phpBB Users, please read Security Notice

  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

From phpBB Nov 18th:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Take the time to patch your boards.

  • Maedhros
  • Proficient
  • Posts: 325
  • Loc: Durham, England

Post 3+ Months Ago

Hmm.... So all that's changed is to remove the urldecode() function. I wonder what sort of exploits are possible with it? Anyway, thanks for the warning, ATNO!
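The reason removing a single urldecode() call closes a hole is that PHP already percent-decodes the query string once when it fills $_GET (or $HTTP_GET_VARS on the phpBB 2 era). A second urldecode() therefore runs after any escaping or filtering that was applied to the once-decoded value, so an attacker can double-encode a character (%2527 for a single quote) and have it reappear, unescaped, only after the filter has looked. The following is an added illustration of that pattern, not phpBB's code: the sanitiser and the parameter name are hypothetical stand-ins, and the only point it makes is filter-then-decode versus decode-then-filter.

```php
<?php
// Added example, not phpBB source. Shows why a second urldecode() on request
// input undoes any filtering done before it. The sanitiser below is a
// hypothetical stand-in, not phpBB's own handling of the "highlight" parameter.

function filter_once(string $raw_query_value): string {
    // PHP performs one round of percent-decoding when it populates $_GET.
    // Simulate that here so the example runs on a constructed raw value.
    $once = urldecode($raw_query_value);

    // Hypothetical sanitiser: strip characters that could break out of a
    // quoted string that this value is later embedded in.
    return str_replace(["'", '"', '\\'], '', $once);
}

function vulnerable(string $raw_query_value): string {
    // Decoding AGAIN after the sanitiser: %2527 -> %27 (filter sees nothing) -> '
    return urldecode(filter_once($raw_query_value));
}

function fixed(string $raw_query_value): string {
    // Decode exactly once; the sanitiser sees the final form of the input.
    return filter_once($raw_query_value);
}

// Constructed input: a double-encoded single quote.
$payload = '%2527';

var_dump(vulnerable($payload)); // string(1) "'"   quote survives the filter
var_dump(fixed($payload));      // string(3) "%27" stays inert text
```

The general rule this demonstrates: decode an input exactly once, at the boundary, and run every validation or escaping step on that final decoded form. Any extra decode stage placed after a filter turns the filter into a speed bump that double-encoding drives straight over.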
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

phpBB 2.0.11 seems to already be patched. The change proposed was already done when I looked for it.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

I believe .11 did contain the patch. My best rough recollection was .11 was released right around that time. It apparently should contain a few other fixes as well.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Maedhros wrote:
Hmm.... So all that's changed is to remove the urldecode() function. I wonder what sort of exploits are possible with it? Anyway, thanks for the warning, ATNO!


I don't know what all can be done with it, but Bigweb discovered at the least people can get root access, which explains primarily why phpBB group jumped on this.
  • Maedhros
  • Proficient
  • Posts: 325
  • Loc: Durham, England

Post 3+ Months Ago

Woah, I've been doing some research on this, and it's potentially incredibly serious. Any command can be run on the server with the permissions of the apache user. Think "cat /etc/password", for instance, or "rm -rf ../*". I wouldn't be even remotely surprised if you could do anything you wanted with the database either - after all, you can run "cat ./config.php", and then all your phpBB config information can be displayed. If that doesn't persuade you to use the patch, then nothing will. It certainly persuaded me! :shock:

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.