unofficial phpbb 2.0.16 patch.

  • meman
  • Web Master
  • Posts: 3432
  • Loc: London Town , Apples and pears and all that crap

Post 3+ Months Ago

I don't know if this is applicable here, but there has been a critical flaw in phpbb 2.0.16 for the last week that has got a few people, and phpbb are being a bit slow in releasing an update or patch for it.

The exploit is one of the XSS (cross site scripting) family that allows people to steal cookies (login data) from forums through bad filtering of bbcode.

This patch was tested on my own forum and I haven't seen any negative side effects from it. But most importantly, it has patched us against the exploit.

The patch is simple.
Open includes/bbcode.php in Notepad.
Click Edit, select Replace.
Then replace all
Code:
[^ \"\n\r\t<]

with
Code:
[^ \"\n\r\t\'\`\[\]<]

(after making a backup of the original file)

This will work fine as a temporary fix, but I would suggest using the official patch as soon as it's released.
Alternatively, you could disable bbcode until there is an official phpbb patch.

A mod might want to PM me if they want more info.
Or if the post is unsuitable I don't mind if it's deleted.

The exploit and patch were both tested by us on my forum and the flaw is very serious, and the patch seems to work fine as a temporary solution.
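The search-and-replace above narrows the set of characters phpBB accepts inside a [url] body; the added single quote, backtick and square brackets are exactly the characters a bbcode filter needs to keep out of generated HTML attributes. The following is an added example (not code from the post or from phpBB) that shows what the two character classes accept and reject. It assumes the class sits in the [url] tag pattern of bbcode.php and only mimics that pattern's shape (scheme, then a non-greedy run of allowed characters); it uses Python's re module rather than PHP's preg_* functions, and the sample inputs are constructed.

```python
import re

# Character class the post says to find in includes/bbcode.php (phpBB 2.0.16).
ORIGINAL_CLASS = r'[^ "\n\r\t<]'
# Character class the post says to replace it with: additionally rejects
# single quote, backtick and square brackets.
PATCHED_CLASS = r'[^ "\n\r\t\'`\[\]<]'


def build_url_pattern(char_class):
    """Build a simplified [url]...[/url] matcher around the given class.

    Assumption: this only mimics the shape of phpBB's [url] regex (a scheme,
    then a non-greedy run of characters from the class); it is not phpBB's
    actual pattern, and Python's re is used instead of PHP's preg_* calls.
    """
    return re.compile(
        r'\[url\]([a-z]+://' + char_class + r'*?)\[/url\]',
        re.IGNORECASE,
    )


def extract_urls(text, char_class):
    """Return the URL bodies that the matcher would turn into links."""
    return build_url_pattern(char_class).findall(text)


def compare(text):
    """Report whether each character class accepts the given [url] body."""
    return {
        "original": bool(extract_urls(text, ORIGINAL_CLASS)),
        "patched": bool(extract_urls(text, PATCHED_CLASS)),
    }


# Constructed samples: one plain URL, then one URL per character the patch
# newly excludes. These are just the characters, not attack strings.
SAMPLES = [
    "[url]http://example.com/page.html[/url]",
    "[url]http://example.com/it's[/url]",
    "[url]http://example.com/a`b[/url]",
    "[url]http://example.com/list[0][/url]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} {compare(sample)}")
```

Running it shows the plain URL passing under both classes, while each URL containing a quote, backtick or bracket is accepted by the original class and rejected by the patched one. That is the trade-off of this kind of allowlist tightening: a legitimate URL that genuinely contains one of those characters will no longer be turned into a link, which is worth checking on your own forum after applying the replacement.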
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

We appreciate the tip. Do you have any links to validate this? I assume you have reported this at the security tracker? http://www.phpbb.com/security/
  • meman
  • Web Master
  • Posts: 3432
  • Loc: London Town , Apples and pears and all that crap

Post 3+ Months Ago

Yeah, one of my moderators reported it to phpbb when we first heard about it.

The only link I have to verify it has fully working proof of concept code included, so I didn't post it here.

As far as I know this doesn't work in FF, so FF users are safe, but their forums are not.

I'll PM you the link ATNO...
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Thank you. I will pass that on to Bigwebmaster.
  • meman
  • Web Master
  • Posts: 3432
  • Loc: London Town , Apples and pears and all that crap

Post 3+ Months Ago

No problem.
