Author |
Message |
JLA Board Member
Joined: 30 Apr 2009
Posts: 451 Location: U.S.A
|
Posted: Thu Jan 05, 2012 7:08 pm Post subject: Re: The Final phpBB 2 Security Error |
|
|
Found something today and haven't gone back into your code to see if it was something we missed when making the changes or something missing for the update.
Found when splitting a post FROM a topic, was getting an invalid session error
Found this in mod cp
Code: |
else
{
    //
    // Set template files
    //
    $template->set_filenames(array(
        'split_body' => 'modcp_split.tpl')
    );
    $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
        FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
        WHERE p.topic_id = $topic_id
            AND p.poster_id = u.user_id
            AND p.post_id = pt.post_id
        ORDER BY p.post_time ASC";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
    }
    $s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
|
Shouldn't it be this???
Code: |
else
{
    //
    // Set template files
    //
    $template->set_filenames(array(
        'split_body' => 'modcp_split.tpl')
    );
    $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
        FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
        WHERE p.topic_id = $topic_id
            AND p.poster_id = u.user_id
            AND p.post_id = pt.post_id
        ORDER BY p.post_time ASC";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
    }
    //$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
    $s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
|
_________________ http://www.jlaforums.com |
|
drathbun Board Member
Joined: 24 Jul 2008
Posts: 729 Location: Texas
|
Posted: Tue Jan 10, 2012 1:57 pm Post subject: Re: The Final phpBB 2 Security Error |
|
|
This is to add the additional form check, right? Seems correct to me.
I've not gone back and reread this entire topic though. _________________ phpBBDoctor Blog |
|
JLA Board Member
Joined: 30 Apr 2009
Posts: 451 Location: U.S.A
|
Posted: Tue Jan 10, 2012 2:42 pm Post subject: Re: The Final phpBB 2 Security Error |
|
|
drathbun wrote: | This is to add the additional form check, right? Seems correct to me.
I've not gone back and reread this entire topic though. |
Yes, I believe so. Changes were made in many of the checks to account for the psid but I think it might have been missed on this one part.
Again, not sure if we missed it in the update (haven't gone back and read all the changes) or it was missed in the update itself.
DogCow probably will be able to comment either way. _________________ http://www.jlaforums.com |
|
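An audit for the gap discussed above, added here as an example (it is not part of the posted code changes or of phpBB): it scans PHP source for hidden-field strings that emit `sid` without `p_sid`, skipping commented-out lines such as the old assignment kept in the fix. The function name `forms_missing_p_sid` and the sample strings are assumptions made for illustration, and it assumes each `=` / `.=` assignment sits on one line.

```python
import re

# Field names as they appear in the posts above: "sid" carries the session ID,
# "p_sid" is the extra hidden field the code change adds beside it.
SID, P_SID = 'name="sid"', 'name="p_sid"'
ASSIGN = re.compile(r'^\s*(\$\w+)\s*(\.?=)(?!=)(.*)$')

def forms_missing_p_sid(php_source):
    """Return [(first_line, variable)] for every string that is built up with
    '=' / '.=' and ends up emitting the sid field without the p_sid field."""
    building = {}   # variable -> (line where it was started, text so far)
    findings = []

    def flush(var):
        start, text = building.pop(var)
        if SID in text and P_SID not in text:
            findings.append((start, var))

    for number, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(('//', '#', '*', '/*')):
            continue            # commented-out code, e.g. the old line kept in the fix
        match = ASSIGN.match(line)
        if not match:
            continue
        var, op, rest = match.groups()
        if op == '=' and var in building:
            flush(var)          # a plain '=' starts a new string; judge the old one
        start, text = building.get(var, (number, ''))
        building[var] = (start, text + rest)
    for var in list(building):
        flush(var)
    return sorted(findings)

# Constructed samples, abridged from the modcp.php lines quoted in the thread.
BEFORE = """\
$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
$s_hidden_fields .= '<input type="hidden" name="mode" value="split" />';
"""
AFTER = """\
//$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
$s_hidden_fields .= '<input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" />';
"""

if __name__ == '__main__':
    print(forms_missing_p_sid(BEFORE))
    print(forms_missing_p_sid(AFTER))
```

Run over each file that builds a moderator or admin form, an empty result means every string that carries `sid` also carries `p_sid`.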
Dog Cow Board Member
Joined: 18 Nov 2008
Posts: 378
|
|
JLA Board Member
Joined: 30 Apr 2009
Posts: 451 Location: U.S.A
|
Posted: Tue Jan 10, 2012 9:09 pm Post subject: Re: The Final phpBB 2 Security Error |
|
|
Dog Cow wrote: | Yeah, that should be right. |
Was this missing from your update code or did we miss it? _________________ http://www.jlaforums.com |
|
Dog Cow Board Member
Joined: 18 Nov 2008
Posts: 378
|
|
dondino Board Member
Joined: 09 Dec 2008
Posts: 144
|
Posted: Thu Jan 19, 2012 6:09 am Post subject: Re: The Final phpBB 2 Security Error |
|
|
So we should all update our boards with that code-change in modcp? |
|
Dog Cow Board Member
Joined: 18 Nov 2008
Posts: 378
|
Posted: Thu Jan 19, 2012 6:18 pm Post subject: Re: The Final phpBB 2 Security Error |
|
|
dondino wrote: | So we should all update our boards with that code-change in modcp? |
That's the decision for the administrator of the forum.
I've never heard of anyone actively exploiting the vulnerability, though it is listed in the U.S. Government's Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7143
Vulnerability Summary for CVE-2008-7143 wrote: |
Overview
phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows remote attackers to hijack the session via a post in the thread containing a URL to a remotely hosted image, which might include the session ID in the Referer header.
|
I think that at this point, knowledge of the vulnerability is obscure. But then again, I don't hang around in circles which would know.
Do you trust your users? _________________ Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI |
|
dondino Board Member
Joined: 09 Dec 2008
Posts: 144
|
Posted: Sun Jan 22, 2012 1:39 pm Post subject: Re: The Final phpBB 2 Security Vulnerability |
|
|
I do trust them...
But doing that code-change is like 2 minutes' time, and at least a new prevention for the future.
Now that we talk about it here, someone who notices this might have the bad idea to test the exploit... you never know.
There are still many 2.0.23/24 around... |
|
JLA Board Member
Joined: 30 Apr 2009
Posts: 451 Location: U.S.A
|
Posted: Wed Feb 01, 2012 3:59 pm Post subject: Re: The Final phpBB 2 Security Vulnerability |
|
|
Any improvement in the code - especially that which enhances security - should always be made - no exceptions! _________________ http://www.jlaforums.com |
|
dondino Board Member
Joined: 09 Dec 2008
Posts: 144
|
Posted: Tue Feb 07, 2012 4:32 am Post subject: Re: The Final phpBB 2 Security Vulnerability |
|
|
Hello everyone...
Dog Cow, I have noticed a problem in my board with
2.0.23 ---> 2.0.24 codechanges
about the file sessions.php
I have tried to explain it HERE
Can you or someone else try to explain to me what could be the problem and how come my board doesn't like the codechange in that file? Thanks! |
|
josiec09 Board Member
Joined: 24 Jun 2012
Posts: 2
|
Posted: Sun Jun 24, 2012 3:33 am Post subject: Re: phpBB-2.0.24-codechanges.zip |
|
|
Dog Cow wrote: | Last night I made my own diff, converted to MOD template, installed, and tested. It is also easyMOD compatible.
I'm sure you all will only be too happy to point out if I've made any errors.
phpBB-2.0.24-codechanges.zip |
Here is a mirror to the file. Just in case it gets deleted or something.
http://josephosiecki.co.cc/phpBB-2.0.24-codechanges.zip
Also, does anyone know of a fix for this: after you sign in as an admin, then click Go to Administration Panel and re-login, it should redirect you to the admin area, but it doesn't; it just redirects back to the forums. |
|
dogs and things Board Member
Joined: 18 Nov 2008
Posts: 628 Location: Spain
|
Posted: Sun Jun 24, 2012 5:25 am Post subject: Re: The Final phpBB 2 Security Vulnerability |
|
|
The standard behaviour of phpBB2 is that after you logged in as an Admin and click Go to Administration Panel you need to enter your username and password again, in a login form.
Is that what happens on your board? _________________ phpBB2 will never die, I hope! |
|
josiec09 Board Member
Joined: 24 Jun 2012
Posts: 2
|
Posted: Mon Jun 25, 2012 11:25 pm Post subject: Re: The Final phpBB 2 Security Vulnerability |
|
|
dogs and things wrote: | The standard behaviour of phpBB2 is that after you logged in as an Admin and click Go to Administration Panel you need to enter your username and password again, in a login form.
Is that what happens on your board? |
Yes, but after I re-enter my username and password, instead of bringing me to the admin area I just get brought back to the forums. Then I have to click the Go to Administration Panel a 3rd time to go to the admin area. |
|
lumpy burgertushie Board Member
Joined: 18 Nov 2008
Posts: 266
|
Posted: Mon Jun 25, 2012 11:34 pm Post subject: Re: The Final phpBB 2 Security Vulnerability |
|
|
josiec09 wrote: | dogs and things wrote: | The standard behaviour of phpBB2 is that after you logged in as an Admin and click Go to Administration Panel you need to enter your username and password again, in a login form.
Is that what happens on your board? |
Yes, but after I re-enter my username and password, instead of bringing me to the admin area I just get brought back to the forums. Then I have to click the Go to Administration Panel a 3rd time to go to the admin area. |
What are your cookie settings?
robert |
|