phpBB 2.0.19 released
phpBB 2.0.19 has been released.
It looks like it's upgrade time for those of us running a phpBB forum. XSS and dictionary attacks against forum users seem to be on the menu.
Report of an upgrade I performed:
# download
# download the code from one of the mirrors you find
# through http://www.phpbb.com/downloads.php
# Since I try not to browse on the server it's a bit of a pain to get to the URLs
# of the mirrors, still it's quite possible.
$ wget ...
# I usually get the patch file as it details the changes between the two releases
# and the changed files only as I'd rather get clean copies than have patch
# bail out for some reason. I do have a modified board so sometimes I
# need to code myself to get these upgrades back in place.
# unpack
# unpack the files you fetched away from the live forum.
# copy (backup) and make sure the copy does not get used
$ cp -r forum forum.cp
$ chmod 0 forum.cp
# change the files
admin/admin_board.php
# add new parameters to prevent brute forcing passwords of users
# remove quotes around a string that is assigned (not clear to me as to the rationale)
# perhaps others with deeper knowledge of PHP can explain the difference between:
- $b = basename (...) ; $a = "$b" ;
- $b = basename (...) ; $a = $b ;
# add sessions_keys to the list of the tables to be backed up
admin/admin_disallow.php
# removes the addition of a session key
admin/admin_ranks.php
# removal of the quotes, similar to admin/admin_board.php
admin/admin_styles.php
# ditto
admin/admin_users.php
# added additional processing when deleting users
# phpbb_clean_username() call added
# added ".." in path to the avatar location
admin/admin_words.php
# again the removal of the quotes, similar to admin/admin_board.php
admin/index.php
# allow version 5 of mysql
# add "./" in front of the filenames while building the menu
common.php
# change of the error message when the install and contrib directories are still
# present on a production system
include/bbcode.php
# most likely the XSS fixes:
# tests for url= inside [url] tags
# replaced the char " with "&quot;" for the [quote] tag
include/functions.php
# sql escaping of usernames
include/functions_post.php
# most likely the other XSS fix:
# add " as a special char in addition to those already being processed such as "&", "<" and ">"
include/usercp_confirm.php
# looks like the fix for those not having zlib
include/usercp_register.php
# change in stripping and length of usernames
language/lang_english/lang_admin.php
# added strings for the new variables to prevent brute forcing user passwords
language/lang_english/lang_main.php
# ditto
# if you have other languages installed they will need the same modifications
login.php
# the prevention of the brute force attacks
privmsg.php
# similar change to the one in include/functions_post.php
# interestingly there might be an issue in private messages with XSS on forums.
templates/subSilver/admin/board_config_body.tpl
# support for the added variables for preventing the brute forcing of the user passwords
templates/subSilver/admin/index_body.tpl
# the move of the version info towards the top of the page
# if you have other templates (probably based on subSilver), make similar changes there as well!
# copy the install and contrib directories (forum goes offline)
$ cp -r .../{contrib,install} forum
# surf to install/update_to_latest.php
$ lynx http://.../forum/install/update_to_latest.php
# this step updates the database
# remove contrib and install
$ rm -rf forum/contrib forum/install
# test
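As an added example (not part of the diary or of phpBB), a small POSIX shell check for the state the procedure above should leave behind: no install/ or contrib/ left in the live tree, the backup copy locked down with mode 0, and the files the release touches present. The helper name phpbb_postupgrade_check and its two directory arguments are assumptions.

```shell
# Post-upgrade check for the phpBB 2.0.x procedure above (hypothetical helper,
# not part of phpBB or the diary). Arguments: live forum dir, backup dir.
phpbb_postupgrade_check() {
    forum=$1
    backup=$2
    rc=0
    # 1. install/ and contrib/ must be gone from the live tree: common.php
    #    complains while they exist, and they should not stay web-reachable.
    for d in install contrib; do
        if [ -e "$forum/$d" ]; then
            echo "FAIL: $forum/$d still present, remove it" >&2
            rc=1
        fi
    done
    # 2. the backup copy must exist and carry mode 0, so the web server
    #    cannot serve the old (vulnerable) code by accident.
    if [ ! -d "$backup" ]; then
        echo "FAIL: backup $backup is missing" >&2
        rc=1
    else
        mode=$(stat -c %a "$backup" 2>/dev/null || stat -f %Lp "$backup")
        if [ "$mode" != "0" ]; then
            echo "FAIL: backup $backup has mode $mode, expected 0" >&2
            rc=1
        fi
    fi
    # 3. the files 2.0.19 touches must be present in the live tree.
    for f in login.php common.php include/bbcode.php include/functions_post.php \
             include/functions.php privmsg.php admin/admin_board.php; do
        if [ ! -f "$forum/$f" ]; then
            echo "FAIL: $forum/$f is missing" >&2
            rc=1
        fi
    done
    return $rc
}

# usage: phpbb_postupgrade_check /var/www/forum /var/www/forum.cp && echo "upgrade looks clean"
```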
My conclusions from the changes in the source code are:
- XSS issues in uploaded html (also in private messages between members)
- XSS issues in the [url] and [quote] tags
- fixes with new variables to control brute forcing login attempts
Swa Frantzen