phpBB 2.0.13 released - Critical Update

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Anti-Spam Guide

phpBB 2.0.13 released - Critical Update

Postby dhn » Sun Feb 27, 2005 10:45 pm

Hi everyone,

phpBB Group announces the release of phpBB 2.0.13, the "Beware of the furries" edition. This release addresses two recent security exploits, one of them critical. They were reported a few days after .12 was released and no one is more annoyed than us, having to release a new version in such a short period of time.
Fortunately both fixes are easy and in each case just one line needs to be edited.

The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible:

Open includes/sessions.php

Find:
Code: Select all
if( $sessiondata['autologinid'] == $auto_login_key )

Replace with:
Code: Select all
if( $sessiondata['autologinid'] === $auto_login_key )



A second minor issue reported to bugtraq several days ago was the path disclosure bug in viewtopic.php which got fixed by applying the following steps:

Open viewtopic.php

Find:
Code: Select all
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Replace with:
Code: Select all
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));


As with all new releases we urge you to upgrade as soon as possible. You can of course find this download available on our downloads page. As per usual three packages are available to simplify your upgrade.
User avatar
dhn
Former Team Member
 
Posts: 4999
Joined: Wed Jul 04, 2001 8:10 am
Location: Internet
Name: Dominik Dröscher

Return to Announcements

Who is online

Users browsing this forum: netdeamon123 and 15 guests