The phpbb web worm is a great feat, perpetrated by two wholesome groups: the hackers who found the hole, and the hackers who built the software with the hole in it.
Now, phpbb is an easily set up board, or 'forum', that enables even your grandmother to have 'instant community', as vbulletin so often likes to put it. 'Instant community?', you might be wondering. Well yes, that's how easy it is -- to get hacked by an instant community of nefarious intelligentsia.
Now don't you be worried if your forum has very, very low traffic or is just set up in a directory on your website that no one knows about -- gorgeous google is used to plunder the net for sites. Finding security holes with search engines is nothing new; people have been doing it for years. But what is grand is that this worm queries google directly, automatically, to find other sites that run phpbb.
This is all achieved because of programmer ego inflation which demands a copyright and version notice of the forum software running your forum. Forget about the niggling fact that running a useful forum is much much more than just paying your 12-yo neighbor five bucks to install some half-assed software on your site. Btw, if you think vbulletin is exempt just because you paid them your life savings to run their junk, think again bucko; vbulletin has gone to the extreme of suing people who do not comply with the demand of displaying their copyright notice which includes the software version number.
The sheer idiocy of displaying your software name and version on a publicly accessible site is mind-bogglingly retarded, and it sparks discussions of security through obscurity which spin even the mountains of parnassus into an abstracted discussion which bears no fruit. I bear fruit, and orchards of it.
Hiding your software name and version might not make you secure, but it sure saves you from automated search engine queries that play hunt for the hole. Hacking mainstream sites with known exploits and the wide reach of search engines, just to deface them, is not cool. Why not? Because you're dumb, you're just hitting as much as you can without any neat tricks. Smacking the doll with a heavy backhand is not as cool as pouring acid on her head drip by drip.
Oh and btw, I have a solution if you're worried about being sued for not displaying software name and version number. Make it a graphic and then it cannot be exploited by searching search engines, at least not in 2004 and most likely not in 2005 either. Here's another solution: don't follow the mainstream and do what everyone else is doing, don't run what everyone else is running. This has the benefit of making you smarter, and the drawback of more work. I understand people sometimes just need to run phpbb or vbulletin or ipb (invision power board). I also understand that without going to some lengths to secure your install, you are shit out of luck. Oh and backups are useful too, while I'm doing the standard routine of slapping you with a big ol' trip of mea maxima culpa.
zdnet is talking about something like 40,000 sites hit by this worm. They find this out by doing a search for the phrase NeverEverNoSanity, which thankfully the worm writes to the defaced site. Of course, relying on the number of hits a search engine gives you to estimate this is not valid: the more people write those words on their own pages while talking about this 'event', the less true the estimate becomes, since their pages also get added to the search engine indices and inflate the number of hits returned.
From that zdnet article: "After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm."
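Since the worm leaves that exact marker in every page it overwrites, the quickest way to find out whether your own box is among the 40,000 is to sweep the web root for it. The following is an added example, not code from the original post or from phpbb; it walks a directory for the page types the article lists, reports every defaced file with the worm generation parsed from the marker, and exercises itself on a constructed sample web root (no real infection involved).

```python
import os
import re
import tempfile

# Text the worm writes into every page it overwrites (quoted from the
# Kaspersky description cited by zdnet); digits after "generation" = counter.
DEFACE_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")

# Page types the worm is reported to overwrite (HTML, PHP, ASP, JSP, SHTML).
TARGET_EXT = {".html", ".htm", ".php", ".asp", ".jsp", ".shtml"}

def defaced_generation(content):
    """Return the generation number if content carries the marker, else None."""
    m = DEFACE_RE.search(content)
    return int(m.group(1)) if m else None

def scan_webroot(root):
    """Walk a web root; return {relative path: generation} for defaced pages."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    gen = defaced_generation(fh.read(4096))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if gen is not None:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = gen
    return hits

def demo():
    """Constructed sample web root (not a real infection) to exercise the scan."""
    root = tempfile.mkdtemp()
    defaced = ("This site is defaced!!! This site is defaced!!! "
               "NeverEverNoSanity WebWorm generation 24")
    os.makedirs(os.path.join(root, "forum"))
    samples = {
        "index.html": defaced,
        "forum/viewtopic.php": defaced.replace("24", "25"),
        "about.htm": "<html><body>nothing to see here</body></html>",
        "notes.txt": defaced,  # not a page type the worm rewrites; ignored
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return scan_webroot(root)
```

Point scan_webroot at your real document root to get the same map of defaced pages; a non-empty result means restore from the backups mentioned above, not just delete the page.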
Security experts complain that google should not serve results that include software version numbers or other giveaways. Here's the only fucking problem with that ridiculous statement: it's not feasible. Who decides what should be censored? Whoever runs the fucking engine (reality biting you in the ass). It may not be the best thing in terms of 'freedom of information' but it IS reality. Whoever controls the spice, controls your life. If you can get a group of hicks together to convince our overl0rdz at google that yeah, they should censor 'britney spears', 'paris hilton', and 'dog sex', then yes, I'm with you all the way, since they're all equivalent. Oh hell, add ron legrand too. Thanks. But if you can't, well, too bad I guess. Try and make yourself less of a target. google is bad enough. imagine if web results became censored by an authority, for our own 'security enhancements'. Imagine the doublespeak. It would make Microsoft's new 'Palladium - A New Security Initiative' look like straight talk from your gramps.
Remember that this is a perfect instance of going down with a popular ship, be it vbulletin, ipb, phpbb, or the titanic.
The phpbb release that fixes this hole was issued as 'phpBB 2.0.11 :: 18th November 2004'. Notice how the worm took off one month after this! That's because people don't upgrade their webapp software often -- and I DON'T BLAME THEM, as most webapps are poorly made, and as all users know, UPGRADES BREAK THINGS. What a fucking misnomer.
The phpbb worm spreads through this hole.
The zdnet article is full of shit and so is zdnet. I just received this link so I used it as one of my sources. Do not believe everything you read, and don't believe at least half of what you read there.
CERT issues an advisory, after we've known about this hole for a month, but only once the worm starts making its rounds.
This thread on phpbb.com is interesting because it shows the exact hole used in the exploit: they don't strip enough, or do enough sanity checking, on the variable given in their highlight request. A highlighting feature was probably tacked on at the last minute so that they could compete with the featuritis that is vbulletin.
PHP itself has also recently had some serious exploits come to the surface; luckily those are probably less easy to exploit by hunting for security holes with search engines.
Release information for phpbb 2.0.11 in the phpbb forum.
From the phpbb changelog of issue 2.0.11, released Nov 18, 2004:
i. Changes since 2.0.10
- Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
- Fixed unsetting global vars - Matt Kavanagh
- Fixed XSS vulnerability in username handling - AnthraX101
- Fixed not confirmed sql injection in username handling - warmth
- Added check for empty topic id in topic_review function
- Added visual confirmation mod to code base