[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041119020123.25035.qmail@www.securityfocus.com>
Date: 19 Nov 2004 02:01:23 -0000
From: Robert Hetzler <mods@...e.ca>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
In-Reply-To: <20041118044742.16170.qmail@....securityfocus.com>
A fix for this was submitted to phpbb.com yesterday afternoon, and was posted to the site around 7pm PST
http://www.phpbb.com/phpBB/viewtopic.php?p=1319332#1319332
The download for the new vesion can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?t=94055
This problem only affects Cash Mod / phpBB installations on servers running PHP with register_globals set to ON. By default, php installations of 4.2 or greater have this set to OFF because of the (now obvious) security implications. People should make sure that their register_globals directive is OFF, because there are many other open softwares that suffer similar security threats.
The supposed "fix" that the submitter of this bug has provided is amusing, as it was obviously never tested: Swapping code around will have "unforseen" implications, like making the phpBB adminCP inaccessible. Congratulations on succeeding to create such an effective solution to the problem.
I would like to extend my lack of thanks to the person who posted this here for failing to contact the author (myself) regarding this security flaw before posting it (It is my suspicion that the submitter is not the original discoverer of the bug), and would like to extend my real thanks to the person who was kind enough to forward this to the phpBB staff who contacted me about it.
The problem was fixed within hours of my finding out about it, and was posted to phpBB.com within half a day, half a day before this post (as seen below) was submitted here.
Powered by blists - more mailing lists