Not affiliated with or endorsed by the phpBB Group


Continue the legacy...

Welcome to all phpBB2 Refugees!

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

The Final phpBB 2 Security Vulnerability
~Cowboy~
Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Mon Mar 23, 2009 12:21 am
Post subject: Re: The Final phpBB 2 Security Error

Perhaps what we should do is make a list of mods that it is affecting and find solutions to the errors it creates and list the fixes as we go?

Perhaps in the first post in this thread so people don't have to read a hundred pages to find what they are looking for. What do you think?

About the ModCP, does that include any tpl files?

Or just the modcp.php?

_________________
We are not refugees we are trail blazers.
Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Mon Mar 23, 2009 1:39 am
Post subject: Re: The Final phpBB 2 Security Error

~Cowboy~ wrote:
Perhaps what we should do is make a list of mods that it is affecting and find solutions to the errors it creates and list the fixes as we go?

Perhaps in the first post in this thread so people don't have to read a hundred pages to find what they are looking for. What do you think?

Someone should probably make a new phpBB 2.0.24 topic. This one is mostly too big, I think, but it is still a good place for discussion as we are all testing it out.

Quote:

About the ModCP does that include any tpl files?

Or just the modcp.php?

Probably not the template files. modcp.php is more likely, since use of the SID changed in phpBB 2.0.24.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL Mac 512K Blog Mac GUI
~Cowboy~
Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Mon Mar 23, 2009 1:42 am
Post subject: Re: The Final phpBB 2 Security Error

OK, then I should be safe with Subforums Plus then, do you think? It does some modding of these files:

templates/subSilver/modcp_body.tpl
templates/subSilver/modcp_split.tpl

Also, once it's installed, will it be difficult to install mods that deal with the modcp.php, or is the effect of this only on the install of the security patch?

In other words, if I install this mod first, will it be less likely to foul up a mod install?

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Mon Mar 23, 2009 1:45 am
Post subject: Re: The Final phpBB 2 Security Error

~Cowboy~ wrote:
OK, then I should be safe with Subforums Plus then, do you think? It does some modding of these files:

templates/subSilver/modcp_body.tpl
templates/subSilver/modcp_split.tpl

That's probably to update the navigation bar, I'd imagine. Shouldn't be a problem.

~Cowboy~
Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Mon Mar 23, 2009 1:51 am
Post subject: Re: The Final phpBB 2 Security Error

How about the other part of my question?
Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Mon Mar 23, 2009 1:43 pm
Post subject: Re: The Final phpBB 2 Security Error

~Cowboy~ wrote:

Also, once it's installed, will it be difficult to install mods that deal with the modcp.php, or is the effect of this only on the install of the security patch?

In other words, if I install this mod first, will it be less likely to foul up a mod install?

That's a bit hard to say. Not all MODs which affect modcp.php will be affected. For example, there's a MOD to show the topic starter in the ModCP. That wouldn't be affected. But any MOD which POSTs data or GETs data to/from the modcp.php has a good chance of being affected.

In any case, the fix to any of the potential issues is easy: just implement the private session ID.

khofech
Board Member
Joined: 27 Feb 2009
Posts: 44
Posted: Mon Mar 23, 2009 5:04 pm
Post subject: Re: The Final phpBB 2 Security Error

If I'm right, the issue is that a lamer can get the admin session ID if he/she locks a topic containing an image hosted wherever that lamer had access!? I already tried that stuff on my own server. Right, the admin SID is written to the Apache log, but not only when he locks a topic! The SID is logged in many other cases by the Apache server! Did anybody try this stuff?!
Quote:
OK, are all you guys OK with a patch for that? If so, can anybody post it as a mod or a step-by-step explanation using the attach mod here in the topic? Thanks.
Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Mon Mar 23, 2009 5:42 pm
Post subject: Re: The Final phpBB 2 Security Error

khofech wrote:
If I'm right, the issue is that a lamer can get the admin session ID if he/she locks a topic containing an image hosted wherever that lamer had access!? I already tried that stuff on my own server. Right, the admin SID is written to the Apache log, but not only when he locks a topic! The SID is logged in many other cases by the Apache server!

Yes, it's more than just locking a topic, hence why the solution for the problem is so comprehensive. Another location is admin_users.php, if the user has linked his avatar from his own server.

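The leak discussed in the posts above, as an added example that is not part of the thread or of the 2.0.24 code changes: a Python check that takes a page URL and its HTML and lists the off-site image hosts that would receive that URL, `sid` included, in the Referer header. The function name, sample URL and sample HTML are constructed for illustration, and the check assumes the browser sends the full page URL as Referer.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def sid_leak_targets(page_url, html):
    """Return off-site hosts that would see the page's sid via Referer.

    Assumption: the browser sends the full URL (query string included)
    as Referer on image requests, with no Referrer-Policy limiting it.
    """
    page = urlsplit(page_url)
    if "sid" not in parse_qs(page.query):
        return []  # no session ID in the URL, nothing to leak
    collector = _ImgCollector()
    collector.feed(html)
    hosts = []
    for src in collector.sources:
        host = urlsplit(src).hostname
        # Relative URLs have no hostname: they stay on the board itself.
        if host and host != page.hostname and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed sample: a ModCP URL carrying the sid, and a page body with
# one local image, one posted image and one remotely linked avatar.
SAMPLE_URL = ("http://board.example/modcp.php?t=12&mode=lock"
              "&sid=0123456789abcdef0123456789abcdef")
SAMPLE_HTML = (
    '<img src="templates/subSilver/images/logo.gif">'
    '<img src="http://images.example.net/pic.png">'
    '<img src="//avatars.example.org/a.gif" />'
    '<img src="http://board.example/local.gif">'
)

if __name__ == "__main__":
    print(sid_leak_targets(SAMPLE_URL, SAMPLE_HTML))
```

Run against saved copies of moderator and admin pages, it shows which ones combine a `sid` in the URL with remotely hosted images.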
khofech
Board Member
Joined: 27 Feb 2009
Posts: 44
Posted: Tue Mar 24, 2009 2:48 am
Post subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
khofech wrote:
If I'm right, the issue is that a lamer can get the admin session ID if he/she locks a topic containing an image hosted wherever that lamer had access!? I already tried that stuff on my own server. Right, the admin SID is written to the Apache log, but not only when he locks a topic! The SID is logged in many other cases by the Apache server!

Yes, it's more than just locking a topic, hence why the solution for the problem is so comprehensive. Another location is admin_users.php, if the user has linked his avatar from his own server.

OK, and the solution? Is there any real solution for that? You know, this is a very serious issue; it can ruin all our refugeesation.
~Cowboy~
Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Tue Mar 24, 2009 4:13 am
Post subject: Re: The Final phpBB 2 Security Error

The solution is the security patch. But what we are trying to figure out is the impact it is making on our mods when we install the patch, and how to code around the patch so that all our mods will continue to function.

I believe the patch fixes the issue but causes some issues with certain mods.

khofech
Board Member
Joined: 27 Feb 2009
Posts: 44
Posted: Tue Mar 24, 2009 9:42 am
Post subject: Re: The Final phpBB 2 Security Error

~Cowboy~ wrote:
The solution is the security patch. But what we are trying to figure out is the impact it is making on our mods when we install the patch, and how to code around the patch so that all our mods will continue to function.

I believe the patch fixes the issue but causes some issues with certain mods.

Oh! And any way out, at which step are we now regarding the solution of the issue caused by the solution of the first issue?
~Cowboy~
Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Tue Mar 24, 2009 12:02 pm
Post subject: Re: The Final phpBB 2 Security Error

Yes.
Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Tue Mar 24, 2009 3:43 pm
Post subject: Re: The Final phpBB 2 Security Error

khofech wrote:
OK, and the solution? Is there any real solution for that? You know, this is a very serious issue; it can ruin all our refugeesation.
The solution is to update to phpBB 2.0.24 by using these changes: http://dserver.macgui.com/phpBB-2.0.24-codechanges.zip

Ornette
Board Member
Joined: 16 Mar 2009
Posts: 37
Posted: Tue Mar 24, 2009 3:49 pm
Post subject: Re: The Final phpBB 2 Security Error

If 2.0.24 will be released as an actual formed phpBB2 distribution,

can I suggest adding a

if (phpversion() == "5.2.7") die;

somewhere!!!

(as per http://www.phpbb2refugees.com/viewtopic.php?t=81 )
Page 9 of 14 All times are GMT