New packages available - Security related

psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX » Thu Jan 01, 2004 12:13 am

We have been alerted to two potential vulnerabilities in the existing 2.0.6 package. One is cross-site scripting related, while another may allow specific users (group moderators) to exploit an improper data validation issue. While it is doubtful these have been actively exploited (particularly the group moderator issue), both are serious enough to warrant you updating as soon as possible.

New packages are now available from the download page. For those not wishing (or able due to sheer numbers of mods, etc.) to update via these packages please ensure you make the changes listed below.

Open privmsg.php in your favourite editor. Find the following code fragment:

Code:

if ( isset($HTTP_POST_VARS['folder']) || isset($HTTP_GET_VARS['folder']) )
{
	$folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];

	if ( $folder != 'inbox' && $folder != 'outbox' && $folder != 'sentbox' && $folder != 'savebox' )
	{
		$folder = 'inbox';
	}
}
else
{
	$folder = 'inbox';
}
Replace with:

Code:

if ( isset($HTTP_POST_VARS['folder']) || isset($HTTP_GET_VARS['folder']) )
{
	$folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
	$folder = htmlspecialchars($folder);

	if ( $folder != 'inbox' && $folder != 'outbox' && $folder != 'sentbox' && $folder != 'savebox' )
	{
		$folder = 'inbox';
	}
}
else
{
	$folder = 'inbox';
}
Find:

Code:

if ( !empty($HTTP_POST_VARS['mode']) || !empty($HTTP_GET_VARS['mode']) )
{
	$mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
}
else
{
	$mode = '';
}
Replace with:

Code:

if ( !empty($HTTP_POST_VARS['mode']) || !empty($HTTP_GET_VARS['mode']) )
{
	$mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
	$mode = htmlspecialchars($mode);
}
else
{
	$mode = '';
}
Save the changes.

Open groupcp.php and find the following:

Code:

if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
{
	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
}
else
{
	$mode = '';
}
Replace with:

Code:

if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
{
	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
	$mode = htmlspecialchars($mode);
}
else
{
	$mode = '';
}
Find:

Code:

				if ( ( ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) && isset($HTTP_POST_VARS['pending_members']) ) || ( isset($HTTP_POST_VARS['remove']) && isset($HTTP_POST_VARS['members']) ) )
				{

					$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS['pending_members'] : $HTTP_POST_VARS['members'];

					$sql_in = '';
					for($i = 0; $i < count($members); $i++)
					{
						$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
					}
Replace with:

Code:

				if ( ( ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) && isset($HTTP_POST_VARS['pending_members']) ) || ( isset($HTTP_POST_VARS['remove']) && isset($HTTP_POST_VARS['members']) ) )
				{

					$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS['pending_members'] : $HTTP_POST_VARS['members'];

					$sql_in = '';
					for($i = 0; $i < count($members); $i++)
					{
						$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);
					}
Save the changes and upload both files, replacing the existing versions.

Please note that we continue to receive reports of the search_id issue. This is known and has been fixed in 2.0.6 for many, many weeks. Unless you downloaded the package/s for a short period after it was first made available, you are not vulnerable. If you are unsure, please review the following topic [ http://www.phpbb.com/phpBB/viewtopic.php?t=153818 ]

Remember to always check this forum (and the downloads page) when you come across a "new" vulnerability or other issue. Please ensure you update accordingly. In doing so you are protecting yourself from all known issues and saving us time in fielding questions we've already answered :)
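The following is an added worked example, not code from the phpBB 2.0.6 package or from the post above. It reproduces the two patterns the patch changes in isolation so the effect of each one-line fix can be seen: the groupcp.php IN-list built from the posted members array (before and after intval()), and the privmsg.php/groupcp.php mode value (before and after htmlspecialchars()). The query fragment, the user IDs and the submitted values are all constructed for the example; the real queries in groupcp.php are not reproduced here.

```php
<?php
// Added example (not part of phpBB or of the announcement above).

// groupcp.php before the fix: each element of the submitted array is
// concatenated into the SQL string exactly as received.
function build_sql_in_unsafe(array $members)
{
    $sql_in = '';
    for ($i = 0; $i < count($members); $i++) {
        $sql_in .= (($sql_in != '') ? ', ' : '') . $members[$i];
    }
    return $sql_in;
}

// groupcp.php after the fix: intval() reduces every element to an integer,
// so nothing but digits (and an optional sign) can reach the query text.
function build_sql_in_safe(array $members)
{
    $sql_in = '';
    for ($i = 0; $i < count($members); $i++) {
        $sql_in .= (($sql_in != '') ? ', ' : '') . intval($members[$i]);
    }
    return $sql_in;
}

// privmsg.php / groupcp.php after the fix: the request value is HTML-encoded
// before it is later written back into the page.
function encode_mode($raw_mode)
{
    return htmlspecialchars($raw_mode);
}

// Constructed attacker input: a group moderator posts a members[] element
// that closes the IN-list early and appends its own condition. The IDs are
// made up; "WHERE user_id IN (...)" stands in for whatever query consumes
// $sql_in in groupcp.php.
$posted_members = array('42', '7) OR 1=1 -- ');

echo "before fix: ... WHERE user_id IN (" . build_sql_in_unsafe($posted_members) . ")\n";
// -> ... WHERE user_id IN (42, 7) OR 1=1 -- )
echo "after fix:  ... WHERE user_id IN (" . build_sql_in_safe($posted_members) . ")\n";
// -> ... WHERE user_id IN (42, 7)

// Constructed reflected-XSS input for the mode parameter.
$posted_mode = '"><script>alert(document.cookie)</script>';

echo "before fix: " . $posted_mode . "\n";
echo "after fix:  " . encode_mode($posted_mode) . "\n";
// -> &quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
```

Two practitioner notes on the design. intval() is the right tool for a list that must contain only user IDs, and it is why the injected "OR 1=1" is reduced to the number 7; for anything that is not an integer, a parameterised query rather than string building is the general answer. htmlspecialchars() with the default flags of the PHP 4 era encodes &, <, > and the double quote but leaves the single quote alone, so it protects text nodes and double-quoted attributes but is not sufficient on its own for a value placed inside a single-quoted attribute. The folder variable is additionally constrained by the existing whitelist check, which is the stronger of the two controls for that parameter.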


Return to “Announcements”