Secunia phpBB advisories. Should I worry?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
atnbueno
Registered User
Posts: 39
Joined: Sun Aug 03, 2003 5:26 pm
Location: Spain
Contact:

Secunia phpBB advisories. Should I worry?

Post by atnbueno » Sun Oct 30, 2005 8:54 am

Hello, all.

A few days ago I found this:
phpBB Avatar Script Insertion Vulnerability
http://secunia.com/advisories/17295/

As I use only uploaded avatars in my forum, should I worry about this? I've even tried to test the proof of concept but I haven't been able to make it "work" consistently, so I don't know how to avoid the problem (I'm not even sure of how much a problem it is).


Regards,
Antonio B.
mundoplus.tv - Televisión por Satélite en España

User avatar
lurttinen
Translator
Posts: 4670
Joined: Tue Sep 21, 2004 12:05 pm
Location: Tampere, Finland
Name: Martti Lokka
Contact:

Post by lurttinen » Sun Oct 30, 2005 9:13 am

Yes, 2.0.18 is coming to rescue.
Signature is here

Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK
Contact:

Post by Graham » Sun Oct 30, 2005 12:48 pm

There's no particular reason to worry about it - the report is rather an exaggeration of what is possible - this is only an issue if you are able to convince an IE user to directly visit an uploaded image, it is not possible to include it in a post for example.

There will be a fix in the next release to tighten up on the checking we do on images even more.

If you are particularly concerned, you can disable avatar uploads (they are off by default anyway), but the risk is fairly minor from this (and is potentially applicable to any software that allows image uploads not just phpBB)
"So Long, and Thanks for All the Fish"

phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!

atnbueno
Registered User
Posts: 39
Joined: Sun Aug 03, 2003 5:26 pm
Location: Spain
Contact:

Post by atnbueno » Sun Oct 30, 2005 9:11 pm

Hi again.

Thanks for your answers. That was what I wasn't able to make work: the injection when the image was called from a page. I thought it was me doing something wrong :P

About the avatars, I only allow uploaded ones, so instead of disabling them (the already uploaded wouldn't show) I just chmodded to 755 the directory.

Updating to 2.0.18...


Regards,
Antonio B.
mundoplus.tv - Televisión por Satélite en España

Locked

Return to “2.0.x Support Forum”