
phpBB 2.0.12 - security update

Get it as quick as you can

1:48 am on Feb 22, 2005 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Another day, another phpBB security update. Here's the link to the advisory:

[phpbb.com...]

...one of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users, as always, to upgrade to this release as soon as possible.

Download link here:

[phpbb.com...]

Note: it seems that the download isn't yet available from the mirrors, but it should be there soon.

After the rash of attacks and worms last time [webmasterworld.com], it is to update installations as soon as possible. Even if the potential exploit has not been made public, it won't take long for someone to reverse engineer the patch and work out where the bug is. I would put money on there being a new worm starting to attack boards within the week if the bug is harmful enough.

There goes another evening... Good luck! :)

6:47 am on Feb 22, 2005 (gmt 0)

10+ Year Member



Not again! Yep another evening down the tube.

The mirrors are all down still. Does make you wonder if a "smart" hacker is DoS attacking them while they work out where the hack is!

Hohum .... alternatives to phpBB anyone?

1:38 pm on Feb 22, 2005 (gmt 0)

10+ Year Member



Hohum .... alternatives to phpBB anyone?

vbulletin, but they've had a few security updates recently.. personally upgrading phpbb is a LOT easier than vbulletin..

1:53 pm on Feb 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Note: it seems that the download isn't yet available from the mirrors, but it should be there soon.

Lots of SourceForge mirrors do not have it -- I found one that does: Ishikawa, Japan

1:54 pm on Feb 22, 2005 (gmt 0)

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The vBB security upgrades could also be handled by patches if you didn't want to go through the whole process.

This spate of security updates for major forum packages shows that it's a good thing to disguise your forum as much as possible. "Powered by", version info, etc., all make a forum an easier target. I'd never rely purely on "security by obscurity", but every little barrier helps.

1:59 pm on Feb 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"Powered by", version info, etc., all make a forum an easier target.

But would it really help for attackers who use automated programs to try to obtain unauthorised access to the forum? They will just go for a known filename, like: www.example.com/forum/memberlist.php, and it would not even matter if the file is there in the first place -- they can just scan all sites.

1:59 pm on Feb 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the alert - Ishikawa, Japan mirror has the changed files.

<edit>
Beat me to it.
</edit>

7:02 pm on Feb 22, 2005 (gmt 0)

10+ Year Member



They will just go for known filename, like: www.example.com/forum/memberlist.php, and it would not even matter if file is there in the first place -- they can just scan all sites.

- disallow all your .php files in robots.txt
- use mod_rewrite to make viewtopic and viewforum and /index.php appear as .html files.
- delete memberlist.php, viewonline.php, faq.php
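The three steps above as an .htaccess file for a phpBB 2 board installed under /forum/. This is an added example, not from the thread or from phpBB; the `topic-N.html` / `forum-N.html` URL shapes and the /forum/ base are assumptions, and the "delete" step is expressed as a 410 Gone rule so that template links which still point at those files fail cleanly instead of being served.

```apache
# Added example (not from the thread): /forum/.htaccess for a phpBB 2 board.
# Assumes mod_rewrite is enabled and AllowOverride permits FileInfo.
RewriteEngine On
RewriteBase /forum/

# Step 2: present index, viewforum and viewtopic as .html pages.
# The query parameters f= and t= are phpBB 2's own; the .html shapes are ours.
RewriteRule ^index\.html$            index.php          [L,QSA]
RewriteRule ^forum-([0-9]+)\.html$   viewforum.php?f=$1 [L,QSA]
RewriteRule ^topic-([0-9]+)\.html$   viewtopic.php?t=$1 [L,QSA]

# Step 3: memberlist, viewonline and faq are answered with 410 Gone
# (equivalent in effect to deleting them, but reversible).
RewriteRule ^(memberlist|viewonline|faq)\.php$ - [G,L]
```

For step 1, a robots.txt with `User-agent: *` followed by one `Disallow: /forum/viewtopic.php` style line per script keeps well-behaved crawlers away from the .php names (a Disallow prefix matches every query-string variant). None of this removes the vulnerable code: viewtopic.php still answers at its real name, and a scanner that guesses it is unaffected, so these rules only reduce how easily the board is catalogued as phpBB and are no substitute for installing 2.0.12.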

2:23 pm on Feb 23, 2005 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The details of the vulnerability have been published in this iDefense Advisory [idefense.com]. The problem exists with the avatar upload function, which can be abused to access arbitrary files on the server.

Exploitation of this vulnerability allows remote attackers to view arbitrary system files under the privileges of the underlying web server. An attacker must have, or be able to create an account on the target system. Non-default settings must also be enabled for exploitation to be possible.

Also:

"Enable remote avatars" and "Enable avatar uploading" must be enabled for the target to be vulnerable.

It sounds as if most installations would be unaffected by this vulnerability. That doesn't mean that you don't need to update, but there is a lesser need for urgency than for the 2.0.11 release. A simple workaround is to simply disable remote avatars and avatar uploading.

I updated with the patch file last night with no particular problems: a few hunk failures where I'd previously made big changes, but it was easy enough to add the missing patches manually with the help of the .rej files. Things should go smoothly in most cases.
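The advisory summary above describes the bug class (a user-influenced avatar path reaching the filesystem and reading files outside the avatar directory) and the workaround (switch off both avatar features). The snippet below is an added illustration of that class and of the workaround as code; it is not phpBB's code and not the actual 2.0.12 flaw, whose mechanics are only in the linked iDefense advisory. The avatar directory path is an assumption, and the `allow_avatar_upload` / `allow_avatar_remote` keys are assumed to match phpBB 2's board_config names.

```php
<?php
// Added example (not phpBB's code). Illustrates the bug class the advisory
// summary describes: a user-controlled filename used for a file read
// without confining it to the intended directory.

$avatar_dir = '/var/www/forum/images/avatars';   // assumed path

// Vulnerable pattern: the name is joined straight onto the directory, so a
// name such as '../../config.php' reads a file outside the avatar directory.
function read_avatar_unsafe($avatar_dir, $name)
{
    return file_get_contents($avatar_dir . '/' . $name);
}

// Hardened pattern: accept only a plain image filename, then resolve the
// path and verify that the resolved path is still inside the avatar
// directory (this second check also catches symlinks placed in the directory).
function read_avatar_safe($avatar_dir, $name)
{
    if (!preg_match('/^[A-Za-z0-9_]+\.(gif|jpe?g|png)$/', $name)) {
        return false;   // anything with slashes, dots or odd characters is refused
    }
    $base = realpath($avatar_dir);
    $path = realpath($avatar_dir . '/' . $name);
    if ($base === false || $path === false) {
        return false;   // directory or file does not exist
    }
    if (strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return false;   // resolved outside the avatar directory
    }
    return file_get_contents($path);
}

// The thread's workaround expressed as a guard: with both settings off, the
// avatar code path is never reached at all. Config keys assumed to match
// phpBB 2's board_config names.
function avatar_feature_enabled($board_config)
{
    return !empty($board_config['allow_avatar_upload'])
        || !empty($board_config['allow_avatar_remote']);
}

// Constructed checks: a traversal name is refused, the workaround disables
// the feature entirely.
var_dump(read_avatar_safe($avatar_dir, '../../config.php') === false);   // bool(true)
var_dump(avatar_feature_enabled(array('allow_avatar_upload' => 0,
                                      'allow_avatar_remote' => 0)));      // bool(false)
```

The whitelist alone already blocks traversal; the realpath comparison is kept because upload directories accumulate whatever the upload code lets through, and a check on the resolved path holds even if the filename rules are relaxed later. The guard is the cheap option encyclo describes: until the patch is in, turning both settings off removes the reachable code rather than trying to filter its input.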

12:57 am on Feb 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the heads up encyclo. Will be fixing mine up tonight.

3:31 pm on Feb 24, 2005 (gmt 0)

10+ Year Member



For those with modded forums, they are providing a changes update in the form of a mod.

Took me very little time to upgrade:

[phpbb.com...]

8:26 pm on Feb 26, 2005 (gmt 0)

10+ Year Member



I gave up on phpbb a little while ago and switched to SMF ( [simplemachines.org...] ) and it works great, easy to convert over basic forums, if yours is heavily modified it might be a bit more work but still possible.

One thing that I like is having them send out notices about releases through their support forum. And it also tells you in the admin console with an easy link to update ;)
