2 potential vulnerabilities in phpBB 2.0.6

Administrator Anmeldungsdatum: 02.08.2002 Beiträge: 4735 Wohnort: Aachen

As announced on www.phpbb.com

We have been alerted to two potential vulnerabilities in the existing 2.0.6 package. One is cross-site scripting related while another may allow specific users (group moderators) to exploit an inproper data validation issue. While it is doubtful these have been actively exploited (particularly the group moderator issue) both are serious enough to warrant you updating as soon as possible.

Our download packages here are already updated. To fix these issues manually follow these simple steps:

open privmsg.php and find:

Code:

if ( isset($HTTP_POST_VARS['folder']) || isset($HTTP_GET_VARS['folder']) )
{
$folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];

if ( $folder != 'inbox' && $folder != 'outbox' && $folder != 'sentbox' && $folder != 'savebox' )
{
$folder = 'inbox';
}
}
else
{
$folder = 'inbox';
}

replace with:

Code:

if ( isset($HTTP_POST_VARS['folder']) || isset($HTTP_GET_VARS['folder']) )
{
$folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
$folder = htmlspecialchars($folder);

if ( $folder != 'inbox' && $folder != 'outbox' && $folder != 'sentbox' && $folder != 'savebox' )
{
$folder = 'inbox';
}
}
else
{
$folder = 'inbox';
}

find:

Code:

if ( !empty($HTTP_POST_VARS['mode']) || !empty($HTTP_GET_VARS['mode']) )
{
$mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
}
else
{
$mode = '';
}

replace with:

Code:

if ( !empty($HTTP_POST_VARS['mode']) || !empty($HTTP_GET_VARS['mode']) )
{
$mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
$mode = htmlspecialchars($mode);
}
else
{
$mode = '';
}

Save the changes

Open groupcp.php and find:

Code:

if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
}
else
{
$mode = '';
}

replace with:

Code:

if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
$mode = htmlspecialchars($mode);
}
else
{
$mode = '';
}

find:

Code:

if ( ( ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) && isset($HTTP_POST_VARS['pending_members']) ) || ( isset($HTTP_POST_VARS['remove']) && isset($HTTP_POST_VARS['members']) ) )
{

$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS['pending_members'] : $HTTP_POST_VARS['members'];

$sql_in = '';
for($i = 0; $i < count($members); $i++)
{
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
}

replace with:

Code:

if ( ( ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) && isset($HTTP_POST_VARS['pending_members']) ) || ( isset($HTTP_POST_VARS['remove']) && isset($HTTP_POST_VARS['members']) ) )
{

$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) ) ? $HTTP_POST_VARS['pending_members'] : $HTTP_POST_VARS['members'];

$sql_in = '';
for($i = 0; $i < count($members); $i++)
{
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);
}

Save the changes and upload both files, replacing the existing versions.

phpBB2.de User Anmeldungsdatum: 16.08.2002 Beiträge: 719 Wohnort: Kassel

In wie fern wäre das noch für Minerva sinnvoll? (oder schon implementiert?)