Question regarding phpBB 2.0.13 - Critical Update

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
sanjo
Registered User
Posts: 67
Joined: Fri Oct 29, 2004 4:39 am

Post by sanjo »

hi there,

Is it possible that the phpBB 2.0.13 'security hole' doesn't work on every system? I've tried it on PHP5, PHP4 and PHP4 (register_globals = on) using the following script...maybe it's a PHP3 issue only? You guys should have said that in the announcement and not make everyone panic ;)

Code:

<?php
$sessiondata['autologinid'] = "hello"; //array
$auto_login_key = "hello"; //no array
$auto_login_key2['test'] = "hello"; //array

//compare array vs. no array
var_dump($sessiondata == $auto_login_key); // bool(false)
var_dump($sessiondata === $auto_login_key); // bool(false)

echo "<br />";

//compare array vs. no array (explicit array name)
var_dump($sessiondata['autologinid'] == $auto_login_key); // bool(true)
var_dump($sessiondata['autologinid'] === $auto_login_key); // bool(true)

echo "<br />";

//compare string vs. array
var_dump($sessiondata['autologinid'] == $auto_login_key2); // bool(false)
var_dump($sessiondata['autologinid'] === $auto_login_key2); // bool(false)

echo "<br />";

//compare array vs. array (both explicit array names)
var_dump($sessiondata['autologinid'] == $auto_login_key2['test']); // bool(true)
var_dump($sessiondata['autologinid'] === $auto_login_key2['test']); // bool(true)

echo "<br />";
echo "<br />";

$sessiondata3['autologinid'] = "hello"; //array
$auto_login_key3['whatever'] = "hello2"; //array
$auto_login_key4 = "hello2"; //no array

//compare array vs. array (different values)
var_dump($sessiondata3 == $auto_login_key3); // bool(false)
var_dump($sessiondata3 === $auto_login_key3); // bool(false)

echo "<br />";

//compare array vs. array (different values)
var_dump($sessiondata3['autologinid'] == $auto_login_key3); // bool(false)
var_dump($sessiondata3['autologinid'] === $auto_login_key3); // bool(false)

echo "<br />";

//compare array vs. array (different values) explicit array names
var_dump($sessiondata3['autologinid'] == $auto_login_key3['whatever']); // bool(false)
var_dump($sessiondata3['autologinid'] === $auto_login_key3['whatever']); // bool(false)

echo "<br />";

//compare array vs. no array (different values)
var_dump($sessiondata3 == $auto_login_key4); // bool(false)
var_dump($sessiondata3 === $auto_login_key4); // bool(false)

echo "<br />";

//compare array vs. no array (different values) explicit array name
var_dump($sessiondata3['autologinid'] == $auto_login_key4); // bool(false)
var_dump($sessiondata3['autologinid'] === $auto_login_key4); // bool(false)

?>
there's no difference...I always get the same output for each pair...the reason why I'm asking is because I've never used === so far and I wonder if I should change my code when comparing an array to another array...

thanks

Edit: === was introduced in PHP4...I thought phpBB 2.x was PHP3 compatible?
Last edited by sanjo on Mon Feb 28, 2005 2:05 am, edited 2 times in total.
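
Added example (not part of sanjo's post and not phpBB code): the script above compares strings with strings and arrays with strings or arrays, and in all of those cases == and === give the same result. The two operators diverge when the operand types differ, which this PHP script shows; `operators_disagree()`, `$stored` and all sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread or from phpBB.
// $stored and every entry in $cases are constructed sample values.

// Return the labels of the inputs that == accepts but === rejects.
function operators_disagree($cases, $stored)
{
    $disagree = array();
    foreach ($cases as $label => $supplied) {
        $loose  = ($supplied == $stored);   // compares after type juggling
        $strict = ($supplied === $stored);  // requires same type and same value
        printf("%-18s ==: %-5s  ===: %s\n", $label,
            var_export($loose, true), var_export($strict, true));
        if ($loose !== $strict) {
            $disagree[] = $label;
        }
    }
    return $disagree;
}

$stored = "hello"; // constructed stand-in for a stored key

// Inputs of the same type as in the script above, followed by other types.
$cases = array(
    'same string'      => "hello",
    'different string' => "hello2",
    'array'            => array('test' => "hello"),
    'boolean true'     => true,
    'null'             => null,
);

$mismatch = operators_disagree($cases, $stored);
echo "== and === disagree for: " . implode(', ', $mismatch) . "\n";
```

Where the type of a value is not guaranteed, for example because it was decoded from client-supplied data, only === gives a comparison that cannot succeed through type conversion.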
SnowManrcd
Registered User
Posts: 155
Joined: Tue Oct 21, 2003 6:05 pm

Post by SnowManrcd »

just out of curiosity what does === mean?

I know = and == but what is ===
-SnowMan
TheKog
Registered User
Posts: 75
Joined: Thu Nov 18, 2004 7:58 pm

Post by TheKog »

No kidding I can't find anything anywhere on the '===' operator.

I'd love to know what this is for.
The_Master
Registered User
Posts: 118
Joined: Fri Dec 28, 2001 2:21 am
Location: Germany

Post by The_Master »

TheKog wrote: No kidding I can't find anything anywhere on the '===' operator.

I'd love to know what this is for.


RTFM: http://www.php.net/manual/en/language.o ... arison.php
SnowManrcd
Registered User
Posts: 155
Joined: Tue Oct 21, 2003 6:05 pm

Post by SnowManrcd »

ahh, ok now I see
-SnowMan
TheKog
Registered User
Posts: 75
Joined: Thu Nov 18, 2004 7:58 pm

Post by TheKog »

Thank you master, I googled the manual and musta missed it. :oops:
sanjo
Registered User
Posts: 67
Joined: Fri Oct 29, 2004 4:39 am

Post by sanjo »

it says that === has been introduced in PHP4...I thought phpBB 2x was supposed to run under PHP3 ?
The_Master
Registered User
Posts: 118
Joined: Fri Dec 28, 2001 2:21 am
Location: Germany

Post by The_Master »

sanjo wrote: it says that === has been introduced in PHP4...I thought phpBB 2x was supposed to run under PHP3 ?


What do you want? A secure board or support for an ancient PHP version?
I'm for the secure board. ;)
sanjo
Registered User
Posts: 67
Joined: Fri Oct 29, 2004 4:39 am

Post by sanjo »

The_Master wrote:
sanjo wrote: it says that === has been introduced in PHP4...I thought phpBB 2x was supposed to run under PHP3 ?


What do you want? A secure board or support for an ancient PHP version?
I'm for the secure board. ;)

LOL read one of my other posts where I suggested to make PHP 4.3.0 as a minimum requirement for phpBB 3x...

Anyway, I'm unable to see any issue with that under PHP4...and since the === doesn't work under PHP3 I wonder what all this fuss is about...
RudderStick
Registered User
Posts: 42
Joined: Thu Dec 30, 2004 8:44 pm

Post by RudderStick »

I've been running 2.x under PHP 4.3 for some time now - had absolutely no problems with it.... am I missing something crucial here?
David Palmer
Registered User
Posts: 319
Joined: Tue Nov 23, 2004 5:25 pm

Post by David Palmer »

RS,

I don't think you're missing anything. If you're running phpBB 2.0.13 you're good to go, and it runs fine under PHP 4.3.x (4.3.10 is the latest).

David
The more details you can provide about your problem, the better people can help you!
phpBB Rules :: Support Request Template
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Question regarding phpBB 2.0.13 - Critical Update

Post by Techie-Micheal »

sanjo wrote: hi there,

Is it possible that the phpBB 2.0.13 'security hole' doesn't work on every system? I've tried it on PHP5, PHP4 and PHP4 (register_globals = on) using the following script...maybe it's a PHP3 issue only? You guys should have said that in the announcement and not make everyone panic ;)
There is reason to be concerned (panic leads to problems, whereas concern leads to fixes). This works. I was able to take control of a couple of boards (I had permission for one of them, and the other two were mine anyway) with this. I won't release the details for hopefully obvious reasons, but make no mistake, it does work. Additionally, as per the changelog in the package, the minimum requirement is now 4.0.3.
Proven Offensive Security Expertise. OSCP - GXPN
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Whether or not the REGEXP hole reveals anything depends upon your server setup. It doesn't work on my servers, but my servers don't display PHP errors, in general... they just log them. I tried their sample code and got nothing but a page display.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer