if this is a newbie question, but a site I help run was hit by this, and I'm trying to understand it to 
protect against future worms.

The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl to write the Perl script file, then 
executes it.  The script then proceeds to traverse the entire directory structure, overwriting .php, .htm, .shtm, 
.phtm, and on our server, .ssi files, and then spreads itself.  Correct?

I have two questions:

1.  Why has the worm been as effective on Windows servers as on *nix servers?  At the very least, shouldn't the 
difference in file and directory naming cause a problem?  I looked at the decoded Perl script, but I'm not a Perl 
expert, so I couldn't understand all of it.  And what about the difference in file permissions?

2.  More importantly, why wasn't the worm's destructive ability limited by file permissions, especially on *nix 
servers?  If, for example, an HTML file on the server was uploaded by user bob, and has permissions of 755, how can the 
Perl script delete that file?  Shouldn't the Perl script be created with the Perl process's permissions, which was 
invoked by PHP, which should have the Web server's permissions, which should be, at least on most *nix servers, the 
nobody user?

This is a big issue on shared servers, or virtual hosts, whatever you want to call them.  Our site is on a shared 
server, and our site does not even run phpBB, but most of our HTML files were replaced with the worm's content.  
Obviously, then, another site on the server must have an old version of phpBB.  But why could the worm, coming in 
through another site, modify files created by other users?  Even if the worm's script ran as the owner of the 
vulnerable viewtopic.php file, how could it then modify non-world-writable files created by other users?

I have long been concerned with the security of PHP scripts, especially on shared servers.  Since PHP almost always 
runs as an Apache module, and Apache usually runs as nobody, one must make files and directories world-writable for PHP 
scripts to be able to write to them.  But that means that any process on the server, including anyone's PHP script, can 
modify the files.

Thanks for any insights.

Adam Porter

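As an added example (not code from the original thread, nor from phpBB), the following Python audit script checks the condition the message is asking about: which files under a shared document root could be clobbered by a script running as the web-server account. It treats two situations as exposure, the file's own mode granting that account write access, and the containing directory being writable by that account, since a writable directory lets the file be unlinked and re-created whatever the file's own mode says (so a 755 file in a 777 directory is not protected). The sticky bit on a directory blocks that unless the account owns the file or the directory, and the check honours it. The sample tree is constructed in a temporary directory, and uid 65534 is assumed as the conventional nobody uid; the extension list is the one given in the message.

```python
"""Audit a document root for files the web-server user could clobber.

Added example, not code from the original thread or from phpBB. Assumes a
Unix host where PHP runs inside Apache as one unprivileged account
(nobody, uid 65534 by convention; the demo below uses that number).
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Extensions the message lists as overwritten by the worm.
TARGET_EXTS = (".php", ".htm", ".shtm", ".phtm", ".ssi")


def writable_by(mode: int, owner: int, group: int, uid: int, gids: frozenset) -> bool:
    """Classic Unix write check: owner bits if uid matches, else group bits if
    the file's group is one of ours, else the 'other' bits. Root always can."""
    if uid == 0:
        return True
    if owner == uid:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def can_unlink(dir_st: os.stat_result, file_st: os.stat_result, uid: int, gids: frozenset) -> bool:
    """True if (uid, gids) may remove the file from its directory: needs write
    permission on the directory; with the sticky bit set, also ownership of
    the file or of the directory."""
    if uid == 0:
        return True
    if not writable_by(dir_st.st_mode, dir_st.st_uid, dir_st.st_gid, uid, gids):
        return False
    if dir_st.st_mode & stat.S_ISVTX:
        return file_st.st_uid == uid or dir_st.st_uid == uid
    return True


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str  # "file-writable" or "dir-writable"


def audit(root: str, uid: int, gids=frozenset()) -> list:
    """Walk root and report target files that uid could overwrite or replace."""
    gids = frozenset(gids)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_st = os.lstat(dirpath)
        for name in filenames:
            if not name.lower().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and oddities
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings.append(Finding(path, "file-writable"))
            elif can_unlink(dir_st, st, uid, gids):
                findings.append(Finding(path, "dir-writable"))
    return sorted(findings, key=lambda f: f.path)


def demo() -> dict:
    """Build a constructed shared-hosting tree in a temp dir and audit it as
    uid 65534. The files are owned by whoever runs this, so for that uid only
    the group/other bits and the directory modes decide the outcome."""
    root = tempfile.mkdtemp(prefix="docroot-")
    dirs = {
        "bob/public_html": 0o755,     # sane: only bob can add or remove files
        "alice/public_html": 0o777,   # made world-writable "so PHP can write"
        "carol/public_html": 0o1777,  # world-writable but sticky
    }
    files = {
        "bob/public_html/index.htm": 0o644,    # safe from nobody
        "bob/public_html/upload.php": 0o666,   # world-writable file
        "alice/public_html/index.php": 0o644,  # replaceable via its directory
        "carol/public_html/index.htm": 0o644,  # sticky dir: not replaceable
        "alice/public_html/notes.txt": 0o666,  # not a target extension
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, rel))
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample -->\n")
        os.chmod(path, mode)
    for rel, mode in dirs.items():
        os.chmod(os.path.join(root, rel), mode)  # set after files exist
    return {os.path.relpath(f.path, root): f.reason for f in audit(root, uid=65534)}


if __name__ == "__main__":
    for rel, why in demo().items():
        print(f"{why:14s} {rel}")
```

Run it against a real docroot with `audit("/var/www", uid=<web-server uid>, gids={<its gids>})`; anything it reports is a file that a compromised PHP script on any customer's site could overwrite, which is precisely the situation the message describes on a shared server where files are made world-writable so the Apache user can write them.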