The Community Forums


phpbb 2.0.16 released

Discussion in 'cPanel Developers' started by dropby23, Jun 28, 2005.

  1. dropby23

    dropby23 Well-Known Member

  2. Shinichi Kato

    Shinichi Kato Well-Known Member

    Not Fetching phpBB!!

    I installed WHM today. However, the installation did not complete at the following point.
    The same message has already appeared about 100 times or more.
    What should I do from here? :confused:

    Fetching http://httpupdate.cpanel.net/cpanelsync/addons/scripts/phpBB/.cpanelsync.lock....Trying httpupdate.cpanel.net @ 69.90.250.35
    ...100%......Done
    The update server is currently updating its files.
    It may take up to 30 minutes before access can be obtained.
    Waiting 30 seconds for access to the update server......
    .................................................................................................................................................................................................................................................................................Checking again....
     
  3. chirpy

    chirpy Well-Known Member

    Please post on-topic in a thread, yours has nothing to do with phpBB.

    dropby23, you need to log an enhancement request in bugzilla to bring this to cPanel's attention.
     
  4. raikd

    raikd Member

    phpBB upgrade?

    When will phpBB 2.0.16 be available for upgrade through cpanelX? Any clue?
     
  5. chirpy

    chirpy Well-Known Member

    What's your bugzilla entry number as I mentioned above? If you post it then people can vote for it. If you haven't bothered logging one, then it'll only take longer.
     
  6. Bloory

    Bloory Active Member

    I notice that, of the various third-party script installers, only Installatron has updated already.
     
  7. networxhosting

    networxhosting Well-Known Member
  8. LP-Trel

    LP-Trel Well-Known Member

    This installer will be deployed asap. We like to make sure they actually work without error before pushing them out though. ;)
     
  9. dropby23

    dropby23 Well-Known Member

    I see phpBB remote execution exploits everywhere; this will be bad for too many hosting companies.
     
  10. Sinewy

    Sinewy Well-Known Member

    Every major php application has its exploits... I don't recall seeing any yet that are not exploitable sooner or later.

    Alan
     
  11. Sash

    Sash Well-Known Member

    Does anyone know of a mod_security entry that will defend against this exploit?

    Mike
     
  12. easyhoster1

    easyhoster1 Well-Known Member

    I just had one server get hit;

    http://isc.sans.org/

    I suggest no one wait for the cPanel version....Who knows...maybe it's a planned attack with the long weekend...If the installer could be done today, that would be great. In the meantime, here is the fix;

    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011


    phpBB Highlight Vulnerability Re-introduced
    We've had some folks writing in regarding snort signatures for the new phpBB vulnerability.
    This vulnerability is an accidental re-introduction of the same bug
    that existed in phpBB earlier than 2.0.11 and was (apparently) accidentally
    reintroduced during work between 2.0.14 and 2.0.15. Existing snort
    signatures {sourcefire sid:2229 and bleeding-snort sids:2001457, 2001557,
    2001604, and 2001605} will detect the common exploits.

    Also, a more generic treatment of this vulnerability is as follows:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:2005063001; rev:1; \
    msg:"[ISC] possible phpBB <= 2.0.15 code injection"; \
    flow:to_server,established; \
    uricontent:"viewtopic.php|3f|"; nocase; \
    pcre:"/[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(/iU"; \
    classtype:misc-attack; )

    One Final Note: This is the bug that allowed Santy.A to work.
     
    #12 easyhoster1, Jul 1, 2005
    Last edited: Jul 1, 2005
  13. cPanelBilly

    cPanelBilly Guest

    The new installer is up and out already.
     
  14. easyhoster1

    easyhoster1 Well-Known Member

    Excellent....Thank you Billy :D
     
  15. mike25

    mike25 Well-Known Member

    So how does one force the upgrade of all phpBB installations on a server? I have many 100 different sites running phpBB, and cannot do them all by hand. Is this something the Fantastico people should do, or does someone have some shellcode that will work?
     
  16. coffee23

    coffee23 Active Member

    #16 coffee23, Jul 2, 2005
    Last edited: Jul 2, 2005
  17. mike25

    mike25 Well-Known Member

    No, not really. I guess I should write my own find-and-replace script for these types of situations. I just wish that the phpBB people would release an upgrade script that would do just that also, so today I would not have to do a locate viewtopic.php and then replace the code by hand over and over again. This is a pretty serious hole and there is a lot of exploit code already out there for remote command execution and DoS. My mod_security log is filled with blocked attempts but a few others seem to have gotten through.
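
Added example, not part of any post in this thread: one way to triage Apache access logs for requests that satisfy the ISC signature quoted in post #12, split into those the server rejected and those it served, which is the "blocked versus got through" question raised in the post above. The log format (Apache common/combined), the status-code split, the sample lines and the `PLACEHOLDER` payload are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: client, timestamp, request URI, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

# pcre from the ISC rule quoted in post #12, unchanged (the /i flag kept).
HIGHLIGHT_RE = re.compile(r"[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(", re.I)


def matches_rule(uri):
    """True when the URI meets the rule's uricontent and pcre conditions."""
    if "viewtopic.php?" not in uri.lower():
        return False
    # Assumption: Snort's U modifier sees a normalized URI, so test the raw
    # URI and one round of percent-decoding (catches "(" logged as %28).
    return any(HIGHLIGHT_RE.search(u) for u in (uri, unquote(uri)))


def triage(lines):
    """Split matching requests into served (status < 400) and rejected."""
    result = {"served": [], "rejected": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, uri, status = m.groups()
        if matches_rule(uri):
            bucket = "served" if int(status) < 400 else "rejected"
            result[bucket].append((client, when, uri))
    return result


# Constructed sample lines: documentation addresses, placeholder payload.
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2005:10:00:01 -0400] "GET /forum/viewtopic.php?t=5&highlight=%2527%252EPLACEHOLDER( HTTP/1.0" 403 310',
    '198.51.100.7 - - [01/Jul/2005:10:02:44 -0400] "GET /phpBB2/viewtopic.php?p=9&highlight=%27%2EPLACEHOLDER%28 HTTP/1.1" 200 15234',
    '203.0.113.5 - - [01/Jul/2005:10:03:10 -0400] "GET /forum/viewtopic.php?t=7&highlight=cpanel+update HTTP/1.1" 200 20480',
    '203.0.113.9 - - [01/Jul/2005:10:04:00 -0400] "GET /index.php?highlight=%2527%252EPLACEHOLDER( HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        for client, when, uri in hits:
            print(bucket, client, when, uri)
```

Entries in the "served" bucket point at the accounts whose phpBB installation received the request and should be checked and upgraded first.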
     
  18. chirpy

    chirpy Well-Known Member

    It entirely depends on how they were installed. If they were installed through cPanel, then in WHM you can install the Addon Module > Addon Script Manager, and then forcibly upgrade all the installations. If you installed them using Fantastico, then you would have to have your users upgrade the installations through Fantastico itself. If they were installed by hand, then the user will have to upgrade them by hand.
     
  19. dropby23

    dropby23 Well-Known Member

    Are there any mod_security rules for that exploit?
     
  20. easyhoster1

    easyhoster1 Well-Known Member

    There is a script out that should help;


    http://www.webhostingtalk.com/showthread.php?s=&threadid=420888
     
