Two vulnerabilities in 2.0.x phpBB

Corporal Joined: Jun 25, 2003 Posts: 63

http://www.phpbb.com/news.php?id=17

Does this effect php-nuke?

Are the fixes in the next release?

Posted: Fri Jun 27, 2003 8:34 am

These and other forum related issues will be covered in sec-fix patch 4, hopefully this will also be added to PHP-Nuke's core.

Corporal Joined: Jun 25, 2003 Posts: 63

where do you get sec-fix patch 4 ?

Posted: Fri Jun 27, 2003 8:47 am

sambeckett wrote:

where do you get sec-fix patch 4 ?

Quote:

will be covered in sec-fix patch 4

which means it is not released yet. Wink

Corporal Joined: Jun 25, 2003 Posts: 63

Ahh.. for now it will stay insecure. just like phpnuke 6.5 is in general.

When is 6.7 being released to the public? My system has be insecure for log enough and the web site doesnt have a release date.

Posted: Fri Jun 27, 2003 9:10 am

6.7 will not be released to the public according the developer of Nuke. The next scheduled PUBLIC release will be version 7.0.

I wouldn't worry too much about that little vulnerability. If you are currently running Nuke6.5 with secfix3 for it, then you are basically running Nuke6.7.

mikem

Posted: Fri Jun 27, 2003 9:24 am

Hello,

If you can't wait for the sec fix 4 you can go to this URL http://www.phpbb.com/phpBB/viewtopic.php?t=113826 and do the fix yourself

Support Mod Joined: Mar 19, 2003 Posts: 308

Don't worry Sambeckett

Corporal Joined: Jun 25, 2003 Posts: 63

when is 7.0 going to be released?

Support Mod Joined: Mar 19, 2003 Posts: 308

FB from www.phpnuke.org is busy with it!

ciao,

Bart

Posted: Fri Jun 27, 2003 10:40 am

Since this and one other issue relate to security problems i don't think it'd be fair to hold back on them so here you go:

16-open viewtopic.php and before:

Code:

if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
$topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
$topic_id = intval($HTTP_GET_VARS['topic']);
}

add:

Code:

$topic_id = $post_id = false;

Scroll down and find:

Code:

$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";

Change that to:

Code:

$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";

17-Open modules/Forums/admin/admin_styles.php and find:

Code:

//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

if (empty($HTTP_POST_VARS['send_file']))
{
$no_page_header = ( $cancel ) ? TRUE : FALSE;
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
}

if ($cancel)
{
redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

Replace with:

Code:

//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

if ($cancel)
{
redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

Posted: Fri Jun 27, 2003 10:46 am

actually, as disgruntledtech said, we do not need the admin_styles.php file anymore in the phpBB in Nuke6.5 You can simply delete that file.
Vulnerablity solved there Wink

mikem

Support Mod Joined: Mar 19, 2003 Posts: 308

Chatserv,

can you post the code as code since the php is messing things up with the code that I need to change in the files.

thanks,

Bart