[Security Fix] Possible SQL Injection

Postby Acyd Burn » Fri Mar 19, 2004 6:05 pm

We've been notified of a flaw in search.php. This can, under the right circumstances with certain server versions, be exploited to obtain password hashes. It is highly recommended that all existing users of phpBB 2.0.x make the changes specified below.

We have now updated all archives (for 2.0.7) as made available on the download page here. Therefore all new installations and upgrades will be immune.

We apologize for not having reacted earlier and for the bug in the redirection code introduced while fixing another security bug.

To fix this flaw, open search.php in any text editor and follow these instructions:

FIND:
Code:
$show_results = ( isset($HTTP_POST_VARS['show_results']) ) ? $HTTP_POST_VARS['show_results'] : 'posts';


AFTER, ADD:
Code:
$show_results = ($show_results == 'topics') ? 'topics' : 'posts';


FIND:
Code:
   $store_vars = array('search_results', 'total_match_count', 'split_search', 'sort_by', 'sort_dir', 'show_results', 'return_chars');


AFTER, ADD:
Code:
   $search_results = '';




To fix the redirect problems:


Open login.php:

FIND:
Code:
                  $url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";


REPLACE WITH:
Code:
   $url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";


FIND:
Code:
               $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : '';


REPLACE WITH:
Code:
               $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';


FIND:
Code:
         $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "";


REPLACE WITH:
Code:
         $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";


FIND:
Code:
         $url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);


AFTER, ADD:
Code:
         $url = str_replace('&amp;', '&', $url);


FIND:
Code:
      $url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";


REPLACE WITH:
Code:
      $url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";




For completeness, here is the small fix for the correct row colour display in private messaging:

Open privmsg.php:

FIND:
Code:
   message_die(GENERAL_ERROR, 'Could not query private messages', '', __LINE__, __FILE__, $sql);
}

if ( $row = $db->sql_fetchrow($result) )
{


AFTER, ADD:
Code:
   $i = 0;


FIND:
Code:
      $row_color = ( !($i % 2) ) ? $theme['td_color1'] : $theme['td_color2'];
      $row_class = ( !($i % 2) ) ? $theme['td_class1'] : $theme['td_class2'];


AFTER, ADD:
Code:
      $i++;



Save and if necessary upload the changed files to your webserver replacing your existing versions.
Last edited by Acyd Burn on Fri Mar 19, 2004 6:29 pm, edited 1 time in total.
Meik Sievertsen · phpBB Development Team Leader
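The search.php change in the announcement above, as an added example that is not phpBB's own code: a cut-down PHP model of the search.php flow the two edits protect. It assumes register_globals is on (simulated here with extract()), that $search_results is only overwritten when the stored search row for search_id is found, and simplified table and column names; the tampered input is a constructed, generic injection string, not an exploit for phpBB. Only $show_results, $search_results and $store_vars are names taken from the fix.

```php
<?php
// Added example, not phpBB's own code: a cut-down model of the search.php
// path that the two edits harden, with register_globals simulated by
// extract(). Table and column names are simplified (assumption).

const STORE_VARS = array('search_results', 'total_match_count', 'split_search',
                         'sort_by', 'sort_dir', 'show_results', 'return_chars');

/**
 * Returns the results query that would be run, or '' when none is built.
 *
 * @param array      $request request parameters (constructed input)
 * @param array|null $stored  unserialized search_array for a valid search_id,
 *                            or null when the lookup returned no row
 * @param bool       $patched apply the two changes from the announcement
 */
function build_search_sql(array $request, ?array $stored, bool $patched): string
{
    // register_globals = On: every request parameter becomes a local variable,
    // including names the script never expected to come from the client.
    extract($request, EXTR_SKIP);

    $show_results = (isset($request['show_results'])) ? $request['show_results'] : 'posts';
    if ($patched) {
        // Fix 1: anything other than 'topics' collapses to 'posts'
        $show_results = ($show_results == 'topics') ? 'topics' : 'posts';
    }

    $store_vars = STORE_VARS;
    if ($patched) {
        // Fix 2: reset before the stored search data is loaded, so a
        // client-supplied search_results cannot survive a failed lookup
        $search_results = '';
    }

    if ($stored !== null) {
        // Stored search found: the saved values replace whatever was set above
        foreach ($store_vars as $name) {
            $$name = isset($stored[$name]) ? $stored[$name] : '';
        }
    }

    if (!isset($search_results) || $search_results === '') {
        return '';
    }

    // The id list is interpolated verbatim into IN (...): whatever reached
    // $search_results is now part of the statement.
    if ($show_results == 'posts') {
        return "SELECT p.post_id FROM phpbb_posts p WHERE p.post_id IN ($search_results)";
    }
    return "SELECT t.topic_id FROM phpbb_topics t WHERE t.topic_id IN ($search_results)";
}

// Constructed inputs.
// Normal case: the search_id row exists and supplies the id list.
$stored = array('search_results' => '7,8,9', 'show_results' => 'posts');
echo build_search_sql(array('search_id' => '42'), $stored, false), "\n";

// search_id row not found, and the client also sent search_results and
// show_results in the query string (generic injection string, constructed).
$tampered = array(
    'search_id'      => '42',
    'search_results' => "0) UNION SELECT 1 -- ",
    'show_results'   => 'anything',
);
echo build_search_sql($tampered, null, false), "\n";
var_dump(build_search_sql($tampered, null, true));
```

With the unpatched flag, the tampered request produces a topics query whose IN (...) clause contains the client-supplied text, because extract() set $search_results and nothing reset it when the stored-search lookup returned no row. With the patched flag, $search_results is reset to '' before the lookup, the function returns '' and no query is built; the show_results whitelist likewise turns 'anything' into 'posts'. Run it with php from the command line; no database is needed, since the function only builds the statement string.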

Postby SHS` » Fri Mar 19, 2004 7:54 pm

We urge everyone who has upgraded to the older phpBB 2.0.7 to update as soon as possible to phpBB 2.0.7a.

For those that are still running versions of phpBB older than 2.0.6, please do yourselves a favour and upgrade to the current version ASAP as there have been many bug fixes as detailed in the CHANGELOG.
Jonathan “SHS`” Stanley • 史德信