Do we all need to disable our boards if our hosts don't have PHP 4.3.10 ??
Possibly, yes. Please note that the particular vulnerability being exploited in this attack is, technically, a PHP issue - an interaction between two functions that do not work quite as the PHPBB developers envisioned them. The code that fails makes sense... it just doesn't work.
However, the unserialize() issue should not be the problem that it is, except that PHPBB is applying it to data not under program control, i.e., you don't know where it's been. And, in my opinion, that's bad design. All of the variables being serialized into the cookie being unserialized should be stored in session variables on the server, and never given into the control of an external person. The cookie should just be the key to reference it.
Any time you put data into the hands of a user, you must assume that someone is going to mangle it in ways you can't imagine. One of the projects I was brought in on embedded SQL statements directly into the web page, and executed what it got back without so much as a mysql_escape_string() call, because they wanted to "remember" the string from request to request. It now keeps all that SQL in a session variable, and the user's input to the form can manipulate what data gets put in, but none of the control. I.e., their POST says "Sort=Reverse", and we add in "desc" on the SQL, but if they try adding any SQL to the string, it's ignored.
Granted, this isn't quite as bad as EZBoard's use of a GET variable as the URL for including code in a script without checking it...
We'll be updating our boards to 2.0.11, but there is some serious patching work that needs to be done to avoid the NEXT vulnerability.
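The two designs contrasted in the post above, as an added PHP sketch that is not part of the original post and is not phpBB code: state unserialized from a cookie versus state kept in the server-side session, plus the "Sort=Reverse" mapping. The function names, the `prefs` cookie/session key, the `theme` field and the `posted_at` column are assumptions made for illustration.

```php
<?php
// Added illustration; every name below is hypothetical.

// Pattern criticized above: application state travels in the cookie
// and is unserialized when it comes back.
function load_prefs_from_cookie(array $cookies): array
{
    // The client controls every byte here, including the *types* of the values.
    $data = @unserialize($cookies['prefs'] ?? '');
    return is_array($data) ? $data : [];
}

// Pattern suggested above: state lives in the server-side session;
// the only cookie is the session ID, which is just a lookup key.
function load_prefs_from_session(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['prefs'] ?? [];
}

// "Sort=Reverse": user input selects one of a fixed set of SQL fragments
// and is never concatenated into the statement itself.
function order_clause(array $post): string
{
    $directions = ['Forward' => 'ASC', 'Reverse' => 'DESC'];
    $choice = $post['Sort'] ?? 'Forward';
    if (!is_string($choice)) {          // e.g. Sort[]=x arrives as an array
        $choice = 'Forward';
    }
    return 'ORDER BY posted_at ' . ($directions[$choice] ?? 'ASC');
}

// Constructed sample inputs.
// The code expects 'theme' to be a string; the cookie decides it is a boolean.
var_dump(load_prefs_from_cookie(['prefs' => 'a:1:{s:5:"theme";b:1;}']));

// A recognized value picks its fragment; anything else falls back to the default.
echo order_clause(['Sort' => 'Reverse']), PHP_EOL;
echo order_clause(['Sort' => 'Reverse, (SELECT 1)']), PHP_EOL;
echo order_clause(['Sort' => ['x']]), PHP_EOL;
```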