Previous Thread
Next Thread
Print Thread
Rating: 5
Page 1 of 2 1 2
Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
Mod Name / Version: Input validation mod (Security fix) 1.1.1

Description: You all probably noticed that several vulnerabilities have been found in ubb.threads over the last months/weeks. Some of them have been fixed by Infopop, but that's only the tip of the iceberg.

There's no proper input validation in ubb.threads, which makes the door wide open for sql injections. Additionally, the output of ubb.threads isn't escaped properly also. This can be used by "hackers" to start XSS (cross site scripting attacks).

Both types of attacks can used to compromise your boards. Either to damage it or to gain unauthorized access.

During a security audit of ubb.threads, I found more than 10 vulnerabilities.

Infopop is aware of this problem and will "take care" of it in the next release. As this will take at least "some weeks", I created a modification that will prevent most of this attacks.

Note that all current installations of ubb.threads are vulnerable at the moment and that some exploits have already been published to security mailing lists (last one yesterday).

If the modification detects a possible attack an error message is displayed and the attack is logged to a logfile.

Working Under: UBB.Threads 6.3-6.4-6.5

Mod Status: Finished

Any pre-requisites:

Author(s): Astaran

Date: 04/20/05

Credits:

Files Altered: ubbt.inc.php

New Files: Validate.php

Database Altered: no

Info/Instructions: Note that there are three versions of this modification (depending on the ubb.threads version you're using).

Just follow the instructions in instructions.txt.

More experienced users can enhance this class to also validate variables that are used in installed hacks/modifications. See the readme.txt for details.

Disclaimer: Please backup every file that you intend to modify.

If the modification modifies the database, it's a good idea to backup your database before doing so.


Note: If you modify your UBB.Threads code, you may be giving up your right for "official" support from Infopop.If you need official support, you'll need to restore unmodified files.
Attachments
127242-InputValidation1.1.1.zip (0 Bytes, 160 downloads)

Last edited by Astaran; 05/11/2005 5:17 PM.
Sponsored Links
Joined: Oct 2003
Posts: 2,305
Old Hand
Old Hand
Joined: Oct 2003
Posts: 2,305
Thanx Astaran!

Joined: Mar 2000
Posts: 528
Junior Member
Junior Member
Offline
Joined: Mar 2000
Posts: 528
Thanks Astaran! Glad to know this is being taken seriously over here.

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
I type Like navaho
Joined: Mar 2000
Posts: 21,079
Likes: 3


- Allen wavey
- What Drives You?
Joined: Feb 2001
Posts: 2,268
Junior Member
Junior Member
Offline
Joined: Feb 2001
Posts: 2,268
Excellent!

Sponsored Links
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
I type Like navaho
Joined: Mar 2000
Posts: 21,079
Likes: 3
Any word on an 'official' fix (6.5.2) from IP yet?


- Allen wavey
- What Drives You?
Joined: Feb 2002
Posts: 295
Member
Member
Offline
Joined: Feb 2002
Posts: 295
Hi,

I'm running 6.4b1, so which of these 2 do I implement (attachment only has instructions for 6.3.x and 6.5.x)?

Sanuk!

Joined: Dec 2002
Posts: 67
Power User
Power User
Joined: Dec 2002
Posts: 67
* Thanks for the mod! I installed it, and when I peep at the logfile it looks like it's validating everything just fine, but should I clean out the logfile occasionally or something. It looks like it's gonna get pretty big as the days go by.

Joined: Aug 2000
Posts: 1,609
Addict
Addict
Offline
Joined: Aug 2000
Posts: 1,609
[]AllenAyres said:
Any word on an 'official' fix (6.5.2) from IP yet? [/]

Beta testers are currently testing 6.5.2b1, which addresses many security issues.

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
[]ksanuk said:
Hi,

I'm running 6.4b1, so which of these 2 do I implement (attachment only has instructions for 6.3.x and 6.5.x)?

Sanuk! [/]
If you're able to modify the hack a bit you can take the version for 6.5.x Use the Validation.php from version 6.5, but the installation instructions from 6.3.x.
Install it, but run it with
define('ABORT_ON_ERROR',false);
for some days. Browse the logfiles and look for unknown parameters. You can manually add them into the validation script. The the readme.txt for further details.

If you're not able to modify it yourself, send over the logfile and I'll have a look at it.

Sponsored Links
Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
[]Calpy said:
* Thanks for the mod! I installed it, and when I peep at the logfile it looks like it's validating everything just fine, but should I clean out the logfile occasionally or something. It looks like it's gonna get pretty big as the days go by. [/]

Yes, delete it from time to time. Currently, there's no mechanism to do this automatically.

Joined: Jan 2001
Posts: 374
Enthusiast
Enthusiast
Offline
Joined: Jan 2001
Posts: 374
Hi,
great script. i tried it with 6.5.1 and got an alert from the Google-Bot:

[] ERROR: SECURITY ALERT: POSSIBLE XSS ATTACK DETECTED!\nERROR: Script "/Cat/0/Number/23157/page/vc/1" has been called with an invalid parameter.\nERROR: parameter named "page" with a value of "vc" contained invalid characters. Valid type is: num.\nERROR: Script has been called from: 66.249.65.206\nERROR: User agent was: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\nERROR: Referer was: \nERROR: Full URI was: /FORUM/php/forum/showthreaded.php/Cat/0/Number/23157/page/vc/1\nERROR: END OF SECURITY ALERT.\nDEBUG: Data "forumbugs" contains alphanumeric characters only. Validation was successful.
[/]

Is there anything I can do to accept this request?

My second question is:
How can you limit the logfile that it only shows errors and not everything.
The log is increasing 10KB per minute! right now.
I better switch logging off for a while.
Greetings
carl

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
I type Like navaho
Joined: Mar 2000
Posts: 21,079
Likes: 3
[]DLWebmaestro said:
[]AllenAyres said:
Any word on an 'official' fix (6.5.2) from IP yet? [/]

Beta testers are currently testing 6.5.2b1, which addresses many security issues. [/]

oh really, odd how the .threads beta testers know nothing of that


- Allen wavey
- What Drives You?
Joined: Aug 2000
Posts: 1,609
Addict
Addict
Offline
Joined: Aug 2000
Posts: 1,609
Yes, really.

I was not aware Infopop still had a separate beta group for .threads. And if they don't know about it, then I agree, that is odd.

Joined: Feb 2002
Posts: 295
Member
Member
Offline
Joined: Feb 2002
Posts: 295
Hi,

"If you're not able to modify it yourself, send over the logfile and I'll have a look at it. "

Thanks, but seeing that I am leaving on a vacation in about 16 hrs I think this will have to wait until after I get back.

Sanuk!

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
[]caymuc said:
Hi,
great script. i tried it with 6.5.1 and got an alert from the Google-Bot:
...

Is there anything I can do to accept this request?

My second question is:
How can you limit the logfile that it only shows errors and not everything.
The log is increasing 10KB per minute! right now.
I better switch logging off for a while.
Greetings
carl [/]
I'll release a new version on thursday, that will address both of it.
Isn't possible in the current version.
The new version will also include a version for ubb.threads 6.4.2

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
I updated the with a new version.

Changes in version 1.1.0:

- added a version for ubb.threads 6.4.x
- fixed several small bugs in the validation routines and added some new parameters
- changed the login so that only errors and unknown variables are logged by default
- added option to notify you by mail of possible attacks or unknown vars (disabled by default, see the instructions.txt for details on how to enable it)
- error message is a lot nicer now and includes some extra information
- explained the configuration options in instructions.txt

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
Upgrade instructions if you already have version 1.0 running:

1. Extract the zip file and open the Validate.php that fits to your ubb.threads version.

2. Adjust the path to the logfile like you did during the inital installation

3. Optionally change the settings (see instructions.txt for a list of configuration options)

4. Upload the new Validate.php to your server

You don't need to alter ubbt.inc.php during the upgrade.
It's a good idea to delete the logfile to start fresh before doing the upgrade.

Joined: Jul 2002
Posts: 135
Journeyman
Journeyman
Joined: Jul 2002
Posts: 135
humm. Any idea why now everything on my page is comming up blank? http://www.schoolscandals.com

Joined: Jul 2002
Posts: 135
Journeyman
Journeyman
Joined: Jul 2002
Posts: 135
Fixed it I think.

I had 7 occurences of "return $thisvar;
so i just left out the last one.

edit: how can I test the log? Make sure I got everything right.

Last edited by SchoolScandals; 05/06/2005 6:55 PM.
Joined: Jan 2001
Posts: 374
Enthusiast
Enthusiast
Offline
Joined: Jan 2001
Posts: 374
Thank you very much for the update and the fix.
I will now switch it on and see what happens.

Greetings
carl

Joined: Jul 2002
Posts: 135
Journeyman
Journeyman
Joined: Jul 2002
Posts: 135
I use the age verification for users prior to signing up and every time a user tries to sign up:

Script "/final/newuser.php" has been called with an invalid parameter.
Parameter named "ssubbt_dob" with a value of "11/18/1989" contained invalid characters. Valid type is: alphanum.


Is there a way to avoid this specific one? or should I change the code to input the DoB as 19811118 or something like that?

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
Open ubbt.inc.php and replace
$validate->addKnownParam($config['cookieprefix'] . "ubbt_dob",'alphanum');

with
$validate->addKnownParam($config['cookieprefix'] . "ubbt_dob",'text');

Joined: Jan 2001
Posts: 374
Enthusiast
Enthusiast
Offline
Joined: Jan 2001
Posts: 374
Hi,
I still get this:

ERROR: Script "/Cat/0/Number/35279/page/vc/1" has been called with an invalid parameter.
ERROR: parameter named "page" with a value of "vc" contained invalid characters. Valid type is: num.

-and-

ERROR: Script "/Cat/0/Number/31920/page/fpart/5/vc/1" has been called with an invalid parameter.
ERROR: parameter named "page" with a value of "fpart" contained invalid characters. Valid type is: num.

ERROR: User agent was: Googlebot/2.1 (+http://www.google.com/bot.html)
ERROR: Full URI was: /showthreaded.php/Cat/0/Number/35279/page/vc/1


So cat is not 'num' if "Googlebotfriendly" is activated in the Board prefs?
(Or do I have a problem in the database?)

And what is to do with "unknown formats?

INFO: UNKNOWN PARAMETER FOUND: U_Language. Value was: english
INFO: Full URI was: /FORUM/php/forum/adduser.php
INFO: UNKNOWN PARAMETER FOUND: U_AcceptPriv. Value was: yes
INFO: Full URI was: /FORUM/php/forum/adduser.php
INFO: UNKNOWN PARAMETER FOUND: U_TimeFormat. Value was: short4
INFO: Full URI was: /FORUM/php/forum/adduser.php


Greetings
Carl

Last edited by caymuc; 05/07/2005 4:21 PM.
Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
[]So cat is not 'num' if "Googlebotfriendly" is activated in the Board prefs?
(Or do I have a problem in the database?) [/]
Well that's a problem of ubbthreads an not a problem of this modification. The function that translates the search engine friendly urls back into variables is a very simple one.
It takes the url and takes all "subdirectories" as key/pair values.
So long story short: If your url is invalid, the translation into variables will fail which causes a security alert.

Invalid url: /Cat/0/Number/35279/page/vc/1
Valid url: /Cat/0/Number/35279/page/0/vc/1

[]
And what is to do with "unknown formats?
[/]
See the readme.txt for details, but basically you can add them in ubbt.inc.php with:

$validate->addKnownParam('U_Language','text');
$validate->addKnownParam('U_AcceptPriv','text');
$validate->addKnownParam('U_TimeFormat','text');

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
Updated the attachment with version 1.1.1.
It contains several "new" variables and fixes some to strict checks.
Everybody should update to this version to avoid false alerts.

To upgrade simply adjust the configuration directives in Validation.php and replace the version on your server.

Joined: Jan 2001
Posts: 5
Lurker
Lurker
Offline
Joined: Jan 2001
Posts: 5
I use UBBT 6.5. In the instructions for 6.5 you say that there are 6 occurences of "return $thisvar;". I have two additional occurences of "return $thisvar;" in the if ($type == "session") block. This matches with your 6.3 and 6.4 instructions.

Did you make a typo?

Tjerk.

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
The instructions are made for 6.5.1, didn't notice that the code differs in 6.5.

So just use the instructions for 6.4:

There are 8 occurences of "return $thisvar;".
Place the following line before the occurences 1 to 6.
So skip the last two located in the "if ($type == "session") {" block.

Will update that for the next release. Thx for your hint.

Joined: Jun 2002
Posts: 670
Code Monkey
Code Monkey
Offline
Joined: Jun 2002
Posts: 670
I noticed the same thing. I added the line before all 7 occurences I could find and the site went blank. Commented out the last one (after the first six) and it worked.

Joined: Jan 2001
Posts: 5
Lurker
Lurker
Offline
Joined: Jan 2001
Posts: 5
May I suggest you move the info about the CONFIGURATION OPTIONS in the end of the instructions.txt file to the instructions right above the options in the Validate.php, and weed out obvious differences like LOG_UNKNOWN_VARS versus LOG_UNKNOWN_PARAMS and ALLOW_UNKNOWN_VARS versus ALLOW_UNKNOWN_PARAMS etc? Also the info about the default settings is not correct everywhere.

Also, in the info about the LOG_UNKNOWN_PARAMS you refer to setting "this to one", where you seem to mean 'true'

Apart from that, nice mod!

Tjerk.

Edit: and maybe rename Validate.php to validate.php?

Last edited by krejt; 06/09/2005 3:00 AM.
Joined: Jul 2001
Posts: 808
Coder
Coder
Joined: Jul 2001
Posts: 808
in your instructions you wrote:

1. Open Validate.php and set the path to the logfile (Line 57). This file must be writeable by the webserver. You can adjust the settings at the top (defined in constants). Standard settings should be fine in most cases.

should this be a path to directory only or a path with filename ?

/edit: it must include a filename

You wrote something about the Googlebot and fix it in 1.1.1
In my log I see the Yahho Slurp like this:

ERROR: SECURITY ALERT: POSSIBLE XSS ATTACK DETECTED!
ERROR: Script "/ubbthreads/showthreaded.php" has been called with an invalid parameter.
ERROR: parameter named "page" with a value of "vc" contained invalid characters. Valid type is: num.
ERROR: Script has been called from: 68.142.250.13
ERROR: User agent was: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
ERROR: Referer was:
ERROR: Full URI was: /ubbthreads/showthreaded.php?Number=108450&page=vc
ERROR: END OF SECURITY ALERT.

I m not sure how to handle your script and like to ask for your assist.

While do some tests I get:

INFO: UNKNOWN PARAMETER FOUND: sub. Value was: browser_misc
INFO: Script "/ubbthreads/feeds/rss.php" has been called with an unknown parameter./ubbthreads/feeds/rss.php?func=board&sub=browser_misc
INFO: Full URI was: /ubbthreads/feeds/rss.php?func=board&sub=browser_misc
INFO: Script has been called from: 80.136.191.134
INFO: Referer was:
INFO: User agent was: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; de) Opera 8.0

Last edited by Zarzal; 06/27/2005 3:42 AM.
Joined: Dec 2002
Posts: 4
Lurker
Lurker
Offline
Joined: Dec 2002
Posts: 4
Will any of these work with 6.1.1?

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
I'll upload a new version of this mod with some clearer instructions this weekend.

Regarding the google/yahoo bot:

"/ubbthreads/showthreaded.php?Number=108450&page=vc"
is an url with invalid parameters.
It should be
"/ubbthreads/showthreaded.php?Number=108450&page=&vc"

Note the additional &.
So the securiy alert is correct. This will not be changed, as this is the desired behaviour. The page parameter should be an integer value.
In your case, it has the value "vc" which is not allowed.

Apart from that, you can change the behaviour by modifing the known_params array in Validate.php.
Search for "page => 'int' and replace it with "page => 'alphanum'.
But beware, that this may lead into a security problems.


Regarding the unknown parameter
"UNKNOWN PARAMETER FOUND: sub. Value was: browser_misc"
The script /ubbthreads/feeds/rss.php isn't a standard ubbthreads script, is it?

You can manually add new params to the validation script. Have a look at the readme.txt for further instructions on how to do this.

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
[]dont said:
Will any of these work with 6.1.1? [/]

I haven't tested this mod with 6.1.1, because neither I or any of my clients are still using that version.
You could try to use the instructions for 6.3.2, but I can't promise that it will work.

Joined: Jul 2001
Posts: 808
Coder
Coder
Joined: Jul 2001
Posts: 808
If I try to rename a forum in the control panel I get this error:

Warning: preg_match() expects parameter 2 to be string, array given in /home/.../ubbthreads/Validate.php on line 320

Warning: htmlentities() expects parameter 1 to be string, array given in /home/.../ubbthreads/Validate.php on line 301

We cannot proceed.
This page has been called with an invalid option.
The execution has been aborted for security reasons.

Further information:

Name of option: forum
Value of option:
Expected data type: alphanum
Name of the script: /ubbthreads/admin/doforummanage.php
Current time: 10.07.2005 19:38

Please contact us if you think that all options are correct. You might have found a bug in our software.

Please use your back button to return to the previous page.

Joined: Dec 2000
Posts: 1,471
Addict
Addict
Offline
Joined: Dec 2000
Posts: 1,471
Can you put a php script on your server and just do this in it:

echo $_SERVER["PATH_TRANSLATED"];

Seems that this variable isn't filled correctly in your environment. Or send a link to your phpinfo site via pm/mail.

Joined: May 1999
Posts: 4
Newbie
Newbie
Offline
Joined: May 1999
Posts: 4
Check you dont have a 'special character' in one of the external lists such as your bad word list as well.

Joined: Jul 2001
Posts: 808
Coder
Coder
Joined: Jul 2001
Posts: 808
[]Astaran said:
Can you put a php script on your server and just do this in it: echo $_SERVER["PATH_TRANSLATED"];[/]

I try it but get a blank page as output. I run on a ZEUS Webserver, no Apache. I can send you phpinfo to PM if you like.

Joined: Jul 2001
Posts: 808
Coder
Coder
Joined: Jul 2001
Posts: 808
[]peterhd said:
Check you dont have a 'special character' in one of the external lists such as your bad word list as well. [/]

which list excactly? I cant remember to change anything like this. Where I should look too ?

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
I type Like navaho
Joined: Mar 2000
Posts: 21,079
Likes: 3
your censored word list, reserved names list, etc.


- Allen wavey
- What Drives You?
Page 1 of 2 1 2

Link Copied to Clipboard
Donate Today!
Donate via PayPal

Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.

Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.
Recommended Hosts
We have personally worked with and recommend the following Web Hosts:
Stable Host
bluehost
InterServer
Visit us on Facebook
Member Spotlight
Bill B
Bill B
Issaquah, WA
Posts: 87
Joined: December 2001
Forum Statistics
Forums63
Topics37,573
Posts293,925
Members13,849
Most Online5,166
Sep 15th, 2019
Today's Statistics
Currently Online
Topics Created
Posts Made
Users Online
Birthdays
Top Posters
AllenAyres 21,079
JoshPet 10,369
LK 7,394
Lord Dexter 6,708
Gizmo 5,833
Greg Hard 4,625
Top Posters(30 Days)
Top Likes Received
isaac 82
Gizmo 20
Brett 7
WebGuy 2
Morgan 2
Top Likes Received (30 Days)
None yet
The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20221218)