
phpBB Alert 2-28-05

Discussion in 'General Discussion' started by DigiCrime, Feb 28, 2005.

  1. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    http://www.k-otik.com/english/advisories/2005/0212

    Went to look at their site but it's down right now, might be too high traffic or even worse they got hacked. Either way phpBB has had a bad run of luck lately. They just released an update last Monday; I haven't yet checked to see what they have released yet, but will look as soon as their site comes up.
     
  2. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    That's what I am getting from their site:


    K-OTik Security Advisory : KOTIK/ADV-2005-0212
    CVE Reference : GENERIC-MAP-NOMATCH
    Rated as : High
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2005-02-28

    * Technical Description *

    Two vulnerabilities were reported in phpBB, which may be exploited by attackers to determine the installation path or bypass certain security features. The first problem resides in the "autologinid" (includes/sessions.php) variable and could be exploited by malicious users to gain administrator rights. The second flaw resides in the "viewtopic.php" script, and could be exploited to disclose the webroot path.

    * Affected Products *

    phpBB version 2.0.12 and prior

    * Solution *

    phpBB version 2.0.13 :
    http://www.phpbb.com/downloads.php

    * References *

    http://www.k-otik.com/english/advisories/2005/0212
    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
     
  3. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    and this is what phpbb has to say:


    phpBB Group announces the release of phpBB 2.0.13, the "Beware of the furries" edition. This release addresses two recent security exploits, one of them critical. They were reported a few days after .12 was released and no one is more annoyed than us, having to release a new version in such a short period of time.
    Fortunately both fixes are easy and in each case just one line needs to be edited.

    The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible:

    Open includes/sessions.php

    Find:
    Code:
    if( $sessiondata['autologinid'] == $auto_login_key )

    Replace with:
    Code:
    if( $sessiondata['autologinid'] === $auto_login_key )



    A second minor issue reported to bugtraq several days ago was the path disclosure bug in viewtopic.php which got fixed by applying the following steps:

    Open viewtopic.php

    Find:
    Code:
    $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

    Replace with:
    Code:
    $message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));



    As with all new releases we urge you to upgrade as soon as possible. You can of course find this download available on our downloads page. As per usual three packages are available to simplify your upgrade.
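The one-character fix quoted above (`==` to `===` in includes/sessions.php) is easy to miss as a security change. The script below is an added example, not phpBB's or the poster's code; it puts the loose check, the 2.0.13 strict check and a modern hardened check side by side and feeds each of them the kinds of value an untrusted session or cookie payload can decode to. The function names, the stored key and the sample values are all constructed for the example; the only assumption is that the candidate value arrives from outside and is therefore not guaranteed to be a string.

```php
<?php
// Added example, not phpBB code. Shows why phpBB 2.0.13 replaced '==' with
// '===' in the autologinid check, and what a hardened comparison looks like.
// All function names and sample values below are constructed.

// Pre-2.0.13 behaviour: PHP loose comparison. PHP converts the operands to a
// common type first, so a non-string candidate can compare "equal" to a key
// it does not actually contain.
function autologin_matches_loose($candidate, string $auto_login_key): bool
{
    return $candidate == $auto_login_key;
}

// The 2.0.13 fix: strict comparison. Type and value must both match, so only
// the exact key string passes.
function autologin_matches_strict($candidate, string $auto_login_key): bool
{
    return $candidate === $auto_login_key;
}

// Hardened form for current PHP: reject anything that is not a non-empty
// string, then compare in constant time so the check does not leak how many
// leading bytes of the key were correct. hash_equals() exists since PHP 5.6.
function autologin_matches_hardened($candidate, string $auto_login_key): bool
{
    if (!is_string($candidate) || $candidate === '') {
        return false;
    }
    return hash_equals($auto_login_key, $candidate);
}

// Constructed sample data: a stored key and several values an untrusted
// payload might decode to. Only the exact string should ever be accepted.
$stored_key = '3f2a9c1e7b';
$samples = [
    'exact string' => '3f2a9c1e7b',
    'wrong string' => 'deadbeef00',
    'boolean true' => true,   // true == <any non-empty string except "0"> is true in PHP
    'empty array'  => [],
];

foreach ($samples as $label => $value) {
    printf("%-13s loose=%-5s strict=%-5s hardened=%s\n",
        $label,
        var_export(autologin_matches_loose($value, $stored_key), true),
        var_export(autologin_matches_strict($value, $stored_key), true),
        var_export(autologin_matches_hardened($value, $stored_key), true));
}
```

Run it with `php` on the command line. The loose check accepts the boolean `true` row because PHP converts the string key to a boolean before comparing, which is exactly the class of type confusion `===` shuts off; the strict and hardened checks accept only the exact string. For the second, minor issue in the same announcement, the `@` prefix only silences the warning that was printing the webroot path; the more general defence is `display_errors = Off` together with `log_errors = On` in php.ini, so that any future warning goes to the server log rather than into the response.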
     
  4. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    I meant the phpBB site, not the advisory, sorry :cool: I did finally reach the phpBB site.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Did you report this to cPanel?
     
  6. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Yeppers :cool:
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I wonder how much longer cPanel are going to offer phpBB as an addon ;)
     
  8. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    What other free options would there be? Not very much to choose from, and Fantastico will be having the same problems as well. Actually, just let them know too.
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Dunno either. I guess it's the nature of the beast. Having a large community of disparate people using one tool to communicate with each other makes it a prime target for people who like to look for these things. Sorry, drifting from the point of the thread. It just seems to be phpBB's unlucky few months.
     
  10. djmerlyn

    djmerlyn Well-Known Member

    Joined:
    Aug 31, 2004
    Messages:
    203
    Likes Received:
    1
    Trophy Points:
    16
    There have got to be aboot 20 or so free forum warez. Eblah is decent. I never understood why everyone needs phpBB.

    Then there is also the option of whipping out your wallet and paying for something. :gasp:
     
  11. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Where there is free, that will always prevail no matter what; just a given.

    How hard is it to actually create a package anyway, so we don't have to wait on cPanel? I haven't actually tried it yet, but it can't be that hard. :confused:
     
  12. Aric1

    Aric1 Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Look at software like php-nuke. Nearly every single version ever released has been discovered to have serious security flaws and tons of people still use that.

    phpBB is very good, but remember, the code base is old. People were bound to find issues in the code eventually. Considering how old the 2.0.x codebase is, it is rather surprising that more issues weren't uncovered sooner.

    Can anyone think of a major opensource scripting project that hasn't had to be patched due to potential security issues? I can't.

    The recent issues just underscore the importance of something many users forget. If you are going to use a script, you need to keep up with updates. It's not good enough to install Super Cool Script 1.0 and never upgrade it, someone will eventually find a way to exploit the script.
     
  13. HH-Steven

    HH-Steven Well-Known Member

    Joined:
    Aug 29, 2004
    Messages:
    284
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Please mind your language, people on here could take offence to that :D


    The real problem is that whatever security measures people introduce, there will always be people trying to "hack" round them; it's a shame, but it's a fact of life.

    As mentioned, it's phpBB's unlucky few months.
     
  14. cPanelBilly

    cPanelBilly Guest

    The script installer now has 2.0.13 in everything but stable, due to the new update system that has not made it out.
     
  15. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Cool Thanks :)
     
  16. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    For those wanting to update without running upcp you can do:

    /usr/local/cpanel/whostmgr/bin/whostmgr2 --updateaddons

    And then run the Addon Script Manager ;)
     
  17. cPanelBilly

    cPanelBilly Guest

    In WHM you can go to the Addon Scripts and then hit save and it will also update all those with available updates.
     
  18. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Has anyone here had any dealings with custom phpBBs and clients complaining about the updater wrecking their forums? I just ran it on about 6 sites from 11 to 12 to 13 over the last few days. On the forums that were stock, it looked the same when loaded again after the upgrade. I found a few that had custom themes and custom images installed, and on one of those, which I actually run, I went ahead and took a chance and it still looks fine after the upgrade. I am wondering what we KNOW will be overwritten as far as basic look and feel and things of that nature?
     
  19. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    If you upgrade it for them using the addon updater, it does overwrite their modifications or hacks.
     
  20. cPanelBilly

    cPanelBilly Guest

    It will copy over all files that phpBB has in their installation, along with running the phpBB upgrade script.
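Since the updater copies in every file of the stock release, the practical question before running it is which installed files differ from the pristine copy of the version currently installed, because those are the customisations that will be lost. The script below is an added example, not cPanel's or phpBB's code; it hashes an installed tree against a pristine tree of the same version and reports modified files (which the updater will overwrite) and local-only files (which, going by the reply above, the copy does not touch). The directory names, file contents and function names are constructed for the example; it builds two tiny stand-in trees under the system temp directory so that it runs offline.

```php
<?php
// Added example, not cPanel or phpBB code. Before letting the addon updater
// copy a new phpBB release over a forum, find out which installed files were
// customised, by comparing them to a pristine copy of the *same* version.
// Everything below (paths, file contents, function names) is constructed.

// Map every file under $root to its SHA-256, keyed by path relative to $root.
// $root must not end with a slash.
function hash_tree(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare an installed tree against a pristine tree of the same version.
//  modified   - exists in both but content differs: customised, will be overwritten
//  local_only - not part of the stock release (custom images, mods): left in place
//               (assumption based on the reply above: the updater copies stock
//               files, it does not delete extra ones)
function upgrade_impact(string $installed, string $pristine): array
{
    $inst = hash_tree($installed);
    $orig = hash_tree($pristine);
    $modified = [];
    $local_only = [];
    foreach ($inst as $rel => $h) {
        if (!isset($orig[$rel])) {
            $local_only[] = $rel;
        } elseif ($orig[$rel] !== $h) {
            $modified[] = $rel;
        }
    }
    return ['modified' => $modified, 'local_only' => $local_only];
}

// Helpers for the constructed sample trees.
function write_files(string $root, array $files): void
{
    foreach ($files as $rel => $content) {
        $path = "$root/$rel";
        @mkdir(dirname($path), 0700, true);
        file_put_contents($path, $content);
    }
}

function remove_tree(string $root): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $f) {
        $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
    }
    rmdir($root);
}

// Constructed stand-ins for a pristine 2.0.12 tree and a customised install.
$base = sys_get_temp_dir() . '/phpbb_upgrade_check_' . getmypid();
write_files("$base/pristine", [
    'includes/sessions.php'                  => "<?php // stock session code\n",
    'viewtopic.php'                          => "<?php // stock viewtopic\n",
    'templates/subSilver/overall_header.tpl' => "<html>stock header</html>\n",
]);
write_files("$base/installed", [
    'includes/sessions.php'                      => "<?php // stock session code\n",  // untouched
    'viewtopic.php'                              => "<?php // stock viewtopic\n",     // untouched
    'templates/subSilver/overall_header.tpl'     => "<html>custom header</html>\n",   // customised
    'templates/subSilver/images/logo_custom.gif' => "GIF89a (constructed)",          // local-only
]);

$impact = upgrade_impact("$base/installed", "$base/pristine");
echo "Customised files the updater will overwrite:\n";
foreach ($impact['modified'] as $f) { echo "  $f\n"; }
echo "Local-only files the updater leaves alone:\n";
foreach ($impact['local_only'] as $f) { echo "  $f\n"; }

remove_tree($base);
```

On a real server the two arguments to `upgrade_impact()` would be the live forum directory and an unpacked download of the same phpBB version; anything listed under "modified" needs to be backed up and re-applied after the Addon Script Manager has run, and the list itself is worth keeping with the backup as a record of what the site had changed.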
     