MikeJ

phpBB Vulnerability (versions older than 2.0.11)


A vulnerability was discovered recently in phpBB versions prior to 2.0.11.

 

Description

===========

 

phpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code.

 

Impact

======

 

An attacker can exploit the highlighting vulnerability to access the PHP exec() function without restriction, allowing them to run arbitrary commands with the rights of the web server user (for example the apache user). Furthermore, the username handling vulnerability might be abused to execute SQL statements on the phpBB database.

 

2.0.11 is now available in your cPanel and you should be able to upgrade to it via the cPanel upgrade option. If you use phpBB, you should upgrade to 2.0.11. If you have phpBB installed but are not using it, please consider uninstalling it.

 

Note: If you find that 2.0.11 is not available in your cPanel, please send in a support ticket.


My site resides on Server #86 and I don't have the option to upgrade to 2.0.11 yet; it still has the old 2.0.10 upgrade option only. :) I suppose I could just download the binary from phpbb.com and manually upgrade it, but I'm just so darn lazy...


Drop a ticket into support and ask that the box be upgraded, and if you like, reference this thread :)

 

Bill


Before you upgrade please backup your logo image if you changed it and your overall_header.tpl file if you modified it. And any other .tpl files you may have changed.

 

Then after upgrading put those files back to their proper locations. :)


I probably need to open a help ticket for this but thought I would ask here first.

 

When I go to the phpbb page in c-panel to upgrade, the box next to *upgrade an existing installation* is empty.

I tried adding the user and pass info and the directory name where phpbb is installed, then clicked on the upgrade button, and I get a page that says *Sorry, you must specify a directory to install or upgrade*.

I am using v.2.0.6 installed thru c-panel.

 

Suggestions?


Maybe a help ticket is worth the try to see if they know a way to get cpanel to see your current install.

 

One other option might be the changed files only, after a backup of mods of course.


It's no problem. Just thought about upgrading from c-panel.

 

I went to the phpbb site, downloaded the upgrade and replaced the changed files. I'll only have to re-install 2 or 3 Mods.

 

Thanks Don


I highly suggest using the "password protect a directory" function on the /forums/admin/ directory. Thus you add another layer of security in case someone's able to hack "admin rights" somehow. To admin the forums you need phpBB admin rights AND the user/pass that you setup in the Cpanel. You can never be too safe. I just did it now for all of my phpBB sites. No idea why I never thought to go ahead and do it to them in the past.

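An added audit script (not from TCH, phpBB or any poster in this thread) that checks the two things this thread turns on: whether a board's includes/constants.php still reports a version older than 2.0.11, and whether its admin/ directory carries the .htaccess that cPanel's "password protect a directory" function creates. It assumes phpBB 2.0.x stores the version as define('PHPBB_VERSION', '.0.11') (without the leading "2"); the sample board tree is constructed for the example.

```python
import re
import tempfile
from pathlib import Path
FIXED_VERSION = (2, 0, 11)  # closes the highlighting exec() and username bugs

# Assumption: phpBB 2.0.x writes define('PHPBB_VERSION', '.0.11'); to
# includes/constants.php, i.e. without the leading "2"; both forms are accepted.
_VERSION_RE = re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']*)'\s*\)")

def parse_phpbb_version(constants_php):
    """Return the version as a tuple of ints, or None if it cannot be found."""
    m = _VERSION_RE.search(constants_php)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith('.'):
        raw = '2' + raw
    return tuple(int(p) for p in raw.split('.'))

def is_vulnerable(version):
    """Unknown versions are treated as vulnerable (fail closed)."""
    return version is None or version < FIXED_VERSION

def admin_dir_protected(admin_dir):
    """True if admin/ carries an .htaccess that demands HTTP authentication."""
    htaccess = Path(admin_dir) / '.htaccess'
    text = htaccess.read_text() if htaccess.is_file() else ''
    return 'AuthType' in text and 'Require valid-user' in text

def audit(board_root):  # one board: version, vulnerable?, admin dir protected?
    root = Path(board_root)
    constants = root / 'includes' / 'constants.php'
    version = parse_phpbb_version(constants.read_text()) if constants.is_file() else None
    return {'version': version, 'vulnerable': is_vulnerable(version),
            'admin_protected': admin_dir_protected(root / 'admin')}

def make_sample_board(version='.0.10', protect_admin=False):
    """Constructed sample board tree in a temp dir (not a real install)."""
    root = Path(tempfile.mkdtemp())
    (root / 'includes').mkdir()
    (root / 'includes' / 'constants.php').write_text(
        "<?php\ndefine('PHPBB_VERSION', '%s');\n?>\n" % version)
    (root / 'admin').mkdir()
    if protect_admin:  # what cPanel's "password protect a directory" produces
        (root / 'admin' / '.htaccess').write_text(
            'AuthType Basic\nAuthName "phpBB admin"\nAuthUserFile '
            '/home/example/.htpasswd\nRequire valid-user\n')
    return root
```

Point audit() at the real board directory to check a live install; the sample board is only there so the script runs offline.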

I patched the remote execution vulnerability when I read about this problem (likely on C|Net) last year. However, I had not upgraded to phpBB 2.0.11 (it didn't seem to be available on my server, if I recall).

 

Last Friday (2/11), I got an E-mail telling me I was running an insecure version of phpBB. I just now (2/14 2:45 AM PST or so) upgraded to 2.0.11. However, I have three questions.

 

First, why did it take so long to get this E-mail? This thread was started back in November, so it took over two months to get warned.

 

Second, the message said if I didn't upgrade within 24 hours, my forum would be disabled. I didn't notice the E-mail until 24 hours were up (my laptop died Friday, so I was worrying about that). Did my forum get disabled? It seemed to be working just before I upgraded, so I'm wondering if that "24 hours" was just a minimum or if it was actually referring to one business day (which would be appropriate for a note sent on a Friday).

 

Finally, I seemed to be getting some errors regarding phpBB and MySQL. Here they are:

[Mon Feb 14 05:34:26 2005][error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:26 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:26 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:00 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:21:09 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 04:31:11 2005] [error] PHP Warning:  mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 04:31:05 2005] [error] PHP Warning:  mysql_connect(): Lost connection to MySQL server during query in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

Are those indications that my forum was disabled, was somebody trying to hack my forum, or is there some other explanation?

 

The forum is still working for me after the upgrade, but would somebody verify that other users can see it? It's at http://forum.svpocketpc.com if you'd care to check it.

 

Thanks,

Steve


I can't answer the other questions but this one...

I can see your forum and it says 2.0.11, so I guess you are safe. :(


Hi Steve, I can see your forum fine and it is updated.

 

You didn't receive the email before you did because it was only sent last week.

 

The security bulletin was posted on the forums in November. Some people upgraded when it was posted. phpBB boards came under attack through this vulnerability early last week. TCH made a decision to send the email and start disabling the non-secure phpBB forums to protect the servers if updates were not applied.

 

Don't know what the error messages mean. Are you still getting them?


Hi,

 

In PHPNuke 7.6 the phpBB is 2.0.10.

 

How do I upgrade? :clapping:

 

Thanks


Hello Mike,

 

 

I have succeeded in upgrading phpBB 2.0.10 to phpBB 2.0.11.

 

Now all my sites in PHPnuke are Powered by phpBB 2.0.11 © 2001 phpBB Group.

 

It was easy.. :thumbup1:

 

Thanks for your attention.


Yes you will have to upgrade manually. TCH does not control when cPanel will add the latest patch.

Yes you will have to upgrade manually.  TCH does not control when cPanel will add the latest patch.

Thanks for the quick response! I will look into it and see how to upgrade.
