
Forum Moderators: rogerd


phpBB 2.0.13 Upgrade

New security related phpBB update

   
4:06 am on Mar 3, 2005 (gmt 0)

10+ Year Member



Just a heads-up to check www.phpbb.com for the latest update (version 2.0.13). There is a fix in it for a fairly serious admin access exploit.

Here's a quick summary of the security issue changes from 2.0.12 to 2.0.13:

OPEN sessions.php

FIND
* $Id: sessions.php,v 1.58.2.11 2004/07/11 16:46:19 acydburn Exp $

REPLACE WITH
* $Id: sessions.php,v 1.58.2.12 2005/02/27 20:33:01 acydburn Exp $

FIND
if( $sessiondata['autologinid'] == $auto_login_key )

REPLACE WITH
if( $sessiondata['autologinid'] === $auto_login_key )

OPEN viewtopic.php

FIND
* $Id: viewtopic.php,v 1.186.2.38 2005/02/21 18:37:06 acydburn Exp $

REPLACE WITH
* $Id: viewtopic.php,v 1.186.2.39 2005/02/27 20:33:00 acydburn Exp $

FIND
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

REPLACE WITH
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

SAVE AND CLOSE ALL FILES
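
The sessions.php change listed above swaps == for ===. The following is an added example, not phpBB code and not part of the original post: it shows how PHP's two operators treat values of different types when checked against a stored key. The function names, the sample key and the hardened variant using is_string() and hash_equals() are assumptions made for illustration.

```php
<?php
// Added illustration; not phpBB's code. All names and values are constructed.

// Style of the check before the change: loose comparison.
// PHP converts the operands to a common type before comparing.
function key_matches_loose($supplied, $stored) {
    return $supplied == $stored;
}

// Style of the check after the change: type and value must both match.
function key_matches_strict($supplied, $stored) {
    return $supplied === $stored;
}

// Further hardening (an assumption, not in the posted change):
// reject anything that is not a string, then compare in constant time.
function key_matches_hardened($supplied, $stored) {
    return is_string($supplied)
        && is_string($stored)
        && hash_equals($stored, $supplied);
}

$stored = 'constructed-sample-key'; // constructed sample value

// Constructed inputs of different types, as could arrive from
// deserialized client-side data.
$candidates = array(
    'same string'  => 'constructed-sample-key',
    'other string' => 'wrong-key',
    'boolean true' => true,
    'integer 0'    => 0,   // loose result differs between PHP 7 and PHP 8
    'null'         => null,
);

printf("%-14s %-6s %-6s %-6s\n", 'input', 'loose', 'strict', 'hard');
foreach ($candidates as $label => $value) {
    printf(
        "%-14s %-6s %-6s %-6s\n",
        $label,
        var_export(key_matches_loose($value, $stored), true),
        var_export(key_matches_strict($value, $stored), true),
        var_export(key_matches_hardened($value, $stored), true)
    );
}
```

Under == a boolean true compares equal to any non-empty string, so only the strict and hardened checks require the supplied value to actually be the stored key.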

4:09 am on Mar 3, 2005 (gmt 0)

10+ Year Member



OOPS! I missed the previous post ... sorry for the dupe