stefan
Administrator
Registered: 02.08.2002
Posts: 4735
Location: Aachen
Posted: Mon 01 March 2004, 23:09
This was posted today at www.phpbb.com:

A new release of phpBB 2.0.6 is now available for download, phpBB 2.0.6d. This addresses a vulnerability in viewtopic, a potential issue with login and may address current issues with Zend Optimizer 2.5.

The viewtopic vulnerability, again released to bugtraq without us first being notified ... sigh, is of the cross-site scripting type. While relatively minor it can allow information to be obtained without the user's direct knowledge. Thus we recommend all admins upgrade their board as soon as possible. The relevant fix is noted below. The login issue is similar in nature and has been addressed to counter potential future problems.

A number of people have encountered problems running phpBB (and other applications) on servers using Zend Optimizer 2.5 (note the number!). While this is not directly a phpBB issue, a keen user, jetset, has discovered a number of code additions which should reduce or remove this problem. These fixes are included in the new packages. Because they involve a number of files they are not noted in this topic. Zend do seem to be aware of problems with the optimiser and are planning an updated release in the near future.
Vulnerability fix:
Open viewtopic.php in your favourite text editor. Find the following section of code:
Code:
```php
//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
{
	$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? $HTTP_POST_VARS['postorder'] : $HTTP_GET_VARS['postorder'];
	$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
	$post_order = 'asc';
	$post_time_order = 'ASC';
}
```
Replace this with:
Code:
```php
//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
{
	$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? htmlspecialchars($HTTP_POST_VARS['postorder']) : htmlspecialchars($HTTP_GET_VARS['postorder']);
	$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
	$post_order = 'asc';
	$post_time_order = 'ASC';
}
```
Double check your changes, save the file and upload it over your old viewtopic.php. Please remember we know this change works! If you encounter any errors it is almost certainly something you've done. So recheck your code and ensure it looks as above, do not change any other lines.

The Files in our Download Section have already been updated with the new version.
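The following is an added example, not phpBB's own code and not part of the original post: it models the `postorder` handling before and after the 2.0.6d fix so the effect of `htmlspecialchars()` on a reflected value can be seen, and adds a stricter allow-list variant (an assumption of this example, not part of the phpBB patch) that only ever yields the two values the code actually understands.

```php
<?php
// Added example (not phpBB code): models how viewtopic.php handles the
// "postorder" request value before and after the 2.0.6d fix.

// Pre-2.0.6d behaviour: the raw request value is reused verbatim, so whatever
// the client sent is later echoed back into the page (form fields, links).
function post_order_before(array $post, array $get): array
{
    if (!empty($post['postorder']) || !empty($get['postorder'])) {
        $post_order = !empty($post['postorder']) ? $post['postorder'] : $get['postorder'];
        $post_time_order = ($post_order == 'asc') ? 'ASC' : 'DESC';
    } else {
        $post_order = 'asc';
        $post_time_order = 'ASC';
    }
    return [$post_order, $post_time_order];
}

// 2.0.6d behaviour: HTML metacharacters (<, >, &, ") are entity-encoded, so
// the value can no longer break out of the attribute or tag it is printed in.
function post_order_fixed(array $post, array $get): array
{
    if (!empty($post['postorder']) || !empty($get['postorder'])) {
        $post_order = !empty($post['postorder'])
            ? htmlspecialchars($post['postorder'])
            : htmlspecialchars($get['postorder']);
        $post_time_order = ($post_order == 'asc') ? 'ASC' : 'DESC';
    } else {
        $post_order = 'asc';
        $post_time_order = 'ASC';
    }
    return [$post_order, $post_time_order];
}

// Stricter variant (assumption, not part of the phpBB patch): accept only
// "asc" or "desc" and fall back to the default for anything else, so no
// attacker-controlled bytes reach the output at all.
function post_order_allowlist(array $post, array $get): array
{
    $raw = !empty($post['postorder']) ? $post['postorder'] : ($get['postorder'] ?? '');
    $post_order = ($raw === 'desc') ? 'desc' : 'asc';
    return [$post_order, strtoupper($post_order)];
}

// Constructed request value containing HTML metacharacters (sample input).
$get = ['postorder' => 'asc"><b>x</b>'];
list($before) = post_order_before([], $get);      // unchanged, reflected as sent
list($after)  = post_order_fixed([], $get);       // entity-encoded by htmlspecialchars()
list($strict) = post_order_allowlist([], $get);   // reduced to the default "asc"
printf("before: %s\nfixed:  %s\nstrict: %s\n", $before, $after, $strict);
```

Note that in both the original and the fixed code the `asc`/`desc` comparison still drives the SQL sort direction through a fixed string (`ASC`/`DESC`), so the issue is limited to the reflected value, which is exactly what the escaping addresses.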
JoeHK2003
phpBB2.de User
Registered: 08.12.2003
Posts: 178
Posted: Tue 02 March 2004, 09:41
How about this:
"The login issue is similar in nature and has been addressed to counter potential future problems"
Can anyone list the change of this relevant fix?