Phpbb Vulnerability (versions Older Than 2.0.11)

[MikeJ]

A vulnerability was discovered recently in phpBB versions prior to 2.0.11.

 

Description

===========

 

phpBB contains a vulnerability in the highlighting code and several

vulnerabilities in the username handling code.

 

Impact

======

 

An attacker can exploit the highlighting vulnerability to access the

PHP exec() function without restriction, allowing them to run arbitrary

commands with the rights of the web server user (for example the apache

user). Furthermore, the username handling vulnerability might be abused

to execute SQL statements on the phpBB database.

 

2.0.11 is now available in your cPanel and you should be able to upgrade to it via the cPanel upgrade option. If you use phpBB, you should upgrade to 2.0.11. If you have phpBB installed but are not using it, please consider uninstalling it.

 

Note: If you find that 2.0.11 is not available in your cPanel, please send in a support ticket.

Edited December 8, 2004 by TCH-MikeJ

[KungFòóFairy]

My site resides on Server #86 and I don't have the option to upgrade to 2.0.11 yet; it still has the old 2.0.10 upgrade option only. I suppose I could just download the binary from phpbb.com and manually upgrade it, but I'm just so darn lazy...

[Head Guru]

Drop a ticket into support and ask that the box be upgraded and if you like reference this thread

 

Bill

[TCH-Bruce]

Before you upgrade please backup your logo image if you changed it and your overall_header.tpl file if you modified it. And any other .tpl files you may have changed.

 

Then after upgrading put those files back to their proper locations.

[curtis]

I probably need to open a help ticket for this but thought I would ask here first.

 

When I go to the phpbb page in c-panel to upgrade the box next to *upgrade an existing installation* is empty.

I tried adding the user and pass info and directory name where phpbb is installed then clicked on the upgrade button I get apage that says *Sorry, you must specifty a directory to install or upgrade*

I am using v.2.0.6 installed thru c-panel.

 

Suggestions?

[TCH-Don]

Maybe a help ticket is worth the try to see if they know a way to get cpanel to see your current install.

 

One other option might be the changed files only

after a backup of mods of course.

[curtis]

Its no problem. Just thought about upgrading from c-panel.

 

I went to phpbb site, downloaded the upgrade and replaced the changed files. I'll only have to re-install 2 or 3 Mods

 

Thanks Don

[thehemi]

I highly suggest using the "password protect a directory"

function on the /forums/admin/ directory. Thus you add

another layer of security in case someone's able to hack

"admin rights" somehow. To admin the forums you need

phpBB admin rights AND the user/pass that you setup in

the Cpanel. You can never be too safe. I just did it now

for all of my phpBB sites. No idea why I never thought to

go ahead and do it to them in the past.

[Pony99CA]

I patched the remote execution vulnerability when I read about this problem (likely on C|Net) last year. However, I had not upgraded to phpBB 2.0.11 (it didn't seem to be available on my server, if I recall).

 

Last Friday (2/11), I got an E-mail telling me I was running an insecure version of phpBB. I just now (2/14 2:45 AM PST or so) upgraded to 2.0.11. However, I have three questions.

 

First, why did it take so long to get this E-mail? This thread was started back in November, so it took over two months to get warned.

 

Second, the message said if I didn't upgrade within 24 hours, my forum would be disabled. I didn't notice the E-mail until 24 hours were up (my laptop died Friday, so I was worrying about that). Did my forum get disabled? It seemed to be working just before I upgraded, so I'm wondering if that "24 hours" was just a minimum or if it was actually referring to one business day (which would be appropriate for a note sent on a Friday).

 

Finally, I seemed to be getting some errors regarding phpBB and MySQL. Here they are:

[Mon Feb 14 05:34:26 2005][error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 05:34:26 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 05:34:26 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_connect(): Lost connection to MySQL server during query in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

Are those indications that my forum was disabled, was somebody trying to hack my forum or is there some other explanation?

 

The forum is still working for me after the upgrade, but would somebody verify that other users can see it? It's at http://forum.svpocketpc.com if you'd care to check it.

 

Thanks,

Steve

[TCH-Thomas]

I can´t answer the other questions but this one...

I can see your forum and it says 2.0.11, so I guess you are safe.

[TCH-Bruce]

Hi Steve, I can see your forum fine and it is updated.

 

You didn't receive the email before you did because it was only sent last week.

 

The security bulletin was posted on the forums in November. Some people upgraded when it was posted. phpBB boards came under attack to this vulnerability early last week. TCH made a decision to send the email and start disabling the non-secure phpBB forums to protect the servers if updates were not applied.

 

Don't know what the error messages mean. Are you still getting them?

[Prel]

Hi,

 

In PHPNuke 7.6 the PHPBB is 2.0.10

 

As I make upgrade ?

 

Thank´s

[MikeJ]

Hi,

 

In PHPNuke 7.6 the PHPBB is 2.0.10

 

As I make upgrade ?

<{POST_SNAPBACK}>

 

I'm not an expert on PHP-Nuke, but a quick search shows a BBtoNuke 2.0.11 download at nukeresources.com and some instruction on how to do the upgrade.

[Prel]

Hello Mike,

 

 

I´m have success in upgrade phpBB 2.0.10 for phpBB 2.0.11 .

 

Now, alll my sites in PHPnuke now Powered by phpBB 2.0.11 © 2001 phpBB Group

 

It was easy..

 

Thank´s for you attencion.

[TCH-Bruce]

Paulo, there have been two more patches released since this. The latest version is 2.0.13.

 

Check here (2.0.12) and here (2.0.13) for more info.

[erisande]

Paulo, there have been two more patches released since this.  The latest version is 2.0.13.

 

Check here (2.0.12) and here (2.0.13) for more info.

<{POST_SNAPBACK}>

Should we manually upgrade to this new version, or is TCH going to spooprt the upgrade through the control panel?

[TCH-Bruce]

Yes you will have to upgrade manually. TCH does not control when cPanel will add the latest patch.

[erisande]

Yes you will have to upgrade manually.  TCH does not control when cPanel will add the latest patch.

<{POST_SNAPBACK}>

Thanks for the quick response! I will look into it and see how to upgrade.

[tomowa]

Hi erisande,

 

We had a bit of disscusion about upgrade to .13 here, if it is any help to you http://www.totalchoicehosting.com/forums/i...81entry122781

 

HTH, Tom

[erisande]

Looking into it, thanks!