
Community Building and User Generated Content Forum

phpBB 2.0.12 - security update
Get it as quick as you can
encyclo
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 353 posted 1:48 am on Feb 22, 2005 (gmt 0)

Another day, another phpBB security update. Here's the link to the advisory:

[phpbb.com...]

...one of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users, as always, to upgrade to this release as soon as possible.

Download link here:

[phpbb.com...]

Note: it seems that the download isn't yet available from the mirrors, but it should be there soon.

After the rash of attacks and worms last time [webmasterworld.com], it is important to update installations as soon as possible. Even if the potential exploit has not been made public, it won't take long for someone to reverse engineer the patch and work out where the bug is. I would put money on there being a new worm starting to attack boards within the week if the bug is harmful enough.

There goes another evening... Good luck! :)

 

buksida
10+ Year Member
Msg#: 353 posted 6:47 am on Feb 22, 2005 (gmt 0)

Not again! Yep, another evening down the tube.

The mirrors are all down still. Does make you wonder if a "smart" hacker is DoS attacking them while they work out where the hack is!

Hohum .... alternatives to phpBB anyone?

jasonlambert
10+ Year Member
Msg#: 353 posted 1:38 pm on Feb 22, 2005 (gmt 0)

Hohum .... alternatives to phpBB anyone?

vBulletin, but they've had a few security updates recently... personally, upgrading phpBB is a LOT easier than vBulletin.

Lord Majestic
WebmasterWorld Senior Member, 10+ Year Member
Msg#: 353 posted 1:53 pm on Feb 22, 2005 (gmt 0)

Note: it seems that the download isn't yet available from the mirrors, but it should be there soon.

Lots of SourceForge mirrors do not have it -- I found one that does: Ishikawa, Japan.

rogerd
WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member
Msg#: 353 posted 1:54 pm on Feb 22, 2005 (gmt 0)

The vBB security upgrades could also be handled by patches if you didn't want to go through the whole process.

This spate of security updates for major forum packages shows that it's a good thing to disguise your forum as much as possible. "Powered by", version info, etc., all make a forum an easier target. I'd never rely purely on "security by obscurity", but every little barrier helps.

Lord Majestic
WebmasterWorld Senior Member, 10+ Year Member
Msg#: 353 posted 1:59 pm on Feb 22, 2005 (gmt 0)

"Powered by", version info, etc., all make a forum an easier target.

But would it really help against attackers who use automated programs to try to obtain unauthorised access to a forum? They will just go for a known filename, like www.example.com/forum/memberlist.php, and it would not even matter if the file is there in the first place -- they can just scan all sites.

bcolflesh
WebmasterWorld Senior Member, 10+ Year Member
Msg#: 353 posted 1:59 pm on Feb 22, 2005 (gmt 0)

Thanks for the alert - Ishikawa, Japan mirror has the changed files.

<edit>
Beat me to it.
</edit>

jasonlambert
10+ Year Member
Msg#: 353 posted 7:02 pm on Feb 22, 2005 (gmt 0)

They will just go for known filename, like: www.example.com/forum/memberlist.php, and it would not even matter if file is there in the first place -- they can just scan all sites.

- disallow all your .php files in robots.txt
- use mod_rewrite to make viewtopic and viewforum and /index.php appear as .html files.
- delete memberlist.php, viewonline.php, faq.php
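
One way to put the second and third items into practice, as an added example that is not code from the thread or from phpBB: an Apache .htaccess for a phpBB 2 board installed under /forum/. The /forum/ path and the topic-<id>.html / forum-<id>.html naming scheme are assumptions.

```apache
# Added example, not from the thread or from phpBB.
# Assumes the board lives at /forum/ on an Apache host with mod_rewrite enabled.
RewriteEngine On
RewriteBase /forum/

# Publish .html-style addresses for the pages you want indexed.
# The topic-<id>.html / forum-<id>.html naming is an assumption; the board's
# templates must emit these addresses, the rules below only map them back.
RewriteRule ^topic-([0-9]+)\.html$ viewtopic.php?t=$1 [L,QSA]
RewriteRule ^forum-([0-9]+)\.html$ viewforum.php?f=$1 [L,QSA]
RewriteRule ^index\.html$ index.php [L,QSA]

# Answer 404 for the scripts the poster deletes, so a probe of the well-known
# filenames gets the same response it would get from a host with no board.
RewriteRule ^(memberlist|viewonline|faq)\.php$ - [R=404,L]
```

Pretty URLs hide nothing from a scanner that requests viewtopic.php directly, so this is the "every little barrier helps" layer on top of the update, not a substitute for it. robots.txt Disallow lines (one per script path, since plain robots.txt matching is by prefix) only steer well-behaved crawlers.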

encyclo
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 353 posted 2:23 pm on Feb 23, 2005 (gmt 0)

The details of the vulnerability have been published in this iDefense Advisory [idefense.com]. The problem exists with the avatar upload function, which can be abused to access arbitrary files on the server.

Exploitation of this vulnerability allows remote attackers to view arbitrary system files under the privileges of the underlying web server. An attacker must have, or be able to create an account on the target system. Non-default settings must also be enabled for exploitation to be possible.

Also:

"Enable remote avatars" and "Enable avatar uploading" must be enabled for the target to be vulnerable.

It sounds as if most installations would be unaffected by this vulnerability. That doesn't mean that you don't need to update, but there is a lesser need for urgency than for the 2.0.11 release. A simple workaround is to disable remote avatars and avatar uploading.

I updated with the patch file last night with no particular problems: a few hunk failures where I'd previously made big changes, but it was easy enough to add the missing patches manually with the help of the .rej files. Things should go smoothly in most cases.

vkaryl
WebmasterWorld Senior Member, 10+ Year Member
Msg#: 353 posted 12:57 am on Feb 24, 2005 (gmt 0)

Thanks for the heads-up, encyclo. Will be fixing mine up tonight.

Stujoe
10+ Year Member
Msg#: 353 posted 3:31 pm on Feb 24, 2005 (gmt 0)

For those with modded forums, they are providing a changes update in the form of a mod.

Took me very little time to upgrade:

[phpbb.com...]

Jaeren
10+ Year Member
Msg#: 353 posted 8:26 pm on Feb 26, 2005 (gmt 0)

I gave up on phpBB a little while ago and switched to SMF ( [simplemachines.org...] ), and it works great. It is easy to convert over basic forums; if yours is heavily modified it might be a bit more work, but it is still possible.

One thing that I like is having them send out notices about releases through their support forum. And it also tells you in the admin console with an easy link to update ;)
