PhpBB 2.0.19 Cross Site Request Forgeries Exploit

BlackRaven

6:17 am on Feb 7, 2006 (gmt 0)

Details: SecurityAlert
Topic : phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
SecurityAlert Id : 31
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : Yes
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 3.2.2006

Solution: Don't display <IMG> tags for users where you have the SID in the URL. And use POST
for any operations like creating or removing smilies as Admin.
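The two mitigations the advisory names (no image tags that carry a session id in their URL, and POST-only admin operations) can be illustrated with a small stand-alone PHP sketch. This is an added example, not code from the advisory or from phpBB; the function names csrf_token(), require_admin_post() and is_safe_img_url(), and the "/admin/" path check, are assumptions made for the illustration, and phpBB 2 itself had no per-session anti-forgery token.

```php
<?php
// Added example (not phpBB's own code). The function names and the "/admin/"
// path prefix are assumptions made for this illustration.

// 1. Per-session anti-forgery token. A forged request from another site cannot
//    know this value, so it cannot satisfy the check in require_admin_post().
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// 2. Guard for state-changing admin operations (creating or removing smilies,
//    for example). Anything that is not a POST carrying the session's token is
//    refused, so a GET triggered by an embedded image cannot perform the action.
function require_admin_post(string $method, array $post, array &$session): bool
{
    if ($method !== 'POST') {
        return false;                        // GET/HEAD must never mutate state
    }
    $expected = csrf_token($session);
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time regardless of where strings differ
    return is_string($given) && hash_equals($expected, $given);
}

// 3. Filter for user-supplied image URLs: refuse any URL that carries a "sid"
//    parameter or points into the board's admin area, so a post cannot embed a
//    request that rides on the session of whoever views it.
function is_safe_img_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                        // relative or malformed URL: refuse
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                        // only plain web schemes are allowed
    }
    $query = [];
    parse_str($parts['query'] ?? '', $query);
    if (array_key_exists('sid', $query)) {
        return false;                        // session id in the URL: forgery vector
    }
    if (preg_match('#/admin/#i', $parts['path'] ?? '')) {
        return false;                        // never fetch admin pages as images
    }
    return true;
}

// Demonstration with constructed inputs (not taken from any real board).
$session = [];
echo "GET without token:   ", var_export(require_admin_post('GET', [], $session), true), "\n";
echo "POST, wrong token:   ", var_export(require_admin_post('POST', ['csrf_token' => 'wrong'], $session), true), "\n";
echo "POST, correct token: ", var_export(require_admin_post('POST', ['csrf_token' => csrf_token($session)], $session), true), "\n";
echo "ordinary image URL:  ", var_export(is_safe_img_url('http://example.com/images/smile.gif'), true), "\n";
echo "admin URL with sid:  ", var_export(is_safe_img_url('http://example.com/admin/remove.php?id=3&sid=abc'), true), "\n";
```

The token check and the method check are independent: even with a token in place, keeping mutating admin actions off GET removes the whole class of image-triggered requests, which is the point the advisory's solution makes.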

cws3di

6:30 am on Feb 7, 2006 (gmt 0)

Wow.
Thanks for the heads up. I am a newbie; I've only been using phpBB for a couple of months now.

I have read quite a few posts on various forums that recommend upgrading as soon as new versions come out (for security reasons).

My current install is 2.0.17, and I have been thinking about biting the bullet and attempting to figure out how to do the upgrade to 2.0.19.

In your opinion, is this "exploit" enough to deter or delay me from doing the upgrade for now, or should I wait for the next upgrade?

BlackRaven

2:44 am on Feb 8, 2006 (gmt 0)

cws3di, I strongly encourage you to upgrade; there is a previous nastier exploit for 2.0.19. If you have HTML enabled (which I highly recommend turning off) or allow guests/members to upload avatars, I HIGHLY RECOMMEND turning them off in 2.0.19.