Big bug in phpBB

[CrazyMouse]

please read this URL

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

open viewtopic.php in any text editor. Find the following section

// 
// Was a highlight request part of the URI? 
// 
$highlight_match = $highlight = ''; 
if (isset($HTTP_GET_VARS['highlight'])) 
{ 
   // Split words and phrases 
   $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight'])))); 

   for($i = 0; $i < sizeof($words); $i++) 
   {

and replace with:

// 
// Was a highlight request part of the URI? 
// 
$highlight_match = $highlight = ''; 
if (isset($HTTP_GET_VARS['highlight'])) 
{ 
   // Split words and phrases 
   $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight']))); 

   for($i = 0; $i < sizeof($words); $i++) 
   {

Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.

 

[vandal]

this is really huge, you can run system commands. make sure your users update this asap, or i would check myself just to be sure.

 

[matrixx]

Hmm - is there an easy way of checking who is running phpbb?

Rob

 

[matrixx]

Looks like they have released a patched update..

http://www.phpbb.com/phpBB/viewtopic.php?t=240636

Rob

 

[nobaloney]

Hmm - is there an easy way of checking who is running phpbb?

# locate -i phpbb

Jeff

 

[vandal]

somepeople rename their forums

i would include a few other words
# locate -i forum
# locate -i forums
# locate -i phpBB2
# locate -i boards
# locate -i messageboard

something like that

 

[vandal]

actually, just search for a file you know phpbb uses, also the one that needs patching.

# locate -i viewtopic.php

 

[l0rdphi1]

perl -pi -e 's/(.words = explode.. ., trim.htmlspecialchars.)urldecode.(.HTTP_GET_VARS..highlight.....)./$1$2/' viewtopic.php

Haven't tested, but that should patch viewtopic.php for you

Phi1.

 

[nobaloney]

somepeople rename their forums

i would include a few other words
# locate -i forum
# locate -i forums
# locate -i phpBB2
# locate -i boards
# locate -i messageboard

something like that

I doubt people rename the images built into phpbb, which is what my command finds.

I suppose they could, however.

Note that locate -i phpBB2 is redundant; phpBB2 would be found by locate -i phpbb.

Jeff