phpBB Group announces the release of phpBB 2.0.13, the "Beware of the furries" edition. This release addresses two recent security exploits, one of them critical. They were reported a few days after .12 was released and no one is more annoyed than us, having to release a new version in such a short period of time.
Fortunately both fixes are easy and in each case just one line needs to be edited.
The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible:
Open includes/sessions.php
Find:
Code: Select all
if( $sessiondata['autologinid'] == $auto_login_key )
Code: Select all
if( $sessiondata['autologinid'] === $auto_login_key )
A second minor issue reported to bugtraq several days ago was the path disclosure bug in viewtopic.php which got fixed by applying the following steps:
Open viewtopic.php
Find:
Code: Select all
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
Code: Select all
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));