You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 64 guest(s) and 2 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - Two vulnerabilities in 2.0.x phpBB [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

Two vulnerabilities in 2.0.x phpBB
 
Post new topic  Reply to topicprinter-friendly view Nuke Cops Forum Index » Nuke Security
View previous topic Log in to check your private messages View next topic
Author Message
sambeckett
Corporal
Corporal


Joined: Jun 25, 2003
Posts: 63
PostPosted: Fri Jun 27, 2003 8:22 am Reply with quoteBack to top
http://www.phpbb.com/news.php?id=17

Does this effect php-nuke?

Are the fixes in the next release?
Find all posts by sambeckettView user's profileSend private message
chatserv
General
General


Joined: Jan 12, 2003
Posts: 3128

Location: Puerto Rico
PostPosted: Fri Jun 27, 2003 8:34 am Reply with quoteBack to top
These and other forum related issues will be covered in sec-fix patch 4, hopefully this will also be added to PHP-Nuke's core.

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
Find all posts by chatservView user's profileSend private messageVisit poster's website
sambeckett
Corporal
Corporal


Joined: Jun 25, 2003
Posts: 63
PostPosted: Fri Jun 27, 2003 8:38 am Reply with quoteBack to top
where do you get sec-fix patch 4 ?
Find all posts by sambeckettView user's profileSend private message
mikem
Theme Guru
Theme Guru


Joined: Jan 13, 2003
Posts: 1582

Location: Corn fields of Indiana
PostPosted: Fri Jun 27, 2003 8:47 am Reply with quoteBack to top
sambeckett wrote:
where do you get sec-fix patch 4 ?


Quote:
will be covered in sec-fix patch 4


which means it is not released yet. Wink

_________________
Getting Started | My Projects
Find all posts by mikemView user's profileSend private message
sambeckett
Corporal
Corporal


Joined: Jun 25, 2003
Posts: 63
PostPosted: Fri Jun 27, 2003 8:50 am Reply with quoteBack to top
Ahh.. for now it will stay insecure. just like phpnuke 6.5 is in general.

When is 6.7 being released to the public? My system has be insecure for log enough and the web site doesnt have a release date.
Find all posts by sambeckettView user's profileSend private message
mikem
Theme Guru
Theme Guru


Joined: Jan 13, 2003
Posts: 1582

Location: Corn fields of Indiana
PostPosted: Fri Jun 27, 2003 9:10 am Reply with quoteBack to top
6.7 will not be released to the public according the developer of Nuke. The next scheduled PUBLIC release will be version 7.0.

I wouldn't worry too much about that little vulnerability. If you are currently running Nuke6.5 with secfix3 for it, then you are basically running Nuke6.7.

mikem

_________________
Getting Started | My Projects
Find all posts by mikemView user's profileSend private message
foxyfemfem
Support Staff
Support Staff


Joined: Jan 23, 2003
Posts: 668

Location: USA
PostPosted: Fri Jun 27, 2003 9:24 am Reply with quoteBack to top
Hello,

If you can't wait for the sec fix 4 you can go to this URL http://www.phpbb.com/phpBB/viewtopic.php?t=113826 and do the fix yourself

_________________
If you shoot for the moon and miss, you'll still be amongst the stars.
Find all posts by foxyfemfemView user's profileSend private message
luchtzak
Support Mod
Support Mod


Joined: Mar 19, 2003
Posts: 308
PostPosted: Fri Jun 27, 2003 9:26 am Reply with quoteBack to top
Don't worry Sambeckett

_________________
Luchtzak Aviation - Snookerforum Belgium
Find all posts by luchtzakView user's profileSend private messageVisit poster's website
sambeckett
Corporal
Corporal


Joined: Jun 25, 2003
Posts: 63
PostPosted: Fri Jun 27, 2003 9:36 am Reply with quoteBack to top
when is 7.0 going to be released?
Find all posts by sambeckettView user's profileSend private message
luchtzak
Support Mod
Support Mod


Joined: Mar 19, 2003
Posts: 308
PostPosted: Fri Jun 27, 2003 9:41 am Reply with quoteBack to top
FB from www.phpnuke.org is busy with it!

ciao,

Bart

_________________
Luchtzak Aviation - Snookerforum Belgium
Find all posts by luchtzakView user's profileSend private messageVisit poster's website
chatserv
General
General


Joined: Jan 12, 2003
Posts: 3128

Location: Puerto Rico
PostPosted: Fri Jun 27, 2003 10:40 am Reply with quoteBack to top
Since this and one other issue relate to security problems i don't think it'd be fair to hold back on them so here you go:

16-open viewtopic.php and before:
Code:
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
      $topic_id = intval($HTTP_GET_VARS['topic']);
}


add:
Code:
$topic_id = $post_id = false;


Scroll down and find:
Code:
$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";


Change that to:
Code:
$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";


17-Open modules/Forums/admin/admin_styles.php and find:
Code:
//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

if (empty($HTTP_POST_VARS['send_file']))
{
   $no_page_header = ( $cancel ) ? TRUE : FALSE;
   require($phpbb_root_path . 'extension.inc');
   require('./pagestart.' . $phpEx);
}

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}


Replace with:
Code:
//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources

Last edited by chatserv on Fri Jun 27, 2003 12:16 pm; edited 1 time in total
Find all posts by chatservView user's profileSend private messageVisit poster's website
mikem
Theme Guru
Theme Guru


Joined: Jan 13, 2003
Posts: 1582

Location: Corn fields of Indiana
PostPosted: Fri Jun 27, 2003 10:46 am Reply with quoteBack to top
actually, as disgruntledtech said, we do not need the admin_styles.php file anymore in the phpBB in Nuke6.5 You can simply delete that file.
Vulnerablity solved there Wink

mikem

_________________
Getting Started | My Projects
Find all posts by mikemView user's profileSend private message
luchtzak
Support Mod
Support Mod


Joined: Mar 19, 2003
Posts: 308
PostPosted: Fri Jun 27, 2003 11:43 am Reply with quoteBack to top
Chatserv,

can you post the code as code since the php is messing things up with the code that I need to change in the files.

thanks,

Bart

_________________
Luchtzak Aviation - Snookerforum Belgium
Find all posts by luchtzakView user's profileSend private messageVisit poster's website
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view Nuke Cops Forum Index » Nuke Security
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by · TOGETHER TEAM srl ITALY http://www.togetherteam.it · DONDELEO E-COMMERCE http://www.DonDeLeo.com
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.223 Seconds - 273 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::