GoFuckYourself.com - Adult Webmaster Forum - View Single Post - *** PHPBB board owners : HACKER ALERT ***

SmokeyTheBear · 04-01-2005, 02:59 AM

phpBB Group announces the release of phpBB 2.0.13, the "Beware of the furries" edition. This release addresses two recent security exploits, one of them critical. They were reported a few days after .12 was released and no one is more annoyed than us, having to release a new version in such a short period of time.
Fortunately both fixes are easy and in each case just one line needs to be edited.

The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible:

Open includes/sessions.php

Find:
Code:
if( $sessiondata['autologinid'] hahahaha $auto_login_key )

Replace with:
Code:
if( $sessiondata['autologinid'] hahahaha= $auto_login_key )

A second minor issue reported to bugtraq several days ago was the path disclosure bug in viewtopic.php which got fixed by applying the following steps:

Open viewtopic.php

Find:
Code:
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '\\\\1', '\\0')", '>' . $message . '<'), 1, -1));

Replace with:
Code:
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '\\\\1', '\\0')", '>' . $message . '<'), 1, -1));

04-01-2005, 02:59 AM
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	phpBB Group announces the release of phpBB 2.0.13, the "Beware of the furries" edition. This release addresses two recent security exploits, one of them critical. They were reported a few days after .12 was released and no one is more annoyed than us, having to release a new version in such a short period of time. Fortunately both fixes are easy and in each case just one line needs to be edited. The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible: Open includes/sessions.php Find: Code: if( $sessiondata['autologinid'] hahahaha $auto_login_key ) Replace with: Code: if( $sessiondata['autologinid'] hahahaha= $auto_login_key ) A second minor issue reported to bugtraq several days ago was the path disclosure bug in viewtopic.php which got fixed by applying the following steps: Open viewtopic.php Find: Code: $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+\|(?R))))\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1)); Replace with: Code: $message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+\|(?R))))\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1)); __________________ hatisblack at yahoo.com