phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group

Register •  Login 

Continue the legacy...

Welcome to all phpBB2 Refugees!Wave Smilie

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

The Final phpBB 2 Security Vulnerability
1 members found this topic helpful
Goto page Previous  1, 2, 3 ... , 12, 13, 14  Next
 
Search this topic... | Search phpBB2 Discussion... | Search Box
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Author Message
JLA
Board Member



Joined: 30 Apr 2009

Posts: 451
Location: U.S.A


flag
PostPosted: Thu Jan 05, 2012 7:08 pm 
Post subject: Re: The Final phpBB 2 Security Error

Found something today and haven't went back into your code to see if it was something we missed when making the changes or something missing for the update.

Found when splitting a post FROM a topic, was getting an invalid session error

Found this in mod cp

Code:

else
      {
         //
         // Set template files
         //
         $template->set_filenames(array(
            'split_body' => 'modcp_split.tpl')
         );

         $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
            FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
            WHERE p.topic_id = $topic_id
               AND p.poster_id = u.user_id
               AND p.post_id = pt.post_id
            ORDER BY p.post_time ASC";
         if ( !($result = $db->sql_query($sql)) )
         {
            message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
         }

          $s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
         



Shouldn't it be this???

Code:

else
      {
         //
         // Set template files
         //
         $template->set_filenames(array(
            'split_body' => 'modcp_split.tpl')
         );

         $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
            FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
            WHERE p.topic_id = $topic_id
               AND p.poster_id = u.user_id
               AND p.post_id = pt.post_id
            ORDER BY p.post_time ASC";
         if ( !($result = $db->sql_query($sql)) )
         {
            message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
         }

          //$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
         


$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';



_________________
http://www.jlaforums.com
Back to top
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 729
Location: Texas


flag
PostPosted: Tue Jan 10, 2012 1:57 pm 
Post subject: Re: The Final phpBB 2 Security Error

This is to add the additional form check, right? Seems correct to me.

I've not gone back and reread this entire topic though.

_________________
phpBBDoctor Blog
Back to top
JLA
Board Member



Joined: 30 Apr 2009

Posts: 451
Location: U.S.A


flag
PostPosted: Tue Jan 10, 2012 2:42 pm 
Post subject: Re: The Final phpBB 2 Security Error

drathbun wrote:
This is to add the additional form check, right? Seems correct to me.

I've not gone back and reread this entire topic though.


Yes, I believe so. Changes were made in many of the checks to account for the psid but I think it might have been missed on this one part.


Again, not sure if we missed it in the update (haven't went back and read all the changes) or it was missed in the update itself.

DogCow probably will be able to comment either way.

_________________
http://www.jlaforums.com
Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Tue Jan 10, 2012 4:48 pm 
Post subject: Re: The Final phpBB 2 Security Error

Yeah, that should be right.
_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield ILMac 512K BlogMac GUI
Back to top
JLA
Board Member



Joined: 30 Apr 2009

Posts: 451
Location: U.S.A


flag
PostPosted: Tue Jan 10, 2012 9:09 pm 
Post subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
Yeah, that should be right.


Was this missing from your update code or did we miss it?

_________________
http://www.jlaforums.com
Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Wed Jan 18, 2012 8:04 pm 
Post subject: Re: The Final phpBB 2 Security Error

JLA wrote:
Dog Cow wrote:
Yeah, that should be right.


Was this missing from your update code or did we miss it?

It wasn't included in the code update.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield ILMac 512K BlogMac GUI
Back to top
dondino
Board Member



Joined: 09 Dec 2008

Posts: 144


flag
PostPosted: Thu Jan 19, 2012 6:09 am 
Post subject: Re: The Final phpBB 2 Security Error

so we should all update our boards with that code-change in modcp?
Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Thu Jan 19, 2012 6:18 pm 
Post subject: Re: The Final phpBB 2 Security Error

dondino wrote:
so we should all update our boards with that code-change in modcp?

That's the decision for the administrator of the forum.

I've never heard of anyone actively exploiting the vulnerability, though it is listed in the U.S. Government's Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7143

Vulnerability Summary for CVE-2008-7143 wrote:

Overview
phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows remote attackers to hijack the session via a post in the thread containing a URL to a remotely hosted image, which might include the session ID in the Referer header.


I think that at this point, knowledge of the vulnerability is obscure. But then again, I don't hang around in circles which would know.


Do you trust your users?

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield ILMac 512K BlogMac GUI
Back to top
dondino
Board Member



Joined: 09 Dec 2008

Posts: 144


flag
PostPosted: Sun Jan 22, 2012 1:39 pm 
Post subject: Re: The Final phpBB 2 Security Vulnerability

I do trust them...
but doing that code-change is like 2 minutes time, and at least a new prevention for the future.

Now that we talk about it here, someone who notice this might have the bad idea to test the exploit... you never know icon_smile.gif
there are still many 2.0.23/24 around...
Back to top
JLA
Board Member



Joined: 30 Apr 2009

Posts: 451
Location: U.S.A


flag
PostPosted: Wed Feb 01, 2012 3:59 pm 
Post subject: Re: The Final phpBB 2 Security Vulnerability

Any improvement in the code - especially that which enhances security should always been made - no exceptions!
_________________
http://www.jlaforums.com
Back to top
dondino
Board Member



Joined: 09 Dec 2008

Posts: 144


flag
PostPosted: Tue Feb 07, 2012 4:32 am 
Post subject: Re: The Final phpBB 2 Security Vulnerability

Hello everyone...
Dog Cow, I have noticed a problem in my board with
2.0.23 ---> 2.0.24 codechanges
about the file sessions.php

I have tried to explain it HERE

Can you or someone else try to explain me what could be the problem and how come my board doesn't like the codechange in that file? Thanks!
Back to top
josiec09
Board Member



Joined: 24 Jun 2012

Posts: 2



PostPosted: Sun Jun 24, 2012 3:33 am 
Post subject: Re: phpBB-2.0.24-codechanges.zip

Dog Cow wrote:
Last night I made my own diff, converted to MOD template, installed, and tested. It is also easyMOD compatible.

I'm sure you all will only be too happy to point out if I've made any errors. icon_mrgreen.gif

phpBB-2.0.24-codechanges.zip


Here is a mirror to the file. Just in case it gets deleted or something.
http://josephosiecki.co.cc/phpBB-2.0.24-codechanges.zip


Also does any one know of a fix for after you sign and as an admin then click Go to Administration Panel you re-login it should redirect you to the admin area but its not just redirects back to the forums
Back to top
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 628
Location: Spain


flag
PostPosted: Sun Jun 24, 2012 5:25 am 
Post subject: Re: The Final phpBB 2 Security Vulnerability

The standard behaviour of phpBB2 is that after you logged in as an Admin and click Go to Administration Panel you need to enter your username and password again, in a login form.

Is that what happens on your board?

_________________
phpBB2 will never die, I hope!
Back to top
josiec09
Board Member



Joined: 24 Jun 2012

Posts: 2



PostPosted: Mon Jun 25, 2012 11:25 pm 
Post subject: Re: The Final phpBB 2 Security Vulnerability

dogs and things wrote:
The standard behaviour of phpBB2 is that after you logged in as an Admin and click Go to Administration Panel you need to enter your username and password again, in a login form.

Is that what happens on your board?


Yes but after i re-enter my username and password instead of bring me to the admin area i just get brought back to the forums. Then I have to click the Go to Administration Panel a 3rd time to go to the admin area.
Back to top
lumpy burgertushie
Board Member



Joined: 18 Nov 2008

Posts: 266


flag
PostPosted: Mon Jun 25, 2012 11:34 pm 
Post subject: Re: The Final phpBB 2 Security Vulnerability

josiec09 wrote:
dogs and things wrote:
The standard behaviour of phpBB2 is that after you logged in as an Admin and click Go to Administration Panel you need to enter your username and password again, in a login form.

Is that what happens on your board?


Yes but after i re-enter my username and password instead of bring me to the admin area i just get brought back to the forums. Then I have to click the Go to Administration Panel a 3rd time to go to the admin area.


what are your cookie settings?

robert
Back to top
Display posts from previous:   
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Page 13 of 14 All times are GMT - 4 Hours
Goto page Previous  1, 2, 3 ... , 12, 13, 14  Next
 
Jump to:  

Index • About • FAQ • Rules • Privacy • Search •  Register •  Login 
Not affiliated with or endorsed by the phpBB Group
Powered by phpBB2 © phpBB Group
Generated in 0.0655 seconds using 16 queries. (SQL 0.0211 Parse 0.0011 Other 0.0433)
phpBB Customizations by the phpBBDoctor.com
Template Design by DeLFlo and MomentsOfLight.com Moments of Light Logo