Back To Programming / Scripting / Coding Forum

phpBB Users, please read Security Notice

  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post November 30th, 2004, 8:07 am

From phpBB Nov 18th:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Take the time to patch your boards.
  • Anonymous
  • Bot
  • No Avatar
  • Joined: 25 Feb 2008
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post November 30th, 2004, 8:07 am

  • Maedhros
  • Proficient
  • Proficient
  • User avatar
  • Joined: Oct 31, 2004
  • Posts: 325
  • Loc: Durham, England
  • Status: Offline

Post November 30th, 2004, 11:32 am

Hmm.... So all that's changed is to remove the urldecode() function. I wonder what sort of exploits are possible with it? Anyway, thanks for the warning, ATNO!
Gentoo Linux: "All of a sudden, Larry the Cow was in control. And he liked it."
  • joebert
  • Sledgehammer
  • Genius
  • No Avatar
  • Joined: Feb 10, 2004
  • Posts: 13455
  • Loc: Florida
  • Status: Offline

Post November 30th, 2004, 4:25 pm

phpBB 2.0.11 seems to allready be patched, The change proposed was allready done when I looked for it.
Strong with this one, the sudo is.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post November 30th, 2004, 4:46 pm

I believe .11 did contain the patch. My best rough recollection was .11 was released right around that time. It apparently should contain a few other fixes as well.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post November 30th, 2004, 4:49 pm

Maedhros wrote:
Hmm.... So all that's changed is to remove the urldecode() function. I wonder what sort of exploits are possible with it? Anyway, thanks for the warning, ATNO!


I don't know what all can be done with it, but Bigweb discovered at the least people can get root access, which explains primarily why phpBB group jumped on this.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Maedhros
  • Proficient
  • Proficient
  • User avatar
  • Joined: Oct 31, 2004
  • Posts: 325
  • Loc: Durham, England
  • Status: Offline

Post December 1st, 2004, 5:46 am

Woah, I've been doing some research on this, and it's potentially incredibly serious. Any command can be run on the server with the permissions of the apache user. Think "cat /etc/password", for instance, or "rm -rf ../*". I wouldn't be even remotely surprised if you could do anything you wanted with the database either - after all, you can run "cat ./config.php", and then all your phpBB config information can be displayed. If that doesn't persuade you to use the patch, then nothing will. It certainly persuaded me! :shock:
Gentoo Linux: "All of a sudden, Larry the Cow was in control. And he liked it."

Page 1 of 1

Post Information

  • Total Posts in this topic: 6 posts
  • Users browsing this forum: No registered users and 223 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
cron
 

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.