Re: Phpbb 2.0.7a And Earlier Security Issues
In-Reply-To: <20040322031300.15846.qmail@xxxxxxxxxxxxxxxxxxxxxxxx>
Hi,
Unfortunately the phpBB team underestimated/misunderstood the damage these
issues could cause to a phpBB installation, so there is no official fix as of
yet. However, I hear they are working on an officially released fix as we speak :)
Until then I am sharing the fixes I have implemented on the GulfTech forums.
They have been tested for a few days now and seem to work fine. The issues
addressed are the ACP SQL injection, the post deletion problems, and the forced
logout problem. The issues not addressed are the admin command execution, and
the ACP session auth problems.
My advice to anyone regarding those unfixed issues is to just ONLY use your
admin phpBB account to make admin changes, and then log out. Don't view posts,
pm's or the like with your admin account until an official fix is released or
until you make a fix yourself ;)
Here are the links to the fixes and the original advisory.
http://www.gulftech.org/vuln/phpBBadminFix.rar
http://www.gulftech.org/vuln/phpBBpostDeletion.rar
http://www.gulftech.org/vuln/phpBBlogoutFix.rar
http://www.gulftech.org/03202004.php
Best Regards,
JeiAr
>From: JeiAr <security@xxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Phpbb 2.0.7a And Earlier Security Issues
>
>
>
>Vendor : phpBB Group
>URL : http://www.phpbb.com
>Version : phpBB 2.0.7a && Earlier
>Risk : Multiple Vulnerabilities
>
>
>
>Description:
>phpBB is a high powered, fully scalable, and highly customisable