SECURITY WARNING!

For questions, special requests, or any complaints concerning the Descent BB.

Moderators: Krom, Lothar, Richard Cranium, KoolBear

Post Reply
User avatar
Wolf on Air
DBB Admiral
DBB Admiral
Posts: 1872
Joined: Mon Dec 13, 1999 3:01 am
Location: Stockholm, Sweden
Contact:

SECURITY WARNING!

Post by Wolf on Air »

[Lothar is right - edited this out within minutes - I panicked, and forgot about the PM function]
User avatar
Lothar
DBB Ghost Admin
DBB Ghost Admin
Posts: 12133
Joined: Thu Nov 05, 1998 12:01 pm
Location: I'm so glad to be home
Contact:

Post by Lothar »

Maybe you should send this in a PM to Xciter, Sickone, and Topher rather than posting it in the open.
User avatar
DCrazy
DBB Alumni
DBB Alumni
Posts: 8826
Joined: Wed Mar 15, 2000 3:01 am
Location: Seattle

Post by DCrazy »

Edited -- Xciter/Koolbear/Topher, see WoA or me for description of problem
User avatar
Krom
DBB Database Master
DBB Database Master
Posts: 16138
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?
Contact:

Post by Krom »

If its a big one, fix it, but otherwise theres not much point, this isnt even the latest version of phpbb so it lacks a number of security fixes that exist in 2.0.8a. Its too much of a pain to upgrade a BB with hacks installed anyway, you have to manually apply the updates one file at a time, or reinstall all the hacks everytime you upgrade.
User avatar
Lothar
DBB Ghost Admin
DBB Ghost Admin
Posts: 12133
Joined: Thu Nov 05, 1998 12:01 pm
Location: I'm so glad to be home
Contact:

Post by Lothar »

Isn't that why we don't have hacks installed?
User avatar
SSX-Thunderbird
DBB Admiral
DBB Admiral
Posts: 1275
Joined: Sun Jun 03, 2001 2:01 am
Location: Washington (the state, not the city)

Post by SSX-Thunderbird »

We do have hacks installed, however. The spoiler tag is one, and I'm sure a few others are around.
User avatar
Krom
DBB Database Master
DBB Database Master
Posts: 16138
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?
Contact:

Post by Krom »

[spoiler]This is a phpBB hack[/spoiler]
User avatar
DCrazy
DBB Alumni
DBB Alumni
Posts: 8826
Joined: Wed Mar 15, 2000 3:01 am
Location: Seattle

Post by DCrazy »

Um... just so you know this security exploit -- which is present in 2.0.8 -- is not related to hacks in any way. It's a basic feature of phpBB and in order to be exploitable a generic PHP setting must be set a certain way.

Don't assume automatically that it has to do with the customizations in use on this BB. Technically, this entire layout is a "hack".
User avatar
SSX-Thunderbird
DBB Admiral
DBB Admiral
Posts: 1275
Joined: Sun Jun 03, 2001 2:01 am
Location: Washington (the state, not the city)

Post by SSX-Thunderbird »

The hacks we're referring to are things that changed the default phpBB files. This template is a separate entity, though it may have been derived from subSilver. phpBB updates don't affect templates at all, but they do affect hacks installed.
User avatar
DCrazy
DBB Alumni
DBB Alumni
Posts: 8826
Joined: Wed Mar 15, 2000 3:01 am
Location: Seattle

Post by DCrazy »

It doesn't matter. "Hacks" like the spoiler tag are completely secure. This vulnerability exists in core phpBB files.
User avatar
Krom
DBB Database Master
DBB Database Master
Posts: 16138
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?
Contact:

Post by Krom »

Heh, and where exactly do you think a hack is implimented?

The exploit is more a problem with incorrect PHP settings then the BB software.
User avatar
DCrazy
DBB Alumni
DBB Alumni
Posts: 8826
Joined: Wed Mar 15, 2000 3:01 am
Location: Seattle

Post by DCrazy »

I know damn well how the "hacks" are implemented. Core phpBB files = files as they come with phpBB.

The particular file affected by this exploit isn't modified by any of the customizations on this board, to the best of my knowledge. And the only reason that the code is susceptible to the vulnerability is because of an error on the part of the programmer who wrote the particular file. I'm assuming you know the details of the exploit, Krom.
MD-2389
Defender of the Night
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS
Contact:

Post by MD-2389 »

Lothar wrote:Isn't that why we don't have hacks installed?
You realize that the only hacks that are installed are simple text edits....right? All thats required is to copy and paste the added lines (which are separated from everything else by comments) into notepad and re-add them after the upgrade. Its as simple as that.
Post Reply