Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
In-Reply-To: <20041118044742.16170.qmail@xxxxxxxxxxxxxxxxxxxxx>
A fix for this was submitted to phpbb.com yesterday afternoon, and was posted
to the site around 7pm PST
http://www.phpbb.com/phpBB/viewtopic.php?p=1319332#1319332
The download for the new vesion can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?t=94055
This problem only affects Cash Mod / phpBB installations on servers running PHP
with register_globals set to ON. By default, php installations of 4.2 or
greater have this set to OFF because of the (now obvious) security
implications. People should make sure that their register_globals directive is
OFF, because there are many other open softwares that suffer similar security
threats.
The supposed "fix" that the submitter of this bug has provided is amusing, as
it was obviously never tested: Swapping code around will have "unforseen"
implications, like making the phpBB adminCP inaccessible. Congratulations on
succeeding to create such an effective solution to the problem.
I would like to extend my lack of thanks to the person who posted this here for
failing to contact the author (myself) regarding this security flaw before
posting it (It is my suspicion that the submitter is not the original
discoverer of the bug), and would like to extend my real thanks to the person
who was kind enough to forward this to the phpBB staff who contacted me about
it.
The problem was fixed within hours of my finding out about it, and was posted
to phpBB.com within half a day, half a day before this post (as seen below) was
submitted here.