SECURITY WARNING!

Wolf on Air · Post by **Wolf on Air** » Sun Apr 11, 2004 5:20 pm

[Lothar is right - edited this out within minutes - I panicked, and forgot about the PM function]

Lothar · Post by **Lothar** » Sun Apr 11, 2004 5:26 pm

Maybe you should send this in a PM to Xciter, Sickone, and Topher rather than posting it in the open.

DCrazy · Post by **DCrazy** » Sun Apr 11, 2004 5:31 pm

Edited -- Xciter/Koolbear/Topher, see WoA or me for description of problem

Krom · Post by **Krom** » Sun Apr 11, 2004 6:06 pm

If its a big one, fix it, but otherwise theres not much point, this isnt even the latest version of phpbb so it lacks a number of security fixes that exist in 2.0.8a. Its too much of a pain to upgrade a BB with hacks installed anyway, you have to manually apply the updates one file at a time, or reinstall all the hacks everytime you upgrade.

Lothar · Post by **Lothar** » Sun Apr 11, 2004 6:07 pm

Isn't that why we don't have hacks installed?

SSX-Thunderbird · Post by **SSX-Thunderbird** » Sun Apr 11, 2004 6:10 pm

We do have hacks installed, however. The spoiler tag is one, and I'm sure a few others are around.

Krom · Post by **Krom** » Sun Apr 11, 2004 6:10 pm

[spoiler]This is a phpBB hack[/spoiler]

DCrazy · Post by **DCrazy** » Sun Apr 11, 2004 6:18 pm

Um... just so you know this security exploit -- which is present in 2.0.8 -- is not related to hacks in any way. It's a basic feature of phpBB and in order to be exploitable a generic PHP setting must be set a certain way.

Don't assume automatically that it has to do with the customizations in use on this BB. Technically, this entire layout is a "hack".

SSX-Thunderbird · Post by **SSX-Thunderbird** » Sun Apr 11, 2004 9:55 pm

The hacks we're referring to are things that changed the default phpBB files. This template is a separate entity, though it may have been derived from subSilver. phpBB updates don't affect templates at all, but they do affect hacks installed.

DCrazy · Post by **DCrazy** » Mon Apr 12, 2004 6:40 am

It doesn't matter. "Hacks" like the spoiler tag are completely secure. This vulnerability exists in core phpBB files.

Krom · Post by **Krom** » Mon Apr 12, 2004 9:26 am

Heh, and where exactly do you think a hack is implimented?

The exploit is more a problem with incorrect PHP settings then the BB software.

DCrazy · Post by **DCrazy** » Mon Apr 12, 2004 9:40 am

I know damn well how the "hacks" are implemented. Core phpBB files = files as they come with phpBB.

The particular file affected by this exploit isn't modified by any of the customizations on this board, to the best of my knowledge. And the only reason that the code is susceptible to the vulnerability is because of an error on the part of the programmer who wrote the particular file. I'm assuming you know the details of the exploit, Krom.

MD-2389 · Post by **MD-2389** » Tue Apr 13, 2004 12:43 am

Lothar wrote:Isn't that why we don't have hacks installed?

You realize that the only hacks that are installed are simple text edits....right? All thats required is to copy and paste the added lines (which are separated from everything else by comments) into notepad and re-add them after the upgrade. Its as simple as that.