CRITICAL: phpBB Search Exploit, Follow-up :: Archived

tank

williamj wrote:

Is the current download of 8.2b fixed? or do these files still need to be patched?

Thank you,

8.2b was reaeased months ago so I would say that the files need to be patched.

djdevon3 · Gold Supporter Offline Joined: Aug 05, 2004 Posts: 4363

we can release a patched version on cpgnukefiles. everything the same but with the patch. can't imagine they wouldn't patch 8.2b and reupload.

Jeruvy

There was a patch released for cpgnuke 8.2b in the downloads, but I'll be damned if I can find it...anyone want to clarify what zip tg.gz file is the 8.2b patch?

williamj · Newbie Offline Joined: Jan 03, 2005 Posts: 14

I to need the patch please. Can somebody point us to it or do we need to do the manual upgrades? This is the kind of stuff that makes me wonder if GPGNuke is the right package for us. Known exploits but not included in the current installation package??? Sad

Thank you,

Jeruvy · Last edited by Jeruvy on Mon Jan 03, 2005 5:43 pm; edited 1 time in total

8.2b was released in July 2004, and is NOT current.

CVS is current and is patched.

Just to clarify williamj's points.

BTW attachment mod will ALWAYS have problems and expect to see more exploits in the near future using this code. If you enable attachments and uploads to your site you should be ten times more diligent than another web admin who disables such functions.

Trust me we haven't seen the end of exploits on attachments_mod.

I doubt it will ever be 100% secure.

However I'm very confident that myself and others here will keep on top of these concerns and issues and address them. But not always is there going to be a patch for old versions.

Wish you well,

williamj · Newbie Offline Joined: Jan 03, 2005 Posts: 14

I thought the CVS code was only Version 9 and not recommended for production sites??? Is there an explanation of CVS and how it is supposed to be used anywhere. I run 2 other phpBB's and I know that you are 100% right about the attachment mod. It is a HUGE security risk.

Thank you VERY much for your help!! I may even consider running the V9 code, but I need to learn a lot more about CVS and how to stay up to date, etc before I do. If you can explain this and would rather do it by phone or something like that to make it easy I would be happy to call or you can call me or however. We are trying to roll out a GPGNuke site as an alternative to a straight phpBB2 site, but we need to keep from compromising all the rest of the sites on the box.

Thank you in advance!!

Please PM if we can phone.

Will

Jeruvy

Yes you are right. CVS code is version 9 and not recommended for production sites. Doesn't mean you CANNOT, I do. But....

There are bugs still that are being worked on, and no support will be provided until they are stabilized.

As for the remainder of your remarks I'm a bit confused, how would it affect other sites?

If you wish to bug me on icq or yahoo, or irc I can be found online, not necesarily at the keyboad (I have too bloody many Wink

feel free. )

djdevon3 · Gold Supporter Offline Joined: Aug 05, 2004 Posts: 4363

looks like 8.2c was released. good job guys. thank you, your securityness. Smile