MikeJ Posted November 30, 2004 (edited)

A vulnerability was discovered recently in phpBB versions prior to 2.0.11.

Description
===========
phpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code.

Impact
======
An attacker can exploit the highlighting vulnerability to access the PHP exec() function without restriction, allowing them to run arbitrary commands with the rights of the web server user (for example the apache user). Furthermore, the username handling vulnerability might be abused to execute SQL statements on the phpBB database.

2.0.11 is now available in your cPanel and you should be able to upgrade to it via the cPanel upgrade option. If you use phpBB, you should upgrade to 2.0.11. If you have phpBB installed but are not using it, please consider uninstalling it.

Note: If you find that 2.0.11 is not available in your cPanel, please send in a support ticket.

Edited December 8, 2004 by TCH-MikeJ
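An added example (editor's code, not from the thread, cPanel or phpBB): a check you can run over a web server's access log to see whether anyone tried the highlighting bug described in the advisory above. It rests on two assumptions the advisory itself does not spell out: that the vulnerable code is reached through the highlight= parameter of viewtopic.php, and that exploit attempts get quotes and PHP syntax past the escaping by percent-encoding them twice (the web server decodes once; the vulnerable phpBB code decoded the value a second time). The Apache access-log lines are constructed for the example and do not come from any real server.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-log lines for the example; not taken from any real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Feb/2005:03:14:07 +0000] "GET /forum/viewtopic.php?t=12&highlight=word HTTP/1.0" 200 8123 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Feb/2005:03:14:09 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527.system(chr(108).chr(115)).%2527 HTTP/1.0" 200 9022 "-" "-"
198.51.100.4 - - [12/Feb/2005:03:15:01 +0000] "GET /forum/viewtopic.php?p=99&highlight=%2527%252Epassthru%2528%2524HTTP_GET_VARS%255Bc%255D%2529%252E%2527&c=id HTTP/1.0" 200 9311 "-" "-"
198.51.100.5 - - [12/Feb/2005:03:16:40 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that let a highlight value break out of the string phpBB built
# around it and into PHP code: quote, call parentheses, variable sigil, separator.
SUSPICIOUS = set("'();$")


def highlight_params(target):
    """Raw, still percent-encoded, values of every highlight= parameter in a request target."""
    values = []
    for pair in urlsplit(target).query.split('&'):
        name, _, value = pair.partition('=')
        if name == 'highlight':
            values.append(value)
    return values


def classify_highlight(raw_value):
    """Decode once (what the web server hands PHP) and twice (what the vulnerable
    code worked on, by assumption). Return the twice-decoded text and the
    suspicious characters that only appear after the second decode, i.e. the
    ones smuggled past any escaping applied to the once-decoded value."""
    once = unquote(raw_value)
    twice = unquote(once)
    smuggled = sorted((set(twice) & SUSPICIOUS) - set(once))
    return twice, smuggled


def scan_access_log(text):
    """One record per viewtopic.php request whose highlight= value smuggles
    suspicious characters through double encoding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        if not urlsplit(target).path.endswith('/viewtopic.php'):
            continue
        for raw in highlight_params(target):
            payload, smuggled = classify_highlight(raw)
            if smuggled:
                hits.append({
                    'line': lineno,
                    'client': line.split(' ', 1)[0],
                    'payload': payload,
                    'smuggled': smuggled,
                })
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print('line %(line)d from %(client)s: smuggled %(smuggled)s -> %(payload)s' % hit)
```

Run it against the real access_log instead of the sample and the decoded payload column shows what each request tried to execute; a plain search word never yields a smuggled character, so the check does not fire on normal forum searches. Finding hits does not by itself prove the box was compromised (the request may have hit an already-patched install), but it tells you which clients tried and what they ran.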
KungFòóFairy Posted November 30, 2004

My site resides on Server #86 and I don't have the option to upgrade to 2.0.11 yet; it still has the old 2.0.10 upgrade option only. I suppose I could just download the binary from phpbb.com and manually upgrade it, but I'm just so darn lazy...

Head Guru Posted November 30, 2004

Drop a ticket into support and ask that the box be upgraded and, if you like, reference this thread.

Bill

TCH-Bruce Posted December 1, 2004

Before you upgrade, please back up your logo image if you changed it and your overall_header.tpl file if you modified it, and any other .tpl files you may have changed. Then, after upgrading, put those files back in their proper locations.
curtis Posted December 1, 2004

I probably need to open a help ticket for this but thought I would ask here first. When I go to the phpBB page in cPanel to upgrade, the box next to "upgrade an existing installation" is empty. I tried adding the user and pass info and the directory name where phpBB is installed, then clicked on the upgrade button, and I get a page that says "Sorry, you must specify a directory to install or upgrade". I am using v2.0.6 installed through cPanel. Suggestions?

TCH-Don Posted December 1, 2004

Maybe a help ticket is worth a try, to see if they know a way to get cPanel to see your current install. One other option might be the changed files only, after a backup of your mods of course.

curtis Posted December 1, 2004

It's no problem. I just thought about upgrading from cPanel. I went to the phpBB site, downloaded the upgrade and replaced the changed files. I'll only have to re-install 2 or 3 mods. Thanks Don

thehemi Posted December 8, 2004

I highly suggest using the "password protect a directory" function on the /forums/admin/ directory. That way you add another layer of security in case someone is able to gain "admin rights" somehow. To admin the forums you then need phpBB admin rights AND the user/pass that you set up in cPanel. You can never be too safe. I just did it now for all of my phpBB sites. No idea why I never thought to do it to them in the past.
Pony99CA Posted February 14, 2005

I patched the remote execution vulnerability when I read about this problem (likely on C|Net) last year. However, I had not upgraded to phpBB 2.0.11 (it didn't seem to be available on my server, if I recall). Last Friday (2/11), I got an E-mail telling me I was running an insecure version of phpBB. I just now (2/14 2:45 AM PST or so) upgraded to 2.0.11. However, I have three questions.

First, why did it take so long to get this E-mail? This thread was started back in November, so it took over two months to get warned.

Second, the message said if I didn't upgrade within 24 hours, my forum would be disabled. I didn't notice the E-mail until 24 hours were up (my laptop died Friday, so I was worrying about that). Did my forum get disabled? It seemed to be working just before I upgraded, so I'm wondering if that "24 hours" was just a minimum or if it was actually referring to one business day (which would be appropriate for a note sent on a Friday).

Finally, I seemed to be getting some errors regarding phpBB and MySQL. Here they are:

[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 05:34:00 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:00 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:00 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 05:21:09 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:21:09 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:21:09 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:11 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 04:31:11 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 04:31:11 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_connect(): Lost connection to MySQL server during query in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

Are those indications that my forum was disabled, was somebody trying to hack my forum, or is there some other explanation? The forum is still working for me after the upgrade, but would somebody verify that other users can see it? It's at http://forum.svpocketpc.com if you'd care to check it.

Thanks,
Steve
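An added example for the PHP warnings quoted above (editor's code, not from the thread): a triage pass over an Apache error log that groups the warnings by timestamp and separates the root cause, the failed mysql_connect(), from the mysql_errno()/mysql_error() warnings that follow it, which phpBB emits because it goes on to call those functions on the handle of a connection that never opened. The (111) after "Can't connect ... through socket" is the operating-system errno, ECONNREFUSED on Linux: nothing was accepting connections on that socket at the moment of the request. Warnings of this shape record only that phpBB could not reach MySQL at those times; they carry no information about who caused it. The sample lines are constructed in the same shape as the ones posted, with a different home directory.

```python
import re

# Constructed sample lines in the shape of the ones quoted in the thread; not copied from any real log.
SAMPLE_ERROR_LOG = """\
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/example/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/example/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/example/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_connect(): Lost connection to MySQL server during query in /home/example/public_html/forum/db/mysql4.php on line 48
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s*\[error\]\s*PHP Warning:\s*(?P<func>\w+)\(\):\s*'
    r'(?P<msg>.*?)\s+in\s+(?P<file>\S+)\s+on line\s+(?P<line>\d+)$'
)
CONNECT_ERR_RE = re.compile(
    r"Can't connect to local MySQL server through socket '(?P<sock>[^']+)' \((?P<errno>\d+)\)"
)

# Linux errno 111. The MySQL client reports the OS errno it got from connect(2);
# ECONNREFUSED means no process was listening on the socket (mysqld down or restarting).
ECONNREFUSED = 111


def explain(func, msg):
    """Map one warning to ('root' | 'symptom' | 'other', human-readable detail)."""
    if func == 'mysql_connect':
        m = CONNECT_ERR_RE.search(msg)
        if m and int(m.group('errno')) == ECONNREFUSED:
            return 'root', 'mysqld not accepting connections on %s (ECONNREFUSED)' % m.group('sock')
        if 'Lost connection to MySQL server' in msg:
            return 'root', 'mysqld closed the connection mid-query (server stopped or restarted)'
        return 'root', 'connect failed: ' + msg
    if 'not a valid MySQL-Link resource' in msg:
        # phpBB's db layer calls mysql_errno()/mysql_error() on the handle returned by
        # the failed connect; these lines are fallout, not a second problem.
        return 'symptom', '%s() called on the handle of a failed connect' % func
    return 'other', msg


def triage(text):
    """Group warnings by timestamp; each group gets one root cause plus a count of
    follow-on symptoms, so a page of warnings collapses to a list of outages."""
    events, order = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = m.group('ts')
        if ts not in events:
            events[ts] = {'time': ts, 'root_cause': None, 'symptoms': 0, 'other': []}
            order.append(ts)
        kind, detail = explain(m.group('func'), m.group('msg'))
        if kind == 'root':
            events[ts]['root_cause'] = detail
        elif kind == 'symptom':
            events[ts]['symptoms'] += 1
        else:
            events[ts]['other'].append(detail)
    return [events[ts] for ts in order]


if __name__ == '__main__':
    for ev in triage(SAMPLE_ERROR_LOG):
        print('%s: %s (+%d follow-on warnings)' % (ev['time'], ev['root_cause'], ev['symptoms']))
```

On a real error_log the output is one line per moment MySQL was unreachable; if those moments line up with a known mysqld restart or maintenance window, the warnings are explained, and the access log (not this file) is where any evidence of attack attempts would be.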
TCH-Thomas Posted February 14, 2005

I can't answer the other questions, but this one... I can see your forum and it says 2.0.11, so I guess you are safe.

TCH-Bruce Posted February 14, 2005

Hi Steve,

I can see your forum fine and it is updated. You didn't receive the email before you did because it was only sent last week. The security bulletin was posted on the forums in November. Some people upgraded when it was posted. phpBB boards came under attack through this vulnerability early last week. TCH made a decision to send the email and start disabling the non-secure phpBB forums to protect the servers if updates were not applied.

Don't know what the error messages mean. Are you still getting them?
Prel Posted February 18, 2005

Hi, in PHP-Nuke 7.6 the phpBB is 2.0.10. How do I upgrade? Thanks

MikeJ Posted February 18, 2005 (Author)

I'm not an expert on PHP-Nuke, but a quick search shows a BBtoNuke 2.0.11 download at nukeresources.com and some instructions on how to do the upgrade.

Prel Posted March 4, 2005

Hello Mike, I have succeeded in upgrading phpBB 2.0.10 to phpBB 2.0.11. Now all my sites in PHP-Nuke show "Powered by phpBB 2.0.11 © 2001 phpBB Group". It was easy. Thanks for your attention.

TCH-Bruce Posted March 4, 2005

Paulo, there have been two more patches released since this. The latest version is 2.0.13. Check here (2.0.12) and here (2.0.13) for more info.
erisande Posted April 3, 2005

Should we manually upgrade to this new version, or is TCH going to support the upgrade through the control panel?

TCH-Bruce Posted April 3, 2005

Yes, you will have to upgrade manually. TCH does not control when cPanel will add the latest patch.

erisande Posted April 3, 2005

Thanks for the quick response! I will look into it and see how to upgrade.

tomowa Posted April 3, 2005

Hi erisande, we had a bit of discussion about the upgrade to .13 here, if it is any help to you: http://www.totalchoicehosting.com/forums/i...81entry122781

HTH,
Tom