:: Forums ⇒

Critical phpBB Security Fixes for users of 8.2c

#1: Critical phpBB Security Fixes for users of 8.2c Author: Trevor, Location: New York

Posted: Sun Feb 27, 2005 11:30 pm
----
Hi all,

The phpBB Group has just released phpBB 2.0.13, which addresses two vulnerabilities reported after the very recent release of 2.0.12. One issue is very serious, as it allows anyone to gain administrative rights for your forums. The other is a full path disclosure. Again, these patches apply only to users of CPG-Nuke 8.2c.

Open includes/phpBB/sessions.php.

Find on line 86:

PHP:

if( $sessiondata['autologinid'] == $auto_login_key )

Replace with:

PHP:

if( $sessiondata['autologinid'] === $auto_login_key )

Open modules/Forums/viewtopic.php.

Find on line 1225:

PHP:

$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Replace with:

PHP:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

You can also download the patched files.

Thanks.

Last edited by Trevor on Mon Mar 28, 2005 2:15 am; edited 1 time in total

#2: Re: Critical phpBB Security Fixes for users of 8.2c Author: Yoshi,

Posted: Wed Mar 02, 2005 3:31 am
----
Does this go for the same for 8.2b users?

#3: Re: Critical phpBB Security Fixes for users of 8.2c Author: Jeruvy, Location: Canada

Posted: Thu Mar 03, 2005 1:47 am
----
You should apply 8.2c immediately. These updates are defined as critical ONLY for CPGnuke 8.2b.

They are not widespread changes only fixes and security updates so any mod's or themes you are using will not be affected by these patches.

HTH,

#4: Re: Critical phpBB Security Fixes for users of 8.2c Author: Jeruvy, Location: Canada

Posted: Fri Mar 04, 2005 2:42 pm
----
Also note: this patch has been exploited also.

These are fixes suggested, but I have not tested.

In usercp_register.php

PHP:

I will let the devs sort this one out. But it does look like a real fix over the last *cough* patch *cough* which really didn't do anything IMHO.

#5: Re: Critical phpBB Security Fixes for users of 8.2c Author: bist,

Posted: Wed Mar 09, 2005 2:19 am
----
so if I have 8.2b i should unpack 8.2c and copy it over my installation?

just wanna be sure

#6: Re: Critical phpBB Security Fixes for users of 8.2c Author: NanoCaiordo, Location: Melbourne, AU

Posted: Wed Mar 09, 2005 7:39 am
----
Personally I cannot find uesrcp_register.php ...inside which directory I will find it.

#7: Re: Critical phpBB Security Fixes for users of 8.2c Author: djdevon3,

Posted: Thu Mar 10, 2005 12:38 am
----
usercp_register.php

umm where is that file located?

#8: Re: Critical phpBB Security Fixes for users of 8.2c Author: xfsunoles, Location: Melbourne, Florida

Posted: Thu Mar 10, 2005 4:23 am
----
i believe it located in includes/phpBB folder.

#9: Re: Critical phpBB Security Fixes for users of 8.2c Author: NanoCaiordo, Location: Melbourne, AU

Posted: Thu Mar 10, 2005 4:33 am
----
its does not exist becouse user registration it is not longer done by the forum module but by my account module, something like coppermine registration that is not longer done by coppermine but, again, by my account. so we do not need this patch!

#10: Re: Critical phpBB Security Fixes for users of 8.2c Author: djdevon3,

Posted: Fri Mar 11, 2005 12:10 am
----
That's what I thought. The file does not exist for cpg. Stand-alone only I believe. That doesn't mean that 8.x users shouldn't patch using the code that is applicable. Only the patch dealing with the usercp_register.php doesn't apply to us.

#11: Re: Critical phpBB Security Fixes for users of 8.2c Author: DaveTomneyUK, Location: UK, England

Posted: Mon Mar 21, 2005 3:29 pm
----
Does the top fix that Trevor posted need adding to CPG-Dragonfly 9.0.2.0 Mainly the viewtopic.php file?

#12: Re: Critical phpBB Security Fixes for users of 8.2c Author: Trevor, Location: New York

Posted: Tue Mar 22, 2005 1:29 am
----
No

-> Security

All times are GMT

Page 1 of 1