security issue

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
timbercrawler
Registered User
Posts: 99
Joined: Mon Jul 21, 2003 1:25 am
Location: Seattle

Post by timbercrawler »

Someone posted this at my forums today:

http://timbercrawler.com/bb/phpBB2/viewtopic.php?t=2246

Is this the same issue as this?

http://www.phpbb.com/phpBB/viewtopic.php?t=135116

If not, does anyone know if a fix is available or in the works for this? I know I can delete this post through phpMyAdmin with no trouble, as there is no script to stop it, but what the heck? I can't delete or edit this post from the boards as admin (says invalid_sessionid), and if I click reply it logs me out. I tried to contact the poster but he split the scene in a hurry. Thanks for any help, this just pisses me off.
DiamondBack
Registered User
Posts: 766
Joined: Mon Jan 26, 2004 8:33 pm

Post by DiamondBack »

It is the same issue and if you read, there is an unofficial third party fix in there.

Use it at your own risk.
ALWAYS REMEMBER TO BACKUP ANY FILE YOU ARE GOING TO EDIT ! ! !

I recommend isphost.org for free phpbb installations
timbercrawler
Registered User
Posts: 99
Joined: Mon Jul 21, 2003 1:25 am
Location: Seattle

Post by timbercrawler »

Well IF it is the same issue - doesn't that mean if I install the 2.0.7 patch files it will be taken care of? I won't install 3rd party stuff until I have time to go over it line by line. Will 2.0.7 fix this? Thanks.
DiamondBack
Registered User
Posts: 766
Joined: Mon Jan 26, 2004 8:33 pm

Post by DiamondBack »

It has not been addressed yet by phpBB. So no, 207 is not a fix.
darlin001
Registered User
Posts: 174
Joined: Sat May 24, 2003 9:45 am

Post by darlin001 »

Well, I thought that this exploit was not so serious, according to phpBB Devs. Turns out that the Devs could be wrong, or in denial? These exploits do work, even on 2.07a.
Looking for Superior hosting service? Then check out the host that I've been using for the past 3 years.
Lunarpages
darlin001
timbercrawler
Registered User
Posts: 99
Joined: Mon Jul 21, 2003 1:25 am
Location: Seattle

Post by timbercrawler »

Exactly. If someone chimes in that they are working on it I'd feel better :D I am way too busy to look into it myself, I have a web firm to run. It looks like this is session variable related and I know I have tackled this in a shopping cart script. If it is the same idea it is a PITA to resolve.
darlin001
Registered User
Posts: 174
Joined: Sat May 24, 2003 9:45 am

Post by darlin001 »

is this the same issue as this?

http://www.phpbb.com/phpBB/viewtopic.php?t=135116


No, this affects all newer versions too. That post is 6 months old.
They failed to mention that you can also delete any post on a forum as well.