Date: 19 Nov 2004 02:01:23 -0000
From: Robert Hetzler <mods@...e.ca>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)


In-Reply-To: <20041118044742.16170.qmail@....securityfocus.com>

A fix for this was submitted to phpbb.com yesterday afternoon, and was posted to the site around 7pm PST.
http://www.phpbb.com/phpBB/viewtopic.php?p=1319332#1319332

The download for the new version can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?t=94055

This problem only affects Cash Mod / phpBB installations on servers running PHP with register_globals set to ON. By default, PHP installations of 4.2 or greater have this set to OFF because of the (now obvious) security implications. People should make sure that their register_globals directive is OFF, because there are many other open software packages that suffer similar security threats.

The supposed "fix" that the submitter of this bug has provided is amusing, as it was obviously never tested: Swapping code around will have "unforseen" implications, like making the phpBB adminCP inaccessible. Congratulations on succeeding to create such an effective solution to the problem.

I would like to extend my lack of thanks to the person who posted this here for failing to contact the author (myself) regarding this security flaw before posting it (It is my suspicion that the submitter is not the original discoverer of the bug), and would like to extend my real thanks to the person who was kind enough to forward this to the phpBB staff who contacted me about it.

The problem was fixed within hours of my finding out about it, and was posted to phpBB.com within half a day, half a day before this post (as seen below) was submitted here.
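
A check for the register_globals setting the message above tells administrators to verify, added here as an illustration and not part of the original post or of Cash Mod. The sample php.ini and .htaccess contents are constructed, and the function name is hypothetical; it assumes the last matching directive in a file wins.

```python
import re

# php.ini values PHP treats as boolean true (case-insensitive).
TRUTHY = {"1", "on", "yes", "true"}

# An uncommented "register_globals = value" line in php.ini.
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^";\s]*)"?', re.I)
# An Apache override: "php_flag register_globals on" (or php_admin_flag).
HTACCESS_RE = re.compile(
    r'^\s*php_(?:admin_)?flag\s+register_globals\s+(\S+)', re.I)


def register_globals_enabled(text, pattern=INI_RE, default=False):
    """Return True if the configuration text turns register_globals on.

    `default` applies when no directive is present; False matches the
    PHP >= 4.2 default mentioned in the post.
    """
    enabled = default
    for line in text.splitlines():
        # Lines commented out with ';' or '#' do not match the patterns.
        m = pattern.match(line)
        if m:
            # Assumption: a later directive overrides an earlier one.
            enabled = m.group(1).lower() in TRUTHY
    return enabled


# Constructed sample inputs (not taken from any real server).
SAMPLE_INI = """\
; register_globals = Off
[PHP]
register_globals = On   ; legacy application needs this
display_errors = Off
"""
SAMPLE_HTACCESS = "php_flag register_globals off\n"
SAMPLE_NO_DIRECTIVE = "[PHP]\ndisplay_errors = Off\n"

if __name__ == "__main__":
    print("php.ini:", register_globals_enabled(SAMPLE_INI))
    print(".htaccess:", register_globals_enabled(SAMPLE_HTACCESS, HTACCESS_RE))
    print("no directive:", register_globals_enabled(SAMPLE_NO_DIRECTIVE))
```

A per-directory .htaccess override can re-enable the setting even when php.ini has it off, so both files need checking for each virtual host.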

