Unofficial phpBB 2.0.16 patch

meman (Web Master), post July 13th, 2005, 11:20 pm

I don't know if this is applicable here, but there has been a critical flaw in phpBB 2.0.16 for the last week that has got a few people, and phpBB are being a bit slow in releasing an update or patch for it.

The exploit is one of the XSS (cross site scripting) family that allows people to steal cookies (login data) from forums through bad filtering of bbcode.

This patch was tested on my own forum and I haven't seen any negative side effects from it. But most importantly, it has patched us against the exploit.

The patch is simple.
Open includes/bbcode.php in Notepad.
Click Edit, select Replace.
Then replace all

    [^ \"\n\r\t<]

with

    [^ \"\n\r\t\'\`\[\]<]

(after making a backup of the original file)

This will work fine as a temporary fix, but I would suggest using the official patch as soon as it's released.
Alternatively, you could disable bbcode until there is an official phpBB patch.

A mod might want to PM me if they want more info.
Or if the post is unsuitable I don't mind if it's deleted.

The exploit and patch were both tested by us on my forum and the flaw is very serious, and the patch seems to work fine as a temporary solution.
GodBeGone - Atheist Blog
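As an added illustration (my own Python, not phpBB's code and not the poster's), the two character classes quoted in the post above are applied to a `[url=...]text[/url]` matcher so you can see which hrefs the original class lets through and the tightened class rejects, plus a check for whether a bbcode.php text still carries the old class. The matcher around the class is a simplified reconstruction and the sample bbcode.php line is constructed; only the two classes are taken from the post.

```python
import re

# Character class that phpBB 2.0.16's [url=...] bbcode patterns use for the
# href part (the "replace all" target quoted in the post).
OLD_CLASS = r'[^ \"\n\r\t<]'
# Tightened class from the unofficial patch: the href now also stops at ' ` [ ]
NEW_CLASS = r'[^ \"\n\r\t\'\`\[\]<]'


def url_pattern(char_class):
    """Build a [url=scheme://...]text[/url] matcher around the given class.

    The surrounding pattern is a simplified reconstruction (an assumption),
    not phpBB's own line; only the character class comes from the post.
    """
    return re.compile(r'\[url=([a-z]+?://' + char_class + r'*?)\]([^?\n\r\t].*?)\[/url\]',
                      re.IGNORECASE | re.DOTALL)


def extract_href(bbcode, char_class):
    """Return the href the bbcode filter would accept, or None if it is rejected."""
    match = url_pattern(char_class).search(bbcode)
    return match.group(1) if match else None


def apply_patch(php_source):
    """Mirror the post's Notepad 'replace all' step on a bbcode.php text."""
    return php_source.replace(OLD_CLASS, NEW_CLASS)


def patch_status(php_source):
    """Count (old-class, new-class) occurrences in a bbcode.php text.

    (n, 0) with n > 0 means the file is still unpatched; (0, n) means patched.
    """
    return php_source.count(OLD_CLASS), php_source.count(NEW_CLASS)


# Constructed stand-ins for the relevant bbcode.php line (not the real file).
SAMPLE_UNPATCHED = '$patterns[] = "#\\[url=([\\w]+?://' + OLD_CLASS + '*?)\\](.*?)\\[/url\\]#si";'
SAMPLE_PATCHED = '$patterns[] = "#\\[url=([\\w]+?://' + NEW_CLASS + '*?)\\](.*?)\\[/url\\]#si";'

if __name__ == '__main__':
    # Constructed, benign inputs: a plain URL passes both classes; hrefs containing
    # an apostrophe or a square bracket pass the old class but not the new one.
    for sample in ('[url=http://example.com/page?id=1]Example[/url]',
                   "[url=http://example.com/a'b]Example[/url]",
                   '[url=http://example.com/x[y]Example[/url]'):
        print(sample, '->', extract_href(sample, OLD_CLASS), '|', extract_href(sample, NEW_CLASS))
    print('unpatched:', patch_status(SAMPLE_UNPATCHED), 'patched:', patch_status(apply_patch(SAMPLE_UNPATCHED)))
```

Running `patch_status` over your real includes/bbcode.php tells you whether the replace-all actually took effect before you rely on it.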

ATNO/TW (Super Moderator), post July 14th, 2005, 5:18 am

We appreciate the tip. Do you have any links to validate this? I assume you have reported this at the security tracker? http://www.phpbb.com/security/
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
meman (Web Master), post July 14th, 2005, 5:41 am

Yeah, one of my moderators reported it to phpBB when we first heard about it.

The only link I have to verify it has fully working proof-of-concept code included, so I didn't post it here.

As far as I know this doesn't work in FF, so FF users are safe, but their forums are not.

I'll PM you the link ATNO...
ATNO/TW (Super Moderator), post July 14th, 2005, 6:09 am

Thank you. I will pass that on to Bigwebmaster.
meman (Web Master), post July 14th, 2005, 6:49 am

No problem.

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.