Newsgroups: php.internals
Message-ID: <5D.B1.18959.AAC29E64@pb1.pair.com>
To: internals@lists.php.net
Date: Thu, 13 Sep 2007 14:27:19 +0200
Subject: So-called exploitable code found in UseBB 1 by Ilia
From: dietrich.moerman@telenet.be (Dietrich Moerman)

Hello all,

Since this is the first time I am posting to this list, let me first introduce myself. I am Dietrich Moerman, a computer science student from Belgium (that's the small country known for its chocolates ;)). In my free time, I develop the UseBB forum package. Version 1, written in PHP 4, has been developed and available since early 2004, while version 2 (object-oriented PHP 5.2) is currently under development. Especially in the last few years, I have been very aware of security and performance problems, also thanks to Ilia Alshanetsky's talks available on his website.
However, recently we have been plagued by a few false reports spread about so-called "vulnerabilities" in UseBB 1. Announcements have been made to explain the exact situation and to recover from the damage done as much as possible. But... what I found yesterday beats it all.

A recent talk by Ilia about PHP security pitfalls (http://ilia.ws/files/phptek2007_secpitfalls.pdf) mentions "useBB" (wrong capitalization, by the way) as containing exploitable code. The "offending" code was found using Google Code Search and used to demonstrate SQL injection in PHP.

First, let me clearly state that there are at this time no known vulnerabilities or exploitable code in UseBB 1. The code which is said to be exploitable is not exploitable at all. Ilia failed to check the code for security measures; if he had, he would have noticed that the GET variable can only contain strings with pure integer values ($string == strval(intval($string))). In addition to this, all input variables (GET, POST, COOKIE) should be safe against SQL injection.

Second, if Ilia was convinced he had found a security issue in UseBB 1, why did he not contact us about it? I thought it was common sense that the first thing you do when you have found an issue is to contact the developers and await a fix, before releasing any public information.

So, why am I posting this? Mainly to recover from any damage that has been done. I know PHPTek 2007 is visited by lots of capable PHP developers, some of whom also read php.internals, and many (if not all) of them have been falsely informed that UseBB is a forum system whose developer(s) don't care about security and have their code full of SQL injection possibilities. Only the exact opposite is true. I also question whether it is a good idea to just pick random vulnerable code found using Google Code Search and place it in widely read talks about security on a public website without contacting any developer or awaiting any fix.
I know PHP has a bad reputation concerning security, mostly because of the many badly written applications, but randomly casting projects in a bad light because of some "this looks vulnerable" code won't help much; on the contrary. So, if there are any PHP developers in here who have been badly informed about UseBB, I can only hope their view of our project will be adjusted. And if any other people here tend to write talks about security containing example pieces of code from real Open Source projects, first do some research and if necessary contact the developer(s), or else just leave the name of the project out.

Regards,
Dietrich Moerman
UseBB Developer
Student Computer Science
http://dmoerman.be
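As an added illustration (my own code, not UseBB's and not from the post above), here is the integer-only check the author describes, `$string == strval(intval($string))`, run over constructed inputs beside a strict `===` variant; the function names, the query builder and the sample values are assumptions for the demo, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not UseBB code: the "pure integer" check quoted in the
// post, next to a strict variant, applied to constructed sample inputs.

// Loose form as described in the post (PHP 4 era). Note that `==` between
// two numeric strings compares them numerically in PHP ("042" == "42").
function is_int_loose(string $s): bool
{
    return $s == strval(intval($s));
}

// Strict form: only the canonical decimal rendering of an integer passes,
// so "042" and " 42" are rejected as well as non-numeric text.
function is_int_strict(string $s): bool
{
    return $s === strval(intval($s));
}

// Hypothetical lookup: build the query only from a validated value and
// cast anyway, so the intent is visible at the point of interpolation.
function build_topic_query(string $id): ?string
{
    if (!is_int_strict($id)) {
        return null; // reject before touching the database
    }
    return 'SELECT * FROM topics WHERE id = ' . (int) $id;
}

// Constructed inputs: two well-formed ids, then values a sloppy client or
// an injection attempt would send, then two non-canonical numeric strings.
$samples = ['42', '-7', '42 OR 1=1', 'abc', '', '042', ' 42'];

printf("%-10s %-8s %-8s\n", 'input', 'loose', 'strict');
foreach ($samples as $s) {
    printf("%-10s %-8s %-8s\n", var_export($s, true),
        is_int_loose($s) ? 'ok' : 'reject',
        is_int_strict($s) ? 'ok' : 'reject');
}

var_dump(build_topic_query('42'));
var_dump(build_topic_query('42 OR 1=1'));
```

Both forms reject anything carrying SQL syntax; the strict form additionally refuses leading zeros and whitespace, which matters when the value is later compared as a string. On PHP 5.1 and later, a prepared statement with a bound integer parameter removes the need to interpolate the id at all.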