2.0.16 hacked via worm PLEASE READ

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
arod-1
Registered User
Posts: 1327
Joined: Mon Sep 20, 2004 1:33 pm

Post by arod-1 » Wed Jul 20, 2005 5:35 pm

Graham wrote: I would like to remind people here that if they believe they have found an exploit in phpBB code (or a potential one), they should post it - with all the details - to the Security tracker and not on the forum
graham, i can understand the resistance to posts that include details about exploits.
but could you please explain why a link to such an explanation elsewhere is frowned upon? if a security issue/exploit/script was posted and discussed elsewhere, it's not like a link to such a page would increase the exposure. otoh, we may learn something, and maybe even implement precautions.
of course, anyone who knows of a problem should post it on the security tracker, i agree, but why fight links to things which are already published elsewhere?
thanks.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Wed Jul 20, 2005 5:41 pm

arod-1 wrote:
Graham wrote: I would like to remind people here that if they believe they have found an exploit in phpBB code (or a potential one), they should post it - with all the details - to the Security tracker and not on the forum
graham, i can understand the resistance to posts that include details about exploits.
but could you please explain why a link to such an explanation elsewhere is frowned upon? if a security issue/exploit/script was posted and discussed elsewhere, it's not like a link to such a page would increase the exposure. otoh, we may learn something, and maybe even implement precautions.
of course, anyone who knows of a problem should post it on the security tracker, i agree, but why fight links to things which are already published elsewhere?
thanks.
One less link here means we are not the purveyor of bad things™. You have no idea of the accusations and threats we get, we certainly don't need any more. Besides, if we don't allow the link here, that's less possible exposure, and less likelihood that something will happen, and we won't be responsible for allowing it to happen.
Proven Offensive Security Expertise. OSCP - GXPN

linuxoverwindows
Registered User
Posts: 82
Joined: Sun Feb 01, 2004 2:50 am
Location: Las Cruces, NM.

i haven't noticed...

Post by linuxoverwindows » Wed Jul 20, 2005 6:32 pm

well, anyone running a server should be running as an unprivileged user with rare permissions (or basically ones it needs to function) so arbitrary code shouldn't be an issue.

but...

what i'm curious about is, where is the highlighting? i haven't noticed anything being highlit when i use my boards. maybe i'm reading highlight in a weird way and it has to do with something i'm not thinking of. someone mentioned some people desperately need the highlighting... what would it be needed for? if i comment out the line mentioned above is it perfectly fine? i'll go try it out, but i haven't noticed any pwnage using phpBB only once using openwebmail. (i know 'cause i found an email address and i asked him).

anyway, keep up the good work. maybe when i get better with php i can look for issues and help to build a stronger system with ya.
-rw-r--r-- 1 root root 69 Mar 12 00:00 core
http://www.yougetalife.com
mushroom mushroom
