Session hijacking: what’s (probably) going on

Over the last couple of months I’ve had a number of clients come to me because of mysterious things happening on their forums. Going to a forum they find that they are logged in as someone else and can see things they definitely should not see, such as private messages and forums they don’t have privileges to see. I’ve spent a lot of time trying to figure this out, talking to clients’ web host support teams and scouting phpbb.com for a solution.

The good news is that this is not due to some deficiencies in phpBB. The bad news is that this is due to the way your web host has configured their servers and it’s affecting phpBB.

phpBB is the #1 forum solution, with something like 70% of the market. But as a percentage of popular software installed on websites, phpBB is tiny, on about 1% of websites. What’s the 800 pound gorilla? It’s WordPress, which runs 27% of websites. So web hosts will meticulously tune their servers to optimize for WordPress, giving short shrift to much of the rest of the open source software out there. Most web hosts now say they are optimized for WordPress and market WordPress-specific hosting. phpBB is being left behind along with lots of other software. Because phpBB builds nearly every page on the fly from database content, it benefits far less from static-content caching than most open source software does.

The problem is most acute if you have Bluehost shared hosting. The underlying issue is some software called Varnish, more specifically Varnish HTTP Cache. Varnish helps dynamically driven sites perform more efficiently by caching content in your server’s virtual memory. Web hosts can make more money if they can get more utilization out of one web server. Varnish is one way they keep costs down, as it allows them to stuff more websites on one machine.

Varnish is kind of pointless with phpBB since phpBB already has its own cache, which you can find in your forum’s cache folder. Essentially phpBB programs, templates, stylesheets and SQL calls are all compiled into .php programs in the cache folder so they can be executed more quickly. So Varnish is redundant, but more importantly it interferes with phpBB’s default behavior. So if you have the issue, contact your web host to find out whether they are using Varnish and, if so, have them turn it off. As for Bluehost, as of this writing they will tell you they can’t turn it off. You have shared hosting, so one size fits all. They will however be happy to move you to their cloud product. Varnish is not installed there, so you won’t be affected. However you may have to pay a higher hosting fee.
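To make the failure mode concrete, here is an added illustration (my own, not code from the original post, from phpBB or from Varnish) of how a shared cache ends up handing one user’s page to another. It models two cache policies in plain Python: a careless one that keys cached pages on the URL alone, and a safe one that applies the two rules Varnish’s built-in VCL uses by default, namely pass any request carrying a Cookie header straight to the backend and never store a response that sets a cookie or is marked Cache-Control: private, no-cache or no-store. The session cookies, user names and the stand-in backend are constructed for the demonstration.

```python
"""Model of how a shared HTTP cache in front of phpBB can serve one user's
private page to another. Constructed example; the backend stands in for phpBB."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    cookie: Optional[str] = None  # the forum's session cookie, if any


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed sessions for the demonstration; a real forum looks these up in its DB.
SESSIONS = {"sid=aaa": "alice", "sid=bbb": "bob"}


def backend(req: Request) -> Response:
    """Stand-in for phpBB: renders the page for whoever the session cookie
    identifies and marks it private, which is the correct thing to do."""
    user = SESSIONS.get(req.cookie or "", "guest")
    return Response(
        body=f"private messages for {user}",
        headers={"Cache-Control": "private, no-cache",
                 "Set-Cookie": req.cookie or "sid=guest"},
    )


def cacheable_response(resp: Response) -> bool:
    """Rules a correctly configured cache applies before storing a response."""
    if "Set-Cookie" in resp.headers:
        return False
    cc = resp.headers.get("Cache-Control", "").lower()
    return not any(tok in cc for tok in ("private", "no-cache", "no-store"))


class Cache:
    def __init__(self, safe: bool):
        self.safe = safe
        self.store: Dict[str, Response] = {}

    def fetch(self, req: Request) -> Response:
        if self.safe and req.cookie:
            return backend(req)  # cookie present: bypass the cache entirely
        if req.path in self.store:
            return self.store[req.path]  # shared hit, handed to whoever asked
        resp = backend(req)
        if not self.safe or cacheable_response(resp):
            self.store[req.path] = resp
        return resp


def simulate(safe: bool) -> Tuple[str, str]:
    """Alice opens her PM page, then Bob opens the same URL with his own
    session cookie. Returns the page body each of them actually receives."""
    cache = Cache(safe)
    alice = cache.fetch(Request("/ucp.php?i=pm", cookie="sid=aaa")).body
    bob = cache.fetch(Request("/ucp.php?i=pm", cookie="sid=bbb")).body
    return alice, bob


if __name__ == "__main__":
    for safe in (False, True):
        print("safe cache:" if safe else "careless cache:", simulate(safe))
```

With the careless policy Bob receives Alice’s private-message page, which is exactly the “logged in as someone else” symptom described above; with the default rules in place the cookie-bearing requests never touch the cache and each user sees their own page. A host that overrides the built-in VCL to cache cookie-bearing traffic (to squeeze more sites onto a box) has re-created the careless policy.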

It’s unclear if Varnish is the sole cause. Other potential problems may be due to Content Delivery Networks (CDNs). This is most typically CloudFlare, since it is bundled free by most web hosts. CDNs attempt to move content closer to the user by having it fetched from server farms geographically close to the site viewer, thus speeding up page load time. This is usually fine with phpBB since CDNs generally only store static files like images. So a CDN shouldn’t cause issues like this, but if you have a CDN you might want to disable it to see if the problem goes away. Note: the one time you do need to do something with your CDN is when you add a style or significantly change the look of your site. Then it’s a good idea to tell the CDN to delete all its cached content. Otherwise, the experience by end users might be mixed or odd.

I also suspect that ModSecurity may be causing issues like this, but I don’t have enough proof yet. If it is enabled, disabling ModSecurity may make your problem go away. As I blogged recently, disabling ModSecurity in general tends to solve a lot of weird phpBB issues, while it may introduce others by potentially making it easier for your site to propagate malware and viruses.

ModSecurity can cause problems with phpBB

If you are noticing weird errors on your phpBB forum which otherwise has been running well for years, ModSecurity may be causing them. I’ve been noticing a lot of issues with phpBB forums lately that have ModSecurity as the root cause.

What is ModSecurity?

It’s a web application firewall, wholly open source. As its name implies, its job is to tighten up the security of a web server. Web servers are prominent targets for hackers, of course. ModSecurity was originally written as a module for the Apache web server. It has lots of functions of course, but its main job is to prevent hackers from damaging web servers and the websites that reside on them. Started in 2002 for Apache, it now serves all principal web servers on the web, including NGINX and IIS.

How does ModSecurity cause problems with phpBB?

It appears that ModSecurity and phpBB don’t get along very well. These problems may be occurring because the web host added it or turned it on for you and didn’t tell you. ModSecurity can generate various application errors causing the behavior of phpBB to change. In one recent example, when a client tried to click on the Administration Control Panel link, he was redirected to his website homepage instead. Disabling ModSecurity solved his problem.

Here are some other symptoms caused by ModSecurity intercepting and redirecting web traffic that my clients experienced recently:

  • In phpBB 3.2, the Viglink and share forum statistics screens come up in the Administration Control Panel by default after you update to that version. There are checkboxes that allow you to uncheck these. In this case unchecking these and submitting the form generated an unfriendly error message: “Unused” and reported an internal error. This made it impossible to get to the General tab and do things like purge the cache.
  • A forum would not come up at all. Only a white screen appeared. Disabling ModSecurity solved the problem. Note: other issues can cause this, including malware or syntax errors introduced into your forum’s phpBB code.
  • In phpBB’s /cache/production folder, files are created by phpBB with an “autoload_” prefix. These were getting deleted outside of phpBB, triggering PHP warnings. Turning off ModSecurity caused the problem to go away (after purging the cache).

How do I know if I am using ModSecurity?

Administration Control Panel > PHP Information. If your web server is Apache, search for “apache2handler” and look at the loaded modules. Scan for “mod_security” or “mod_security2”. If it’s there, it’s enabled. If you can view your web server error log, scan it for “mod_security”. If you find it, it’s enabled. You can also ask your web host if they have it enabled for your site.

Is it safe to disable ModSecurity?

Perhaps not, but you may not be able to have anyone access your forum unless you disable it. Most likely ModSecurity’s rules are not optimally written to accommodate phpBB forums.

Can I disable ModSecurity just inside my forum and leave it enabled on the rest of my website?

Perhaps. Try adding this to the top or bottom of your forum’s .htaccess file. The first block is for ModSecurity 2.x, which is what most hosts run today; the second carries the older 1.x directives (SecFilterEngine and SecFilterScanPOST), which ModSecurity 2.x does not understand. Be aware that a host can build ModSecurity 2.x so that it refuses these directives in .htaccess; if your site starts returning HTTP 500 errors right after you add them, remove them again and use the control panel instead. If the problem goes away, you are done! (The IIS web server does not use the .htaccess file.)

<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>
<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

How do I turn off ModSecurity for my domain?

Look in your web host control panel. If there is a security section, there may be a feature there to enable or disable ModSecurity. Disable it if you can find it. You may have to ask your web host.

Malware issues with phpBB

As I do work for lots of different clients, I see patterns that others may not. Recently I’ve been seeing frequent malware issues on mostly older phpBB 3.0 forums. Since it’s malware, it’s often hard to know that you have malware. The malware may not be doing anything malicious to your web site, but it is trying to infect the computers of the users of your forum.

Do you have malware?

There is no way to really know if you have malware or not without comparing the version of phpBB you have installed with a reference version. If your forum seems to be operating normally, you will have no reason to check for malware. But if a forum that was recently running optimally now seems slower, particularly when loading pages, this might point to a malware problem. You or users accessing your forum might have antivirus tools installed that may detect malware.

Is phpBB software introducing your malware?

Almost certainly not. Rest assured that the phpBB Group spends considerable time and effort to check software it releases for security issues. In fact, it uses some of the best software available to find potential issues so they don’t occur. So it’s unclear to me how this malware is being introduced, but rest assured it’s not an issue with anything the phpBB Group has done.

That said, the phpBB Group has improved its security practices over time. One thing that has changed is that it is now judicious about using PHP eval() statements. They have not all been removed, but where they are used they are marked as exceptions in the code. PHP eval() statements are dangerous because any code placed inside the parentheses is evaluated and executed. Since you don’t know what the code will be in advance, any use of eval() introduces a potential vulnerability to phpBB.

How is malware getting on a forum?

It’s hard to say definitively how this malware is getting introduced. Most likely it is being introduced by wrong permissions on phpBB folders and files. In phpBB only the files, images/avatars/upload and store folders should be publicly writable (0777 permissions). It’s critically important to make sure that your forum’s config.php file is not publicly writable. You can use tools like your web host’s File Manager or an FTP program like Filezilla to check your folder and file permissions and correct them as necessary.

Malware could also be introduced by sloppy server management by your web host.
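Checking permissions by hand in a File Manager is tedious on a tree the size of phpBB, so here is an added script (mine, not code from the original post or from phpBB) that walks a forum directory and reports what the paragraph above warns about: a config.php that group or others can write, and anything world-writable outside the folders the forum legitimately writes to. It assumes a Unix host with the forum under one directory. The writable folders follow the post (files, images/avatars/upload, store) plus cache, which phpBB’s installer also requires to be writable; a .php file dropped into the upload folders is reported as well, since nothing in phpBB puts PHP there. The sample modes used in the comments are constructed.

```python
"""Audit a phpBB tree for permissions that invite malware (constructed example)."""
import os
import stat
from typing import List, Optional

# Directories the web server is expected to write into. Anything world-writable
# elsewhere, and any config.php that others can write, is reported.
WRITABLE_DIRS = ("files", "images/avatars/upload", "store", "cache")


def classify(relpath: str, mode: int, is_dir: bool) -> Optional[str]:
    """Return a finding for one path, or None if its permissions are acceptable.
    relpath is relative to the forum root; mode is st_mode from stat/lstat."""
    perms = stat.S_IMODE(mode)
    norm = relpath.replace(os.sep, "/")
    others_can_write = bool(perms & (stat.S_IWGRP | stat.S_IWOTH))
    world_writable = bool(perms & stat.S_IWOTH)

    if norm == "config.php":
        # config.php holds the database credentials; only the owner should write it.
        if others_can_write:
            return f"CRITICAL config.php is writable by group/others (mode {perms:04o})"
        return None

    in_writable = any(norm == d or norm.startswith(d + "/") for d in WRITABLE_DIRS)
    if in_writable:
        # cache/ legitimately holds compiled .php; the upload areas never should.
        if not is_dir and norm.endswith(".php") and not norm.startswith("cache/"):
            return f"WARNING PHP file in upload area: {norm}"
        return None  # intentionally writable area, e.g. files/ at 0777

    if world_writable:
        kind = "directory" if is_dir else "file"
        return f"WARNING {kind} {norm} is world-writable (mode {perms:04o})"
    return None


def audit_tree(root: str) -> List[str]:
    """Walk the forum root and collect findings, skipping symlinks."""
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            finding = classify(rel, st.st_mode, stat.S_ISDIR(st.st_mode))
            if finding:
                findings.append(finding)
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for line in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it as `python audit_perms.py /path/to/forum` (file name assumed) from a shell on the host or on a downloaded copy that preserved modes; an empty report means the tree matches the layout described above.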

Possible malware symptoms

If your forum comes to a halt rather unexpectedly, malware may be the cause. For example if you cannot login and you were previously able to login, this may be due to malware. What I often see are HTTP 500 (Application errors) reported. HTTP errors are usually written to a log. Sometimes you will find that your web server puts a file named error_log in your phpBB root folder, or in your web root folder. Examine the error log at the time the error occurred and see if there are any messages. In particular if there is an error message saying a PHP eval() statement failed, this may point to a malware issue.

How do I know if my forum’s files have malware?

As I mentioned, the only way to know for sure is to compare your forum’s files with a phpBB reference. I usually find malware at the top of some or all .php files. You can use these procedures. This is obviously a lot of work. If you prefer, I can do this and fix most issues found for 1-2 hours of labor ($30 – $60). Contact me.

  1. Determine the version of phpBB you are using. If you can get into your Administration Control Panel, it will show the phpBB version on the main screen. If you can’t, this SQL query, run using a tool like phpMyAdmin, will tell you. You must be in the database containing your forum. If you are unsure what the name of the database is, you can see it in your config.php file. On the SQL tab, paste and execute the following SQL. (Change the table prefix if necessary to what you are using):
    select config_value from phpbb_config where config_name = 'version';
  2. Download a copy of the official version of phpBB that you have installed and expand the archive. All versions can be found here. For phpBB 3.0, you can also find it here.
  3. Install a tool that can compare files and directories. If you are using Windows, WinMerge is an obvious choice. For the Mac, if you know Unix there is the Unix diff command but it’s not easy to use. For Mac or Linux, I recommend kdiff3 which is also available for Windows and most Unix variants.
  4. Use FTP to download your phpBB forum files to your local computer. Keep it in its own directory. Note: this can be quite time consuming particularly if you allow users to upload files and images. You might want to skip downloading the files, images and cache folders.
  5. Compare your phpBB programs with the reference version. If malware was introduced, it is most likely in .php files, but could possibly be in .html or .js files too. The tool will highlight files and folders with differences. Malware is most likely to be seen at the top of the file, probably inside of a long PHP eval() statement. It should stick out like a sore thumb, as the malware code will look odd and different. Note: some differences could be due to installing phpBB 3.0 modifications. phpBB 3.0 modifications work by changing phpBB’s source files.
  6. Upload clean versions of uninfected files from your reference. Make sure you are replacing the old programs. Note: if there is malware in config.php, remove it manually using the File Manager’s edit function. You want to preserve the lines that are critical to connecting to the database.
  7. If most files are infected, you might want to replace all the files. If you do this:
    1. Backup your files and the database just in case.
    2. Do not replace the config.php file, but edit as in Step 6.
    3. If you see no malware in the style folder, don’t upload that as it’s unnecessary and you may overwrite changes made to your style for your logo, unique colors, etc. If you have to remove malware from a style folder, it’s best to do it carefully and edit out the malware on a file-by-file basis.
    4. Do not remove valid files such as uploaded images and documents in the files and images folders.
    5. If you are using phpBB 3.0 and have modifications installed, you will have to edit any files that the mod changes to regain the functionality of the mods. The install.xml file for the mod should detail all the file changes needed. You should also be able to see these changes using your file difference program.
  8. Run and test phpBB. Everything should behave normally.
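Steps 4 and 5 above are mechanical enough to script. The following is an added example (mine, not code from the original post or from phpBB) that does the comparison once both trees are on your local machine: it hashes every file under the downloaded forum and under the unpacked reference archive, lists files that are modified, extra or missing, and for each changed .php file scans the first few kilobytes for the functions injected code is usually wrapped in (eval, base64_decode, gzinflate and friends) so that you know which files to open first. It assumes the data folders the post says to skip (cache, files, images, plus store) are excluded, and the skip list, size of the scanned head and the function list are my choices. phpBB itself uses eval() in a few marked places, so a hit is a prompt to look, not proof of infection; the hash comparison against the reference is the ground truth.

```python
"""Compare an installed phpBB tree with a clean reference and flag files to
inspect first (constructed example)."""
import hashlib
import os
import re
from typing import Dict, List

SKIP_DIRS = ("cache", "files", "images", "store")  # user data, not program code
HEAD_BYTES = 4096
# Functions injected code commonly hides behind. A match is a hint, not a verdict.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.I,
)


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> Dict[str, str]:
    """Map each relative file path under root to its SHA-256, skipping data dirs."""
    out: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            out[rel] = file_sha256(os.path.join(dirpath, name))
    return out


def diff_manifests(installed: Dict[str, str], reference: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as modified, extra (not in the reference) or missing."""
    return {
        "modified": sorted(p for p in installed if p in reference and installed[p] != reference[p]),
        "extra": sorted(p for p in installed if p not in reference),
        "missing": sorted(p for p in reference if p not in installed),
    }


def suspicious_head(text: str) -> List[str]:
    """Names of suspicious functions called within the first HEAD_BYTES of a PHP file."""
    return sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text[:HEAD_BYTES])})


def report(installed_root: str, reference_root: str) -> List[str]:
    """Findings as text lines, changed .php files with suspicious heads listed first."""
    result = diff_manifests(manifest(installed_root), manifest(reference_root))
    lines: List[str] = []
    for rel in result["modified"] + result["extra"]:
        if rel.endswith(".php"):
            with open(os.path.join(installed_root, rel), "r", encoding="utf-8", errors="replace") as fh:
                hits = suspicious_head(fh.read(HEAD_BYTES))
            if hits:
                lines.append(f"INSPECT {rel}: {', '.join(hits)} near top of file")
    for kind in ("modified", "extra", "missing"):
        lines.extend(f"{kind.upper()} {rel}" for rel in result[kind])
    return lines


if __name__ == "__main__":
    import sys
    for line in report(sys.argv[1], sys.argv[2]):
        print(line)
```

Invoke it as `python compare_forum.py ./downloaded_forum ./phpBB3` (file name assumed; the second argument is the folder the official archive unpacked into). MODIFIED and EXTRA entries are the ones to open in your diff tool; on a phpBB 3.0 forum with modifications installed, expect the files listed in each mod’s install.xml to show up as modified even when clean.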

Preventing malware

  1. Make sure your forum’s file and folder permissions are set correctly. See above.
  2. Upgrade or update your forum to the latest version of phpBB.
  3. Make a practice of updating your forum soon after new releases of phpBB are announced. Releases contain fixes for any security issues found.
  4. Many web hosts offer Apache ModSecurity that can be enabled in the web host control panel. Sometimes it is enabled by default. While enabling ModSecurity can prevent a lot of problems, my experience is that phpBB and ModSecurity don’t work well together. It may introduce its own HTTP 500 errors. You can try enabling it and see whether it causes issues. If it does, disable it, or add code to your forum’s .htaccess file to disable it inside your forum only.