4WebHelp
 FAQ  •  Search  •  User Groups  •  Forum Admins  •  Smilies List  •  Statistics  •  Rules   •  Login   •  Register
Toggle Navigation Menu

 phpBB 2.0.5 and SQL injection vulnerability
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic
Author Message
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Fri Jun 20, 2003 3:54 pm (14 years, 4 months ago) Reply with QuoteBack to Top

You probably know this already, but, in case you don't (phpBB's site was down these last few days due to a DoS attack), phpBB 2.0.5 has been released. This will be the last version of phpBB 2.0.x until phpBB 2.2's first release candidate is released.

Further details
Download it


Also, an SQL injection vulnerability was discovered in viewtopic.php, which is quite simple to fix. See the fix

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
Darren
Team Member



Joined: 05 Feb 2002
Posts: 549
Location: London

PostPosted: Fri Jun 20, 2003 6:11 pm (14 years, 4 months ago) Reply with QuoteBack to Top

This fix stops the error handling from not working so elegantly when the post_id is missing or its not an integer, you get a debug message rather than the usual message. see this post which contains an 'unofficial' fix.
OfflineView User's ProfileFind all posts by DarrenSend Personal MessageVisit Poster's Website
Ben
Senior WebHelper
Senior WebHelper


Joined: 08 Jan 2002
Posts: 431
Location: Liverpool - UK

PostPosted: Fri Jun 20, 2003 8:16 pm (14 years, 4 months ago) Reply with QuoteBack to Top

Quote:
This will be the last version of phpBB 2.0.x until phpBB 2.2's first release candidate is released.


What happens if theres a massive security hole discovered tomorrow? Laughing

________________________________
Ben Scott

Red and White Kop
OfflineView User's ProfileFind all posts by BenSend Personal MessageSend emailVisit Poster's Website
jayant
Team Member



Joined: 07 Jan 2002
Posts: 262
Location: New Delhi, India

PostPosted: Sat Jun 21, 2003 6:37 am (14 years, 4 months ago) Reply with QuoteBack to Top

Quote:

What happens if theres a massive security hole discovered tomorrow?
Laughing

________________________________
Jayant Kumar
Member of the 4WebHelp Team
Nibble Guru - Computing Queries Demystified
GZip/ Page Compression Test
OfflineView User's ProfileFind all posts by jayantSend Personal MessageVisit Poster's WebsiteYahoo MessengerMSN Messenger
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Sat Jun 21, 2003 6:42 am (14 years, 4 months ago) Reply with QuoteBack to Top

They will most likely issue a patch, since most security issues don't require more than a few code changes (much like the one I just pointed out).

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
Darren
Team Member



Joined: 05 Feb 2002
Posts: 549
Location: London

PostPosted: Thu Jun 26, 2003 7:48 am (14 years, 3 months ago) Reply with QuoteBack to Top

A potential vulnerability has now been found in: admin/admin_styles.php

Details of the fix here:
http://www.phpbb.com/phpBB/viewtopic.php?t=113826
OfflineView User's ProfileFind all posts by DarrenSend Personal MessageVisit Poster's Website
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Thu Jun 26, 2003 7:50 am (14 years, 3 months ago) Reply with QuoteBack to Top

Typical mentality: my fame goes before the security of people using the script, so I let the whole world know there's a vulnerability in the script before letting phpBB developers know Evil or Very Mad

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
Ben
Senior WebHelper
Senior WebHelper


Joined: 08 Jan 2002
Posts: 431
Location: Liverpool - UK

PostPosted: Mon Aug 04, 2003 11:43 pm (14 years, 2 months ago) Reply with QuoteBack to Top

Ben wrote:
Quote:
This will be the last version of phpBB 2.0.x until phpBB 2.2's first release candidate is released.


What happens if theres a massive security hole discovered tomorrow? Laughing


2.0.6 is out Laughing

________________________________
Ben Scott

Red and White Kop
OfflineView User's ProfileFind all posts by BenSend Personal MessageSend emailVisit Poster's Website
Display posts from previous:      
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic


 Jump to:   




You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot edit your posts in this forum.
You cannot delete your posts in this forum.
You cannot vote in polls in this forum.


Page generation time: 0.049838 seconds :: 17 queries executed :: All Times are GMT
Powered by phpBB 2.0 © 2001, 2002 phpBB Group :: Based on an FI Theme