Vulnerable Part in eXTreme Styles Mod - Please fix it NOW !

A Security Hole was found in the eXtreme Styles Mod which is also used in phpBB2 Plus 1.5x. You should apply this fix NOW:

Open file admin/admin_xs.php

FIND:

Code:

if(empty($setmodules))
{
return;
}

REPLACE WITH:

Code:

if (!defined('IN_PHPBB'))
{
die('Hacking attempt');
}

if(empty($setmodules))
{
return;
}

CyberAlien post:
http://www.phpbbstyles.com/viewtopic.php?p=92240#92240

Other files, potential vulnerability:

Open /includes/functions_kb.php file

FIND:

Code:

//
// get_quick_stats();
// gets number of articles
//

BEFORE ADD:

Code:

if ( !defined('IN_PHPBB') )
{
die('Hacking attempt');
}

Open /includes/functions.php file

FIND:

Code:

//-- mod : post icon -------------------------------------------------------------------------------

BEFORE ADD:

Code:

if ( !defined('IN_PHPBB') )
{
die('Hacking attempt');
}

Thanks to ThE KuKa for Notification !

thanks for the update Kuka! Stefan, whats the good word? Any other updates planned for Plus?

Best,
jB

phpBB2.de User Joined: 06 Aug 2003 Posts: 140

Another one; in includes/kb_cat.php replace the 29. line

Code:

$category_id = $_GET['cat'];

with

Code:

$category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval ( $HTTP_GET_VARS['cat']) : intval ( $HTTP_POST_VARS['cat'] );

- an exploit is in the wild, so this fix should be applied immediately.

phpBB2.de User Joined: 01 Nov 2004 Posts: 137

Thanx the Kuka, stefan and AlleyKat..

what about jonny's question stefan? Wink

phpBB2.de User Joined: 01 Nov 2004 Posts: 137

Yesterday when i edited the file admin_xs.php portal page was working but after i edited other files portal page has disappeared again:

http://www.phpbb2.de/ftopic46012-15.html

there is a problem but i didnt understand it, what you think may be it is about CTRACKER?

http://www.phpbb2.de/ftopic40846-15.html

phpBB2.de User Joined: 24 Dec 2006 Posts: 2

Hi

I get also hacked. Here is how:
First - IP where I get hacked: 81.192.223.194 - so You can block this IP.
How:
I found from my log files this line:

Code:

/kb.php?mode=cat&cat=-99999/**/union/**/select/**/0,1,2,3,concat(user_i,char(58),username,char(58),user_password),5/**/from/**/phpbb_users/**/where/**/user_id=2/news_rss.php HTTP/1.1" 2001" 200 14024

What e-amil hacker uses: joshkof@gmail.com

What hacker has made in portal - lucky I think nothing. He get admin access and disables all other admins. Changes also portal e-mail address. I checked the apache logs and I don't find nothing suspected anymore in this IP activity. He look to the portal, changes admins and emails and thats all.

I removed kb.php file and added fixes from this thread.

But I have question about news_rss.php file. Is this also dangerous or not. Right now I removed this file also.

phpBB2.de User Joined: 14 Feb 2007 Posts: 73

Did you mean in includes/kb_cat.php we must replace :

AlleyKat wrote:

Code:

$category_id = $_GET['cat'];

To this code ?

AlleyKat wrote:

Code:

$category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval ( $HTTP_GET_VARS['cat']) : intval ( $HTTP_POST_VARS['cat'] );

- an exploit is in the wild, so this fix should be applied immediately.

Am I right ?

phpBB2.de User Joined: 06 Aug 2003 Posts: 140

Choas > That is what I wrote, and that is what I meant, yes. Wink

spott > That is what the fix is supposed to block.

phpBB2.de User Joined: 14 Feb 2007 Posts: 73

Thanks alot

I found in PaFiledb some hackers can upload some hack tools and even enject database.

Any Idia ?

Change your file UPLOAD permission to ADMIN or MOD's only.

phpBB2.de User Joined: 01 Nov 2004 Posts: 137

How can we chanfe our file UPLOAD permissions, on ACP?

ACP --> Download, Permissions --> Change permissions as needed.

just ad's

TIP: Not use NEVER prefix phpbb_ use other prefix tables Wink