Security vulnerability: phpBB

[Planet_Master]

SQL injection in phpBB

Description:
The remote host is running a version of phpBB older than 2.0.7. There is a flaw in the remote software which may allow anyone to inject arbitrary SQL commands, which may in turn be used to gain administrative access on the remote host or to obtain the MD5 hash of the password of any user.

Solution : Upgrade to the latest version of this software
Risk Factor : Serious

Had problems on my server with customers using old versions of this software, good thing I caught the problem quickly and had them all update their boards. Suggest you ask your customers to do the same if running versions older then 2.0.7

[hot_wired13]

yay, something for me to exploit...
/me goes off and hacks many many many webhosts... *evil laugh*

[LP-Trel]

There is no 2.0.7, 2.0.6 is the latest...

[Planet_Master]

2.0.6 has been updated with the fixes just redownload this version and overwrite your files. Make sure you save the database config file and you will lose any hacks you may have installed.

[SarcNBit]

The changelog mentions a somewhat auspiciously timed update of phpBB to 2.0.10a. I am curious to know if this update includes this change.

BTW, 2.0.11 has been released which includes the above linked security fix as well as a few other updates.

[EdRooney]

What is the exploit for this?

Is it possible to block it with mod_security?

[dezignguy]

umm, why not just fix the security problem in the first place? Instead of trying to keep people from using the exploit? Seems like a band-aid fix to me.

[dgbaker]

Agree, it literally takes 5 minutes to update to the lastest, never ever compromise or "quick fix" when it comes to security.

[jamesbond]

Agree, it literally takes 5 minutes to update to the lastest, never ever compromise or "quick fix" when it comes to security.

How do you upgrade phpbb forums using tons of mods in 5 minutes though?

[dgbaker]

You are right, with regards to mods, but that holds true for any upgrade of any software. The 5 minute upgrade is for upgrading phpBB standard files and information, any mods would have to be redone again. You should though at the very least do the viewtopic fix as noted on their forum.

[jamesbond]

You are right, with regards to mods, but that holds true for any upgrade of any software. The 5 minute upgrade is for upgrading phpBB standard files and information, any mods would have to be redone again. You should though at the very least do the viewtopic fix as noted on their forum.

Yup, I did the viewtopic fix yesterday. From what I understand it is the only critical issue. The other issues that are fixed in 2.0.11 seem less serious.

I'll do the upgrades to 2.0.11 when I have time since it will take a while to reinstall all the mods.

[EdRooney]

umm, why not just fix the security problem in the first place? Instead of trying to keep people from using the exploit? Seems like a band-aid fix to me.

Do you have to fix it on each account that is using it?

How do I know who is using it?

If I have 1,000 people using it would take over 10 days to fix assuming there was nothing else to do during those days.

[dgbaker]

Do a locate for viewtopic.php, that will tell you how many need to be possibly updated. Then you can either change them one each or replace all of them with a patched one.

I would not risk my servers and business to avoid extra work, unfortunatly this is part of having and running a business. You sometimes have to do a lot of extra work.

[EdRooney]

# locate viewtopic.php | wc -l
179
times 50 servers
about 44750 minutes or 34 business days

[dgbaker]

# locate viewtopic.php | wc -l
179
times 50 servers
about 44750 minutes or 34 business days

So, by those numbers, you mean to tell me you have 8900+ clients and you do not have staff that manage the servers? Or an automated process for mass updates? How do think EV1 and the likes do it? They either mass automate or they do each server with a script. This is actually less effort than running easyapache is. Write a simple shell script that does locate and replaces with a patched one. It would take you only a few minutes to write the script.

But hey, it's your server and clients that get screwed, so it's all up to you how you do it or don't do it.