phpBB 2.0.16 released

Another vital security update


encyclo

9:08 pm on Jun 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A quick heads-up for all the phpBBers out there who are not signed up to the security mailing list: here we go again! This is a pretty small patch, actually, but it contains one critical security update. Details and download available here:

[phpbb.com...]

The critical part is a one-line fix in viewtopic.php - do it now, even before you reply! ;)

BlackRaven

12:26 am on Jun 30, 2005 (gmt 0)

10+ Year Member



thanks encyclo

jatar_k

8:56 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I still don't understand why, as highlight gets exploited over and over again, they even have it there.

I have added a similar line as that patch in the last couple of versions due to the vulnerabilities. I just nuke it altogether.

bcolflesh

9:00 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And a cross-site scripting hack is already circulating through the security lists for 2.0.16 - turn off BBCode to mitigate the problem for now.

jatar_k

9:05 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



looking at that patch again, it must make it crawl: a pair of str_replace with a pair of preg_replace and a substr

what a royal mess

jatar_k

10:23 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



actually it seems I was looking at the whole line

as coopster reminded me, all they did was put addslashes on the highlight.

sad

encyclo

2:40 pm on Jul 6, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I know what you mean, jatar - to those who are fairly clueless in PHP (like me) that line looks like torture. There must have been a dozen phpBB patches at least which fix problems with highlighting in the past too - very frustrating.

But what to do? Is it easy to just rip out the highlighting functionality? Is the code like that due to the number of bug fixes or because the whole feature was badly coded from the start?
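The thread describes the 2.0.16 fix as putting addslashes on the highlight value, and jatar_k's own approach as removing the feature. A middle path is to allowlist the parameter to plain words before it touches anything else, and to escape the post text before wrapping matches. The example below is added here for illustration; it is not phpBB code and not code from any poster. The function names, defaults and sample inputs are constructed, and the original viewtopic.php logic is not reproduced.

```php
<?php
// Added example, not phpBB code: treat the ?highlight= value as untrusted input
// and reduce it to an allowlisted word list instead of escaping it after the fact.
declare(strict_types=1);

/**
 * Reduce a raw highlight value to a short list of plain lowercase words.
 * Only [A-Za-z0-9_] survives; quotes, slashes, angle brackets and regex
 * metacharacters are dropped with the word that carried them, so nothing
 * hostile can reach a query, a regex or the rendered page.
 * (Hypothetical helper; limits are constructed defaults.)
 */
function sanitize_highlight(string $raw, int $maxWords = 10, int $maxLen = 32): array
{
    $words = [];
    // The parameter is conventionally a '+'- or whitespace-separated word list.
    foreach (preg_split('/[\s+]+/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $word) {
        // Allowlist rather than blocklist: reject anything that is not a plain word.
        if (!preg_match('/^\w{1,' . $maxLen . '}$/', $word)) {
            continue;
        }
        $words[strtolower($word)] = true;   // de-duplicate via array keys
        if (count($words) >= $maxWords) {
            break;
        }
    }
    return array_keys($words);
}

/**
 * Escape the post text first, then wrap whole-word matches of the
 * allowlisted terms. preg_quote() is redundant after the \w check above
 * but is kept as defence in depth in case the allowlist is ever loosened.
 * (Hypothetical helper.)
 */
function highlight_text(string $text, array $words): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    if ($words === []) {
        return $safe;
    }
    $pattern = '/\b(' . implode('|', array_map('preg_quote', $words)) . ')\b/i';
    return preg_replace($pattern, '<span class="highlight">$1</span>', $safe);
}

// Constructed sample input standing in for $_GET['highlight'] and a post body.
$rawHighlight = "PHP+bb' OR 1=1 -- <script>";
$postText     = 'Upgrading phpBB to 2.0.16 fixes the highlight <b>bug</b> in PHP.';

$words = sanitize_highlight($rawHighlight);
// Only 'php' and 'or' survive; the quoted, comparison and tag-bearing tokens are dropped.
echo implode(',', $words), "\n";
// The <b> tags in the post are escaped; only the standalone word PHP is wrapped.
echo highlight_text($postText, $words), "\n";
```

The point of the allowlist is that the decision is made once, at the input boundary, and the same clean word list can then be used for the search query, the regex and the output without a separate escaping step for each context; that is the property a single addslashes() call on the way in does not give you.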