
Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)



In-Reply-To: <20041118044742.16170.qmail@xxxxxxxxxxxxxxxxxxxxx>

A fix for this was submitted to phpbb.com yesterday afternoon, and was posted 
to the site around 7pm PST:
http://www.phpbb.com/phpBB/viewtopic.php?p=1319332#1319332

The download for the new version can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?t=94055

This problem only affects Cash Mod / phpBB installations on servers running PHP 
with register_globals set to ON. By default, PHP installations of 4.2 or 
greater have this set to OFF because of the (now obvious) security 
implications. People should make sure that their register_globals directive is 
OFF, because there are many other open software packages that suffer similar 
security threats.

The supposed "fix" that the submitter of this bug has provided is amusing, as 
it was obviously never tested: Swapping code around will have "unforeseen" 
implications, like making the phpBB adminCP inaccessible. Congratulations on 
succeeding in creating such an effective solution to the problem.

I would like to extend my lack of thanks to the person who posted this here for 
failing to contact the author (myself) regarding this security flaw before 
posting it (It is my suspicion that the submitter is not the original 
discoverer of the bug), and would like to extend my real thanks to the person 
who was kind enough to forward this to the phpBB staff who contacted me about 
it.

The problem was fixed within hours of my finding out about it, and was posted 
to phpBB.com within half a day, half a day before this post (as seen below) was 
submitted here.
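
Added example (not part of the original message, and not Cash Mod or phpBB code): a small Python audit for the register_globals advice above, reading php.ini text plus an optional .htaccess override. The function names and the sample configuration text are constructed for illustration; php_admin_flag settings in the Apache configuration and per-section INI blocks are not handled.

```python
import re

def _is_on(value):
    # Spellings counted as "on"; deliberately generous so the audit
    # errs toward flagging a host rather than missing one.
    v = value.strip().strip("\"'").lower()
    return v in {"on", "yes", "true"} or (v.isdigit() and int(v) != 0)

def ini_register_globals(ini_text, builtin_default=False):
    """Effective setting from php.ini text; the last assignment wins.
    builtin_default=False matches PHP 4.2 or greater, per the message."""
    state = builtin_default
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        m = re.match(r"register_globals\s*=\s*(.*)$", line, re.I)
        if m:
            state = _is_on(m.group(1))
    return state

def htaccess_register_globals(htaccess_text):
    """True/False if a per-directory file sets the flag, None if silent."""
    state = None
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                   # Apache comment line
            continue
        m = re.match(r"php_(?:flag|value)\s+register_globals\s+(\S+)",
                     line, re.I)
        if m:
            state = _is_on(m.group(1))
    return state

def effective_register_globals(ini_text, htaccess_text="",
                               builtin_default=False):
    """A per-directory override, when present, beats php.ini."""
    override = htaccess_register_globals(htaccess_text)
    if override is not None:
        return override
    return ini_register_globals(ini_text, builtin_default)

# Constructed sample input, not taken from any real server.
SAMPLE_INI = "; register_globals = On\nregister_globals = Off\n"
SAMPLE_HTACCESS = "# legacy app\nphp_flag register_globals on\n"

if __name__ == "__main__":
    on = effective_register_globals(SAMPLE_INI, SAMPLE_HTACCESS)
    print("register_globals is", "ON (fix this)" if on else "OFF")
```

The sample shows the case a php.ini check alone misses: the main configuration says Off, but a per-directory file turns the flag back on for one application.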