Серьезная дыра в phpbb <=2.0.12

Green Mother · 28 Фев 2005

Серьезная дыра в phpbb <=2.0.12

Рекомендуется всем срочно пропатчиться, подробные инструкции тут:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

Romantik · 28 Фев 2005

phpBB : Critical Error

Could not connect to the database

Green Mother · 28 Фев 2005

Хм, только что работал.
Если вкратце, то откройте includes/sessions.php, замените

PHP:

if( $sessiondata['autologinid'] == $auto_login_key )

на

PHP:

if( $sessiondata['autologinid'] === $auto_login_key )

(82 строка в файле, если не правился)

В файле viewtopic.php:

PHP:

$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

на

PHP:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Alien · 28 Фев 2005

http://secunia.com/advisories/14413/

A vulnerability has been reported in phpBB, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the comparison of "sessiondata['autologinid']" and "auto_login_key". This can be exploited to gain administrative privileges on phpBB.

An error in "viewtopic.php" allows disclosure of path information

This vulnerability affects version 2.0.12 and prior.

Solution:
Update to version 2.0.13.

Серьезная дыра в phpbb <=2.0.12

Green Mother

Guest

Romantik

TeaM PHPClub

Green Mother

Guest

Alien

Новичок