The viewtopic vulnerability, again released to bugtraq without us first being notified ... sigh, is of the cross-site scripting type. While relatively minor it can allow information to be obtained without the users direct knowledge. Thus we recommend all admins upgrade their board as soon as possible. The relevant fix is noted below. The login issue is similar in nature and has been addressed to counter potential future problems.
A number of people have encountered problems running phpBB (and other applications) on servers using Zend Optimizer 2.5 (note the number!). While this is not directly a phpBB issue a keen user, jetset, has discovered a number of code additions which should reduce or remove this problem. These fixes are included in the new packages. Because they involve a number of files they are not noted in this topic. Zend do seem to be aware of problems with the optimiser and are planning an updated release in the near future.
Vulnerability fix:
Open viewtopic.php in your favourite text editor. Find the following section of code:
Code: Select all
//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
{
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? $HTTP_POST_VARS['postorder'] : $HTTP_GET_VARS['postorder'];
$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
$post_order = 'asc';
$post_time_order = 'ASC';
}
Code: Select all
//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
{
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? htmlspecialchars($HTTP_POST_VARS['postorder']) : htmlspecialchars($HTTP_GET_VARS['postorder']);
$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
$post_order = 'asc';
$post_time_order = 'ASC';
}