Exploit Vulnerability Found in 2.0.18: you MUST disable HTML!

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Keith W
Registered User
Posts: 1025
Joined: Mon Dec 13, 2004 6:14 pm

Post by Keith W »

justbrowsing wrote: my monitor colors are messed up. phpbb shows up with funny colors. support team - please fix this!!! it is a flaw in your program not to accommodate my monitor...


Now that is a really intelligent comment, not!

Getting back to the topic in hand...

The guy does have a point though, many of the vulnerabilities are of a similar nature so why not work on a PHPBB that has been tried and tested every which way to try and stop such vulnerabilities.

It seems that all that happens is that a flaw is discovered and you plug it and nothing else and so the scenario goes on and on.

Don't get me wrong I love PHPBB and appreciate the work you guys put into it but I still feel more could be done to make PHPBB more secure.

Take care, Keith
mtx
Registered User
Posts: 494
Joined: Fri Dec 17, 2004 5:42 pm

Post by mtx »

1: There are more holes in IE because more people are looking for them. No one is out there trying to hack Firefox because there are not enough people using it. When there are, there will be just as many holes.

2: http://www.eweek.com/article2/0,1895,1894708,00.asp

3: If you search there are as many holes in other OS but no one talks about it as much.
jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Post by jwunderly »

Keith W wrote: The guy does have a point though, many of the vulnerabilities are of a similar nature so why not work on a PHPBB that has been tried and tested every which way to try and stop such vulnerabilities.


If it is a problem in one browser and not another, then the flaw is not in phpBB.

Keith W wrote: Don't get me wrong I love PHPBB and appreciate the work you guys put into it but I still feel more could be done to make PHPBB more secure.


You're welcome to write as many "security" mods as you can to alleviate the "problems" for the IE users.
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!
SmartSquid399
Registered User
Posts: 98
Joined: Fri Jul 08, 2005 6:13 pm

Post by SmartSquid399 »

Hey, clubchill, just because Amazon doesn't get hacked by Internet Explorer every day doesn't mean it's not possible. For all we know, there could be a vulnerability in IE that would allow someone to hack big sites like Paypal. But that's not the point.

phpBB is a totally different system. With Amazon, there is really nothing that needs validation besides a credit card number...now tell me how an invalid credit card number can hack a server. :P However, to make phpBB completely safe, you would need to run checks on every single link and every single image. Try writing a code to do that and still load pages as fast as phpBB currently does...good luck, you'll need it. ;)

So you might ask, "why don't IPB and vB have this issue?" My answer is simple: they don't work the same as phpBB. Does IPB have the option to allow HTML? No! (...well technically they do, but they have a different way of doing it...)

See, the better a website/forum/whatever gets, the more security problems arise. phpBB (in my opinion) is at the top of the list, and because it's such a good forum, with lots of good features, people try to abuse that. Big forums/websites have so many things to check for, that it's impossible to cover every single threat.


That ends my speech. :D

-- SmartSquid399
Notepad2 || FireFox

I'm here to help with: PHP, phpBB (obviously), Server Set-up, HTML, CSS, and JavaScript.
DashSpeed
Registered User
Posts: 13
Joined: Tue Jul 06, 2004 2:11 am
Location: Montreal, Canada

Post by DashSpeed »

I guess anyone that uses Internet Explorer AND a word-based password deserves to get his account stolen :lol:
DTG: Online 8-bit old school MMORPG! entirely based on phpbb 8)
Marshalrusty
Project Manager
Posts: 29285
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Post by Marshalrusty »

Another one of these topics? Oh god.
Coding is the same as writing a book. You write it, you have 1000 people read it and fix the mistakes they find. 10 years later there is a site with a list of the mistakes you missed. Not everything can be thought of. Hackers only need to find a single problem with the code and exploit it. No code is perfect.

I've said it before, and I'll say it again: you should all be happy that the teams take care of holes as quickly as they do!
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
Dzien Dobry
Registered User
Posts: 614
Joined: Thu Nov 08, 2001 3:55 pm

Re: Exploit Vulnerability Found in 2.0.18: you MUST disable H

Post by Dzien Dobry »

clubchill wrote: The exploit can be defended if phpBB's "Allow HTML" and register_globals settings are both disabled

Thanks for the tip. How do I disable the register_globals settings?
Lumpy Burgertushie
Registered User
Posts: 67997
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

don't pay any attention to this. if you are updated to the current version, then this exploit has been taken care of and you don't need to worry about it.

robertr
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.3 Styles by PlanetStyles.net

If nobody is in the forest, does a tree really fall?
Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Post by Wo1f »

clubchill wrote: Do you suppose these companies like banks, and investment firms that run web-apps for their clients will allow a bad .jpg or a bad .txt or a bad .mp3 or .swf to be served to the browser and compromise their data.

If it wasn't so, I'd agree with you. But the evidence of secure web application development on the internet is too vast for your argument to hold true..

Lol.. and need I mention some other BulletinBoard systems that use PHP and mySQL too, but don't have these vulnerability issues?

haha.. you don't want me to go there do you..


Seriously? A major component of your argument is based on this premise? I don't need any further arguments to feel confident that I'm not the one on shaky grounds.

Regards,
Wolf
AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

Lumpy Burgertushie wrote: don't pay any attention to this. if you are updated to the current version, then this exploit has been taken care of and you don't need to worry about it.

robertr


HTML is inherently insecure, and should never be enabled.

AnthraX101
glyphon
Registered User
Posts: 9
Joined: Tue Nov 15, 2005 3:44 am

Post by glyphon »

SmartSquid399 wrote: So you might ask, "why don't IPB and vB have this issue?"


point of note, vB forums do get hacked. no forum application out there is 100% secure.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Support & Arguments

Post by Pony99CA »

IndieDesigns wrote:
clubchill wrote:lol.. I guess I won this debate, huh?

No counterpoints? hehehe

Want a counterpoint? this is a Support Forum so why not either post something you need support for (like the logout sid issue) or go help someone. All you're doing is taking time away from people who need support by trying to get all the regulars here on defense. This thread would belong more in phpbb discussion, not support. :roll:

Maybe he can't ask for support -- the Web site he links to either doesn't use phpBB or uses it and doesn't display the phpBB copyright. :roll:

As for "winning", just because people assume someone is a troll doesn't mean they've won anything. :twisted:

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Amazon

Post by Pony99CA »

SmartSquid399 wrote: Hey, clubchill, just because Amazon doesn't get hacked by Internet Explorer every day doesn't mean it's not possible. For all we know, there could be a vulnerability in IE that would allow someone to hack big sites like Paypal. But that's not the point.

Now that Amazon allows submission of user-created images, there might be more of a chance. Does Amazon validate them before putting them on the Web? If so and they use Windows, doesn't that make the Amazon validator vulnerable to the WMF bug?

PayPal and banking sites don't allow users to link to other sites or post images, so clubchill's arguments are irrelevant there. phpBB is a forum allowing users to collaborate. The Web was founded with collaboration and linking in mind. Sure, you can make phpBB a text-only board (like Amazon reviews), but that would be like Usenet newsgroups with user validation, wouldn't it? How many people would want that?

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Marshalrusty
Project Manager
Posts: 29285
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Post by Marshalrusty »

AnthraX101 wrote: HTML is inherently insecure, and should never be enabled.

I must agree with this. Any HTML function that you may need to use on a forum can be done with BBcode, or a BBcode MOD. Enabling HTML will always hold a certain risk.

As for the Paypal and Amazon comments, don't forget that the source code is not available. So finding a hole is a bit harder.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
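
An added example (not from this thread and not phpBB's own parser) of the approach described in the two posts above: HTML stays disabled, every character the user typed is escaped, and a small BBCode allow-list is the only source of markup. The function name `render_post` and the sample posts are constructed for illustration.

```php
<?php
// Added illustration; render_post() is a hypothetical name, not a phpBB function.

function render_post(string $raw): string
{
    // 1. Escape everything first, quotes included, so nothing the user typed
    //    can open a tag or break out of an attribute value.
    $out = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // 2. Paired tags with no user-controlled attributes: the server writes
    //    the HTML, the user only supplies the (already escaped) inner text.
    foreach (['b' => 'strong', 'i' => 'em', 'u' => 'u'] as $bb => $html) {
        $out = preg_replace(
            '#\[' . $bb . '\](.*?)\[/' . $bb . '\]#is',
            "<$html>\$1</$html>",
            $out
        );
    }

    // 3. [url=...]: the one attribute value that comes from the user. It must
    //    be a plain http(s) URL, otherwise the tag is left as visible text.
    $out = preg_replace_callback(
        '#\[url=(.+?)\](.+?)\[/url\]#is',
        function (array $m): string {
            if (!preg_match('#^https?://[^\s"\'<>]+\z#i', $m[1])) {
                return $m[0];
            }
            return '<a href="' . $m[1] . '" rel="nofollow noopener">'
                 . $m[2] . '</a>';
        },
        $out
    );

    return nl2br($out);
}

// Constructed sample posts: allowed BBCode, raw HTML, and a non-http URL scheme.
$samples = [
    '[b]hello[/b] <script>alert(1)</script>',
    '[url=javascript:alert(1)]click[/url]',
    '[url=https://www.phpbb.com/]phpBB[/url] & <i>raw tag</i>',
];
foreach ($samples as $s) {
    echo render_post($s), PHP_EOL;
}
```

Only the `[b]` and the `https` link come out as markup; the raw tags and the `javascript:` link are shown to readers as literal text.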
phonereviews
Registered User
Posts: 99
Joined: Sat Oct 22, 2005 4:51 pm

Post by phonereviews »

Is it ok to use the BBCode mod to enable html only for admins???
HTML BBCode Mod