The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security vulnerability: phpBB

Discussion in 'Security' started by Planet_Master, Dec 14, 2003.

  1. Planet_Master

    Planet_Master Well-Known Member

    Joined:
    Apr 18, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Yorker
    SQL injection in phpBB

    Description:
    The remote host is running a version of phpBB older than 2.0.7. There is a flaw in the remote software which may allow anyone to inject arbitrary SQL commands, which may in turn be used to gain administrative access on the remote host or to obtain the MD5 hash of the password of any user.

    Solution : Upgrade to the latest version of this software
    Risk Factor : Serious

    Had problems on my server with customers using old versions of this software, good thing I caught the problem quickly and had them all update their boards. Suggest you ask your customers to do the same if running versions older then 2.0.7
     
  2. hot_wired13

    hot_wired13 Active Member

    Joined:
    Oct 17, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    127.0.0.1
    yay, something for me to exploit...
    /me goes off and hacks many many many webhosts... *evil laugh*
     
  3. LP-Trel

    LP-Trel Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Nirvana
    There is no 2.0.7, 2.0.6 is the latest... :rolleyes:
     
  4. Planet_Master

    Planet_Master Well-Known Member

    Joined:
    Apr 18, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Yorker
    2.0.6 has been updated with the fixes just redownload this version and overwrite your files. Make sure you save the database config file and you will lose any hacks you may have installed.
     
  5. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    The changelog mentions a somewhat auspiciously timed update of phpBB to 2.0.10a. I am curious to know if this update includes this change.

    BTW, 2.0.11 has been released which includes the above linked security fix as well as a few other updates.
     
  6. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    What is the exploit for this?

    Is it possible to block it with mod_security?
     
  7. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    umm, why not just fix the security problem in the first place? Instead of trying to keep people from using the exploit? Seems like a band-aid fix to me.
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Agree, it literally takes 5 minutes to update to the lastest, never ever compromise or "quick fix" when it comes to security.
     
  9. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    How do you upgrade phpbb forums using tons of mods in 5 minutes though?
     
  10. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    You are right, with regards to mods, but that holds true for any upgrade of any software. The 5 minute upgrade is for upgrading phpBB standard files and information, any mods would have to be redone again. You should though at the very least do the viewtopic fix as noted on their forum.
     
  11. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Yup, I did the viewtopic fix yesterday. From what I understand it is the only critical issue. The other issues that are fixed in 2.0.11 seem less serious.

    I'll do the upgrades to 2.0.11 when I have time since it will take a while to reinstall all the mods.
     
  12. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    Do you have to fix it on each account that is using it?

    How do I know who is using it?

    If I have 1,000 people using it would take over 10 days to fix assuming there was nothing else to do during those days.
     
  13. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Do a locate for viewtopic.php, that will tell you how many need to be possibly updated. Then you can either change them one each or replace all of them with a patched one.

    I would not risk my servers and business to avoid extra work, unfortunatly this is part of having and running a business. You sometimes have to do a lot of extra work.
     
  14. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    # locate viewtopic.php | wc -l
    179
    times 50 servers
    about 44750 minutes or 34 business days
     
  15. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider

    So, by those numbers, you mean to tell me you have 8900+ clients and you do not have staff that manage the servers? Or an automated process for mass updates? How do think EV1 and the likes do it? They either mass automate or they do each server with a script. This is actually less effort than running easyapache is. Write a simple shell script that does locate and replaces with a patched one. It would take you only a few minutes to write the script.

    But hey, it's your server and clients that get screwed, so it's all up to you how you do it or don't do it.
     
  16. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    How can I get a script for mass updates?
     
  17. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Either write one or hire someone to write it for you.
     
  18. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    Please post a copy of yours here.
     
  19. manlius.com

    manlius.com Active Member

    Joined:
    Nov 20, 2002
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Upstate New York
    Running this command is misleading:

    locate viewtopic.php | wc -l

    As it will also show installed copies of the following scripts as well:

    Xoops
    php-nuke

    And anyother script with a file named viewtopic.php
     
  20. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    What is an easy way to replace only the phpbb's viewtopic.php file?
     
Loading...

Share This Page