phpBB Upgrade - Server Wide - WHM Global Upgrade Needed!

[peterquast]

phpBB Upgrade - Server Wide - WHM Global Upgrade Needed!

Ok, we have hundred accounts on a server, they ALL use phpBB...

The OLD version that they are ALL using is NOT SECURE...

If each client logs into their Control Panel, they will be prompted to CLICK A BUTTON to upgrade...

WHAT we need is a function in WHM to UPGRADE ALL of them with one touch of button PLEASE

Otherwise, my server is NOT SECURE until every single client goes and upgrades each board.

HELP!!!

[jester.ro]

But there is such a thing.

It's called "addon script manager"
Last link in the left frame of WHM

But you have to have a new version of cpanel/WHM
Latest STABLE has it

[easyhoster1]

But there is such a thing.

It's called "addon script manager"
Last link in the left frame of WHM

But you have to have a new version of cpanel/WHM
Latest STABLE has it

Still 404 on FREEBSD users??

[peterquast]

Here is what i am using, and i dont see that link ?

WHM 9.9.8 cPanel 9.9.8-E142
RedHat 9 i686 - WHM X v3.1.

[peterquast]

Sorry, ignore me

Thanks for the heads up on that function... i really appreciate it.

[easyhoster1]

Here is what i am using, and i dont see that link ?

WHM 9.9.8 cPanel 9.9.8-E142
RedHat 9 i686 - WHM X v3.1.

Did you install the script in addon moduels?

Name: addonupdates
Author: cPanel Inc.
Installed Version: 0.2
Version: 0.2
Description: Addon Script Manager/Updater !!BETA!!
Price: free

[Dillard]

Still 404 on FREEBSD users??

As it seems here we can't get this to work on FreeBSD (page not found)

[Stobe]

I've got the latest version of Cpanel installed, and I used the addon update script. But it only found 2 installations of phpbb (which I know is way off) when I click on f"Find Installations".

Any ideas why?

When I log into cpanel on a domain that has a phpbb installed, it will only allow me to "Click here to update to 2.0.8"

??

Thanks,
Stobe

[haze]

Not sure why its not showing any more users if they've installed it via cpanel. But what worries me more is that it says "Click here to upgrade to 2.0.8" when that version is vulnerable. Are you using a 3rd party installer ? Or do you have the option to install and keep updated phpBB via "addon scripts" under the cpanel menu heading in WHM ? If not, you will need to rely on whatever 3rd party you are using to get the updated scripts and perhaps provide you with a means for mass updating.

Perhaps you might just need a good old /scripts/upcp ?

[fusioncroc]

if your planning on fixing the recent worm exploit just do the following commands

mkdir phpbb
cd phpbb
pico wormfix.pl
---------------- paste this code --------------------------------
#!/bin/sh
for i in `locate viewtopic.php`
do
if grep "htmlspecialchars(urldecode" $i > /dev/null; then
echo $i >> vulnerable_phpbbs
/usr/bin/replace 'trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));' 'trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));' -- $i
fi
done
----------------------------------------------------------------------
then do perl wormfix.pl

and it will fix the exploit that makes the worm work
also if you upgrade to php 4.3.10 and have wget chmod'ed to 750 and run mod security
then you will have a extra layer of security

btw i've ran this script on 5 servers and another host has used the script to fix 15 servers +
but use it at your own risk

[cyon]

Thank you very much!!
I run it and it seems to work fine.
But if there is a foldername with a whitespace in it this error occurs:

grep: /home/username/public_html/folderwith: No such file or directory
grep: whitespace/board/viewtopic.php: No such file or directory

[haze]

Hrm.. im not much of a programmer ( not at all actually )

But, and i can't guarantee this won't do something evil or if it will work at all, however the $i in:

Code:

/usr/bin/replace 'trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));' 'trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));' -- $i

You might be able to rap it in ""'s so it looks like:

Code:

/usr/bin/replace 'trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));' 'trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));' -- "$i"

Darn those windows ppl and their white spaces!!

[dezignguy]

FYI, That wasn't the only vulnerability fixed in phpbb 2.0.11, so while your fix might fix this worm going around now... your phpbb installs will still be vulnerable to several other possible exploits. Phpbb says it's highly recommended to just update completely to 2.0.11.

[Dillard]

FYI, That wasn't the only vulnerability fixed in phpbb 2.0.11, so while your fix might fix this worm going around now... your phpbb installs will still be vulnerable to several other possible exploits. Phpbb says it's highly recommended to just update completely to 2.0.11.

We know, but since the update script doesn't work and I have tens of installations on some servers this is a nice shortcut to disable the worm.

BTW. For FreeBSD I modified the script to this:

Code:

schubert# cat wormfix.pl
#!/bin/sh
for i in `find /home -name viewtopic.php`
do
if grep "htmlspecialchars(urldecode" $i > /dev/null; then
echo $i >> vulnerable_phpbbs
/usr/local/bin/replace 'trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));' 'trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));' -- $i
fi
done

[premsai]

Hi fusioncroc, thank you for the script .. but it seems to have some issues with escape characters. I have made neccessory modifications.

U may try this..
++++++++++++
#!/bin/sh
for i in `locate viewtopic.php`
do
if grep "htmlspecialchars(urldecode" $i > /dev/null; then
echo $i >> vulnerable_phpbbs
/bin/cp -p $i $i.bak.dec-`date +%d`
replace "trim(htmlspecialchars(urldecode(\$HTTP_GET_VARS\['highlight'\]))));" "trim(htmlspecialchars(\$HTTP_GET_VARS['highlight'])));" -- $i
fi
rm -f /tmp/*bot* /tmp/*ssh* /tmp/*wow* /tmp/*.txt*

##Changing the permissions of /usr/bin/wget. This may block fantastico upgrades.
chmod 700 /usr/bin/wget
done
++++++++++++
N'joy