

insecure phpBB scripts

Discussion in 'General Discussion' started by jroes, May 8, 2005.

    Insecure phpBB scripts wreak havoc on the servers I administer, allowing users to upload malicious scripts and in general cause trouble. I am currently working to implement a solution for keeping all phpBB installations on a webserver up to date, in order to prevent attacks.

    I have written a python script that finds all old viewtopic.php scripts so far. More will come soon.

    I just wanted to post my progress here for two reasons:
    1) Share something that might be useful to others
    2) Find out if I'm reinventing the wheel

    I intend to find a way to automatically update each old script encountered using the patch method; however, some installations are almost certainly further back than 1 version.

    Any comments, suggestions, whatever are appreciated.

    # looks for old phpBB installations
    # author:
    # this is public domain - do whatever you want with it
    import os
    import pwd
    import shlex
    # 2.0.15 -- CVS revision of viewtopic.php shipped with the current release
    latest_phpbb = "Id.*1\\.186\\.2\\.41"
    # 2.0.14
    # latest_phpbb = "Id.*1\\.186\\.2\\.40"
    # get the list of viewtopic.phps
    filenames = os.popen("slocate viewtopic.php")
    # look the unprivileged account up via the passwd database instead of grepping
    # /etc/passwd, which would also match e.g. "nfsnobody"
    nobody = pwd.getpwnam("nobody")
    os.setgid(nobody.pw_gid) # need to be nobody group too (drop group before user)
    os.setuid(nobody.pw_uid) # we are now nobody
    for filename in filenames:
        filename = filename[:-1] # remove newline from filename
        parentdir = filename.split("/")[:-1]
        parentdir = "/".join(parentdir)
        print("Found possible phpBB install at", repr(filename) + ", checking if accessible...", end=" ")
        if not os.access(parentdir, os.X_OK): # we can't get to the parent directory
            print("parent directory not accessible.")
        elif not os.access(filename, os.R_OK):
            print("file not accessible.")
        else:
            print("accessible; checking for latest version...", end=" ")
            # quote both arguments so a pattern or an odd filename is never interpreted by the shell
            found = os.popen("grep " + shlex.quote(latest_phpbb) + " " + shlex.quote(filename)).read()
            if not found: # we didn't find the current version's $Id$ line
                print("INSECURE!")
            else:
                print("latest version")
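A present-day take on the same check, added here as an example and not part of jroes's post: instead of relying on slocate and shelling out to grep once per file, it walks a directory tree, reads the header of each viewtopic.php in-process, and compares the CVS revision numerically, so an install that is several versions behind is flagged just like one that is a single version behind. The 1.186.2.41 revision string and the "nobody" privilege-drop idea come from the post; the $Id$ line format, the sample installs and the status strings are constructed for the demo and are assumptions, not phpBB project data. Doing the pattern match in Python also removes the shell from the path, so a user-controlled directory name containing metacharacters cannot alter the command being run.

```python
import os
import re
import tempfile

# Revision of viewtopic.php shipped with phpBB 2.0.15, per the forum post above.
# The exact $Id$ line format below is an assumption for this example.
LATEST_REVISION = "1.186.2.41"

# Matches a CVS keyword line such as:
#   $Id: viewtopic.php,v 1.186.2.41 2005/05/06 00:00:00 acydburn Exp $
ID_RE = re.compile(r"\$Id:\s*viewtopic\.php,v\s+(\d+(?:\.\d+)+)")


def parse_revision(text):
    """Return the CVS revision string found in a viewtopic.php header, or None."""
    m = ID_RE.search(text)
    return m.group(1) if m else None


def revision_key(rev):
    """Turn '1.186.2.41' into (1, 186, 2, 41) so revisions compare numerically."""
    return tuple(int(part) for part in rev.split("."))


def classify(path, latest=LATEST_REVISION):
    """Report whether one viewtopic.php is reachable and at least the latest revision."""
    if not os.access(os.path.dirname(path) or ".", os.X_OK):
        return "parent directory not accessible"
    if not os.access(path, os.R_OK):
        return "file not accessible"
    try:
        with open(path, "r", errors="replace") as fh:
            head = fh.read(8192)  # the $Id$ line lives in the file header
    except OSError:
        return "file not accessible"
    rev = parse_revision(head)
    if rev is None:
        return "no version string"
    if revision_key(rev) < revision_key(latest):
        return "INSECURE (%s)" % rev
    return "latest version"


def scan_phpbb(root, latest=LATEST_REVISION):
    """Walk root and classify every viewtopic.php found; keys are paths relative to root."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "viewtopic.php" in filenames:
            path = os.path.join(dirpath, "viewtopic.php")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = classify(path, latest)
    return results


def build_demo_tree(base):
    """Create constructed sample installs: current, one version behind, and no $Id$ line."""
    samples = {
        "site_a/forum/viewtopic.php":
            "<?php\n/* $Id: viewtopic.php,v 1.186.2.41 2005/05/06 00:00:00 acydburn Exp $ */\n",
        "site_b/phpBB2/viewtopic.php":
            "<?php\n/* $Id: viewtopic.php,v 1.186.2.40 2005/03/03 00:00:00 acydburn Exp $ */\n",
        "site_c/board/viewtopic.php":
            "<?php\n// header stripped, no CVS keyword present\n",
    }
    for rel, body in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return scan_phpbb(base)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(rel, "->", status)
```

On a real host you would run scan_phpbb over the document roots after dropping to an unprivileged account, as the original script does; the "no version string" result is worth keeping as its own category, since a viewtopic.php with its header stripped is exactly the kind of file that deserves a manual look rather than a silent pass.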
