phpBB 2.0.19 released

Published: 2005-12-30
Last Updated: 2005-12-31 11:04:37 UTC
by Swa Frantzen (Version: 2)
phpBB 2.0.19 has been released.

It looks like it's upgrade time for those of us running a phpBB forum. XSS and dictionary attacks against forum users seem to be on the menu.

Report of an upgrade I performed:

# download
# download the code from one of the mirrors you find
# through

# Since I try not to browse on the server it's a bit of a pain to get to the URLs
# of the mirrors, still it's quite possible.

$ wget ...

# I usually get the patch file as it details the changes between the two releases
# and the changed files only as I'd rather get clean copies than have patch
# bail out due to some reason. I do have a modified board so sometimes I
# need to code myself to get these upgrades back in place.

# unpack
# unpack the files you fetched away from the live forum.

# copy (backup) and make sure the copy does not get used
$ cp -r forum forum.cp
$ chmod 0 forum.cp

# change the files
# add new parameters to prevent brute forcing passwords of users
# remove quotes around a string that is assigned (not clear to me as to the rationale)
# perhaps others with deeper knowledge of PHP can explain the difference between:
  • $b = basename (...) ; $a = "$b" ;
  • $b = basename (...) ; $a = $b ;
# add sessions_keys to the list of the tables to be backed up

# removes the addition of a session key

# removal of the quotes, similar to admin/admin_board.php

# ditto

# added additional processing when deleting users
# phpbb_clean_username() call added
# added ".." in path to the avatar location

# again the removal of the quotes, similar to admin/admin_board.php

# allow version 5 of mysql
# add "./" in front of the filenames while building the menu

# change of the error message when the install and contrib directories are still
# present on a production system

# most likely the XSS fixes:
#   tests for url= inside [url] tags
#   replaced the char " with "&quot;" for the [quote] tag

# sql escaping of usernames

# most likely the other XSS fix:
#   add " as a special char in addition to those already being processed such as "&", "<" and ">"

# looks like the fix for those not having zlib

# change in stripping and length of usernames

# added strings for the new variables to prevent brute forcing user passwords

# ditto

# if you have other languages installed they will need the same modifications

# the prevention of the brute force attacks

# similar change to the one in include/functions_post.php
# interestingly there might be an issue in private messages with XSS on forums.

# support for the added variables for preventing the bruteforcing of the user passwords

# the move of the version info towards the top of the page

# if you have other templates (probably based on subSilver), make similar changes there as well!

# copy the install and contrib directories (forum goes offline)
$ cp -r .../{contrib,install} forum

# surf to install/update_to_latest.php
$ lynx http://.../forum/install/update_to_latest.php
# this step updates the database

# remove contrib and install
$ rm -rf forum/contrib forum/install

# test

My conclusions from the changes in the source code are:
  • XSS issues in uploaded html (also in private messages between members)
  • XSS issues in the [url] and [quote] tags
  • fixes with new variables to control brute forcing login attempts
Swa Frantzen
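
The report above notes that " was added as a special char next to "&", "<" and ">". The following is an added example, not part of the original diary and not phpBB's own code, showing why that matters when user text ends up inside a double-quoted HTML attribute. The function names, the template and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not taken from the phpBB source.

// Behaviour before the change as the diary describes it: only &, < and > are special.
function escape_without_quote(string $s): string
{
    // '&' must be replaced first so the entities produced below are not re-escaped.
    return str_replace(['&', '<', '>'], ['&amp;', '&lt;', '&gt;'], $s);
}

// Behaviour after the change: the double quote is escaped as well.
function escape_with_quote(string $s): string
{
    return str_replace(['&', '<', '>', '"'], ['&amp;', '&lt;', '&gt;', '&quot;'], $s);
}

// Assumed template: the escaped value is placed inside a double-quoted attribute.
function render_link(string $escaped): string
{
    return '<a href="/profile" title="' . $escaped . '">profile</a>';
}

// Parse the markup the way a browser would and list the attributes the
// <a> element really ends up with.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed sample input: contains no '<' or '>', only a double quote.
$input = 'Swa" data-injected="yes';

foreach (['escape_without_quote', 'escape_with_quote'] as $fn) {
    $html = render_link($fn($input));
    echo $fn, ":\n  ", $html, "\n  attributes: ",
         implode(', ', attribute_names($html)), "\n";
}
```

With the three-character escaping the parsed element carries an attribute the template never wrote; with the quote escaped, the whole input stays inside the title value.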