Jump to content

Phpbb Vulnerability (versions Older Than 2.0.11)


MikeJ
 Share

Recommended Posts

A vulnerability was discovered recently in phpBB versions prior to 2.0.11.

 

Description

===========

 

phpBB contains a vulnerability in the highlighting code and several

vulnerabilities in the username handling code.

 

Impact

======

 

An attacker can exploit the highlighting vulnerability to access the

PHP exec() function without restriction, allowing them to run arbitrary

commands with the rights of the web server user (for example the apache

user). Furthermore, the username handling vulnerability might be abused

to execute SQL statements on the phpBB database.

 

2.0.11 is now available in your cPanel and you should be able to upgrade to it via the cPanel upgrade option. If you use phpBB, you should upgrade to 2.0.11. If you have phpBB installed but are not using it, please consider uninstalling it.

 

Note: If you find that 2.0.11 is not available in your cPanel, please send in a support ticket.

Edited by TCH-MikeJ
Link to comment
Share on other sites

I probably need to open a help ticket for this but thought I would ask here first.

 

When I go to the phpbb page in c-panel to upgrade the box next to *upgrade an existing installation* is empty.

I tried adding the user and pass info and directory name where phpbb is installed then clicked on the upgrade button I get apage that says *Sorry, you must specifty a directory to install or upgrade*

I am using v.2.0.6 installed thru c-panel.

 

Suggestions?

Link to comment
Share on other sites

I highly suggest using the "password protect a directory"

function on the /forums/admin/ directory. Thus you add

another layer of security in case someone's able to hack

"admin rights" somehow. To admin the forums you need

phpBB admin rights AND the user/pass that you setup in

the Cpanel. You can never be too safe. I just did it now

for all of my phpBB sites. No idea why I never thought to

go ahead and do it to them in the past.

Link to comment
Share on other sites

  • 2 months later...

I patched the remote execution vulnerability when I read about this problem (likely on C|Net) last year. However, I had not upgraded to phpBB 2.0.11 (it didn't seem to be available on my server, if I recall).

 

Last Friday (2/11), I got an E-mail telling me I was running an insecure version of phpBB. I just now (2/14 2:45 AM PST or so) upgraded to 2.0.11. However, I have three questions.

 

First, why did it take so long to get this E-mail? This thread was started back in November, so it took over two months to get warned.

 

Second, the message said if I didn't upgrade within 24 hours, my forum would be disabled. I didn't notice the E-mail until 24 hours were up (my laptop died Friday, so I was worrying about that). Did my forum get disabled? It seemed to be working just before I upgraded, so I'm wondering if that "24 hours" was just a minimum or if it was actually referring to one business day (which would be appropriate for a note sent on a Friday).

 

Finally, I seemed to be getting some errors regarding phpBB and MySQL. Here they are:

[Mon Feb 14 05:34:26 2005][error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 05:34:26 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 05:34:26 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331

[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330

[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_connect(): Lost connection to MySQL server during query in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

Are those indications that my forum was disabled, was somebody trying to hack my forum or is there some other explanation?

 

The forum is still working for me after the upgrade, but would somebody verify that other users can see it? It's at http://forum.svpocketpc.com if you'd care to check it.

 

Thanks,

Steve

Link to comment
Share on other sites

Hi Steve, I can see your forum fine and it is updated.

 

You didn't receive the email before you did because it was only sent last week.

 

The security bulletin was posted on the forums in November. Some people upgraded when it was posted. phpBB boards came under attack to this vulnerability early last week. TCH made a decision to send the email and start disabling the non-secure phpBB forums to protect the servers if updates were not applied.

 

Don't know what the error messages mean. Are you still getting them?

Link to comment
Share on other sites

  • 2 weeks later...

Hello Mike,

 

 

I´m have success in upgrade phpBB 2.0.10 for phpBB 2.0.11 .

 

Now, alll my sites in PHPnuke now Powered by phpBB 2.0.11 © 2001 phpBB Group

 

It was easy.. :thumbup1:

 

Thank´s for you attencion.

Link to comment
Share on other sites

  • 5 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...