phpBB 2.0.19 released

Published: 2005-12-30
Last Updated: 2005-12-31 11:04:37 UTC
by Swa Frantzen (Version: 2)
1 comment(s)
phpBB 2.0.19 has been released.

It looks like it's upgrade time for those of us running a phpBB forum. XSS and dictionary attacks against forum users seem to be on the menu.

Report of an upgrade I performed:

# download
# download the code from one of the mirrors you find
# through http://www.phpbb.com/downloads.php

# Since I try not to browse on the server it's a bit a pain to get to the URLs
# of the mirrors, still it's quite possible.

$ wget ...

# I usually get the patch file as it details the changes between the two releases
# and the changed files only as I'd rather get clean copies than have patch
# bail out due to some reason. I do have a modified board so sometimes I
# need to code myself to get these upgrades back in place.

# unpack
# unpack the files you fetched away from the live forum.

#copy (backup) and make sure the copy does not get used
$ cp -r forum forum.cp
$ chmod 0 forum.cp

#Change the files
admin/admin_board.php
# add new parameters to prevent brute forcing passwords of users
# remove quotes around a string that is assigned (not clear to me as to the rationale)
# perhaps others with deeper knowledge of PHP can explain the difference between:
  • $b = basename (...) ; $a = "$b" ;
  • $b = basename (...) ; $a = $b ;
admin/admin_db_utilities.php
# add sessions_keys to the list of the tables to be backed up

admin/admin_disallow.php
# removes the addition of a session key

admin/admin_ranks.php
# removal of the quotes, similar to admin/admin_board.php

admin/admin_styles.php
# dito

admin/admin_users.php
# added aditional processing when deleting users
# phpbb_clean_username() call added
# added ".." in path to the avatar location

admin/admin_words.php
# again the removal of the quotes, similar to admin/admin_board.php

admin/index.php
# allow version 5 of mysql
# add "./" in front of the filenames while building the menu

common.php
# change of the error message when in install and contrib directory are still
# present on a production system

include/bbcode.php
# most likely the XSS fixes:
#   tests for url= inside [url] tags
#   replaced the char " with "&quote;" for the [quote] tag

include/functions.php
# sql escaping of usernames

include/functions_post.php
# most likely the other XSS fix:
#   add " as a special char in addtion to those already being processed such as "&", "<" and ">"

include/usercp_confirm.php
# looks like the fix for those not having zlib

include/usercp_register.php
# change in stripping and length of usernames

language/lang_english/lang_admin.php
# added strings for the new variables to prevent brute forcing user passwords

language/lang_english/lang_main.php
# dito

# if you have other languages installed they will need the same modifications

l
ogin.php
# the prevention of the brute force attacks

privmsg.php
# similar change to the one in include/functions_post.php
# interestingly there might be an issue in private messages with XSS on forums.

templates/subSilver/admin/board_config_body.tpl
# support for the added variables for preventing the bruteforcing of the user passwords

templates/subSilver/admin/index_body.tpl
# the move of the version info towards the top of the page

# if you have other templates (probably based on subSilver), make similar changes there as well!

# copy the install and contrib directories (forum goes offline)
$ cp -r .../{contrib,install} forum

# surf to install/update_to_latest.php
$ lynx http://.../forum/install/update_to_latest.php
# this step updates the database

# remove contrib and install
$ rm -rf forum/contrib forum/install

# test

My conclusion from the changes in the source code are:
  • XSS issues in uploaded html (also in private messages between members)
  • XSS issues in the [url] and [quote] tags
  • fixes with new variables to control brute forcing login attempts
--
Swa Frantzen
Keywords:
1 comment(s)

Comments


Diary Archives