New release - security, Zend addressed

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Scam Warning
Post Reply
User avatar
psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

New release - security, Zend addressed

Post by psoTFX » Mon Mar 01, 2004 6:56 pm

A new release of phpBB 2.0.6 is now available for download, phpBB 2.0.6d. This addresses a vulnerability in viewtopic, a potential issue with login and may address current issues with Zend Optimizer 2.5.

The viewtopic vulnerability, again released to bugtraq without us first being notified ... sigh, is of the cross-site scripting type. While relatively minor it can allow information to be obtained without the users direct knowledge. Thus we recommend all admins upgrade their board as soon as possible. The relevant fix is noted below. The login issue is similar in nature and has been addressed to counter potential future problems.

A number of people have encountered problems running phpBB (and other applications) on servers using Zend Optimizer 2.5 (note the number!). While this is not directly a phpBB issue a keen user, jetset, has discovered a number of code additions which should reduce or remove this problem. These fixes are included in the new packages. Because they involve a number of files they are not noted in this topic. Zend do seem to be aware of problems with the optimiser and are planning an updated release in the near future.

Vulnerability fix:

Open viewtopic.php in your favourite text editor. Find the following section of code:

Code: Select all

//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
{
	$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? $HTTP_POST_VARS['postorder'] : $HTTP_GET_VARS['postorder'];
	$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
	$post_order = 'asc';
	$post_time_order = 'ASC';
}
Replace this with:

Code: Select all

//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
{
	$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? htmlspecialchars($HTTP_POST_VARS['postorder']) : htmlspecialchars($HTTP_GET_VARS['postorder']);
	$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
	$post_order = 'asc';
	$post_time_order = 'ASC';
}
Double check your changes!, save the file and upload it over your old viewtopic.php. Please remember we know this change works! If you encounter any errors it is almost certainly something you've done. So recheck your code and ensure it looks as above, do not change any other lines.

Post Reply

Return to “Announcements”