PHP Exploit Enables Theft of phpBB Passwords

A published exploit demonstrates how to use new security holes in PHP to steal database passwords for the popular phpBB bulletin board program. The release of a working exploit on Friday, just two days after the flaws were announced, provides additional incentive for web hosts to upgrade to secure new versions of PHP.

The phpBB development team has notified users of the exploit, which was published on the BugTraq mailing list and several web sites. "This is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions," the phpBB advisory said, urging users and hosting providers to upgrade their PHP installations. Similar advice is being offered by the PHP project site, which has fixed the bugs in versions 4.3.10 and 5.0.3.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bundled with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 156,000 registered members of its user forum.

The phpBB exploit targets flaws in the way PHP stores path information and decodes stored data with the unserialize function. An attacker can use these weaknesses to craft a cookie-and-code combo that can access phpBB's configuration file and retrieve the username and password of the application's MySQL database.

Similar flaws could affect other popular web applications, including the Invision Power Board, vBulletin and PHPAds(New), which all use the unserialize function to access data stored in a cookie, according to Stefan Esser of the Hardened-PHP Project, which released the initial advisory Thursday.
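Because the risk comes from passing cookie bytes straight to unserialize, an application-side defense is to authenticate the cookie before parsing it and to store it as JSON instead. The sketch below is an added example, not code from phpBB, PHP or the advisory; the function names, the key constant and the sample data are hypothetical, and it assumes a current PHP release that provides hash_hmac, hash_equals and json_decode.

```php
<?php
// Hypothetical placeholder; load a random secret from server-side config.
const COOKIE_KEY = 'replace-with-random-secret-from-config';

// Encode session data as "<base64 JSON>.<hex HMAC-SHA256>".
function encode_cookie(array $data): string
{
    $payload = base64_encode(json_encode($data));
    $mac = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $payload . '.' . $mac;
}

// Return the decoded array, or null if the cookie is malformed or altered.
function decode_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;

    // Verify the MAC in constant time BEFORE any parser sees the payload,
    // so client-chosen bytes never reach a decoder.
    $expected = hash_hmac('sha256', $payload, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;
    }

    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }

    // JSON decoding yields only scalars and arrays; unserialize() is not used.
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Round trip with constructed sample data.
$cookie = encode_cookie(['userid' => 42, 'autologin' => false]);
var_dump(decode_cookie($cookie));

// Altering any payload byte invalidates the MAC.
var_dump(decode_cookie('x' . substr($cookie, 1)));
```

This complements the PHP upgrade rather than replacing it, since the flaws themselves are in PHP.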

The Hardened-PHP project, which creates patches to enhance the security of PHP, is not going to release exploits. But Esser said exploits were not exceptionally difficult to create for users with a strong knowledge of PHP. Several security-oriented web sites are offering tips to secure PHP on a web server.