phpBB2.de

phpBB2.de http://www.phpbb2.de/ en_us Copyright 2003, phpBB2.de http://backend.userland.com/rss phpBB 2.0.23 : CMX News Mod noreply@phpbb2.de noreply@phpbb2.de 60 Vulnerable Part in eXTreme Styles Mod - Please fix it NOW ! Thu, 27 Mar 2008 12:10:03 +0000 http://www.phpbb2.de/portal.php?topic_id=46267 NOW:

Open file admin/admin_xs.php

FIND:

Code:

if(empty($setmodules))
{
return;
}

REPLACE WITH:

Code:

if (!defined('IN_PHPBB'))
{
die('Hacking attempt');
}

if(empty($setmodules))
{
return;
}

CyberAlien post:
http://www.phpbbstyles.com/viewtopic.php?p=92240#92240

Other files, potential vulnerability:

Open /includes/functions_kb.php file

FIND:

Code:

//
// get_quick_stats();
// gets number of articles
//

BEFORE ADD:

Code:

if ( !defined('IN_PHPBB') )
{
die('Hacking attempt');
}

Open /includes/functions.php file

FIND:

Code:

//-- mod : post icon -------------------------------------------------------------------------------

BEFORE ADD:

Code:

if ( !defined('IN_PHPBB') )
{
die('Hacking attempt');
}

Thanks to ThE KuKa for Notification !]]> http://www.phpbb2.de/ftopic46267.html phpBB2 Plus 1.53a CTracker 5.0.4 Upgrade Package available Thu, 27 Sep 2007 13:20:20 +0000 http://www.phpbb2.de/portal.php?topic_id=45250
I have made a Package to Upgrade phpBB2 Plus 1.53a (Codebase 2.0.22) with the latest Cracker Tracker 5.0.4 from www.cback.de. Just follow the steps in the included readme to upgrade your CTracker to 5.0.4.

You can find the Download here:

http://www.phpbb2.de/dload.php?action=file&file_id=834]]> http://www.phpbb2.de/ftopic45250.html phpBB2 Plus 1.53a Language File Vulnerable Sat, 22 Sep 2007 21:24:35 +0000 http://www.phpbb2.de/portal.php?topic_id=45218 critical Security Hole was found in 2 Language Files of phpBB2 Plus 1.5x. Please add this fix very quickly to the following Files:

language/lang_german/lang_main_album.php
language/lang_german/lang_admin_album.php
language/lang_english/lang_main_album.php
language/lang_english/lang_admin_album.php

Open the Files and find at the Top of the file:

Code:

/***************************************************************************
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
***************************************************************************/

add below:

Code:

if ( !defined('IN_PHPBB') )
{
die('Hacking attempt');
exit;
}

Add the Code to all listed files. If you have different languages installed, also add the fix to all other languages !!!

Edit: Please add this fix also : http://www.phpbb2.de/ftopic45080.html ]]> http://www.phpbb2.de/ftopic45218.html Acronym Mod v0.9.5 Remote SQL Injection Mon, 01 Jan 2007 13:13:34 +0000 http://www.phpbb2.de/portal.php?topic_id=42127
FIND:

Code:

$acronym_id = ( isset($_GET['id']) ) ? $_GET['id'] : 0;

REPLACE WITH:

Code:

$acronym_id = ( isset($_GET['id']) ) ? intval($_GET['id']) : 0;

FIND:

Code:

$acronym_id = ( isset($_POST['id']) ) ? $_POST['id'] : 0;

REPLACE WITH:

Code:

$acronym_id = ( isset($_POST['id']) ) ? intval($_POST['id']) : 0;

FIND:

Code:

$acronym_id = ( isset($_POST['id']) ) ? $_POST['id'] : $_GET['id'];

REPLACE WITH:

Code:

$acronym_id = ( isset($_POST['id']) ) ? intval($_POST['id']) : intval($_GET['id']);

Thanks to The Kuka !]]> http://www.phpbb2.de/ftopic42127.html phpBB 2.0.22 released ! Sat, 23 Dec 2006 23:09:46 +0000 http://www.phpbb2.de/portal.php?topic_id=42034 phpBB 2.0.22 released !

phpBB 2.0.22 was released today by the phpBB Group. This release addresses several bugfixes and some security issues. Language pack authors may note that one additional language variable had been added.

It is important that you carry out both parts of the update - updating the files and running the database update script - for updates to be complete.

What has changed in this release?

The changelog (contained within this release) is as follows:

[Fix] Check for user's existence prior to showing email form
[Fix] New members of moderator groups should always become moderators (Bug #382)
[Fix] Proper message when replying to non-existant topics (Bug #459)
[Fix] Changed column type of search_array to store more ids (Bug #4058)
[Fix] Fixed annoyance with font-size selector (Bug #4612)
[Fix] Fix optimize line in database updater (Bug #6186)
[Sec] Check for the avatar upload directory reinforced
[Sec] Changes to the criteria for "bad" redirection targets - kellanved
[Sec] Fixed a non-persistent XSS issue in private messaging
[Sec] Fixing possible negative start parameter - SpiderZ.
[Sec] Added session checks to various forms - kellanved

phpBB 2.0.22 Full Package
phpBB 2.0.22 Updated Files only
phpBB 2.0.22 Patch File
phpBB 2.0.21 to phpBB 2.0.22 Code Changes

phpBB2 Plus 1.53a Core Code Changes to phpBB 2.0.22 Code

phpBB 2.0.22 incl. deutschen Sprachfiles und Grafiken]]> http://www.phpbb2.de/ftopic42034.html phpBB 2.0.21 updated ! Fri, 09 Jun 2006 10:38:41 +0000 http://www.phpbb2.de/portal.php?topic_id=39239 phpBB 2.0.21 updated !

Graham hat folgendes geschrieben:

It has come to my attention that there may be a bug in this release which will affect those who run a forum with multiple languages installed and in use and lead to the default language being changed under some circumstances.

If this issue is affecting you, the following change should resolve it.

OPEN includes/functions.php

FIND (near line 371)

Code:

$board_config['default_lang'] = $default_lang;
$userdata['user_lang'] = $default_lang;

REPLACE WITH

Code:

$userdata['user_lang'] = $default_lang;

FIND (near line 374)

Code:

elseif ( $board_config['default_lang'] !== $default_lang )

REPLACE WITH

Code:

elseif ( $userdata['user_id'] === ANONYMOUS && $board_config['default_lang'] !== $default_lang )

FIND (near line 384)

Code:

$board_config['default_lang'] = $default_lang;
}

REPLACE WITH

Code:

}

$board_config['default_lang'] = $default_lang;

*new files comming soon*]]> http://www.phpbb2.de/ftopic39239.html phpBB 2.0.21 released ! Wed, 07 Jun 2006 22:43:13 +0000 http://www.phpbb2.de/portal.php?topic_id=39203 phpBB 2.0.21 released !

phpBB 2.0.21, "Bertie's Summer Vacation" was released today by the phpBB Group. "This release is a cumulative bug fix update, as well as including a number of minor security fixes. We have altered the visual confirmation system used on servers without zlib enabled to bring it up to the same level as that used elsewhere and made a few small performance improvements.

It is important that you carry out both parts of the update - updating the files and running the database update script - for updates to be complete.

What has changed in this release?

The changelog (contained within this release) is as follows:

[Fix] Changes to random number generator code to explicitly truncate the length of the string
[Fix] Quoting on boards with HTML enabled
[Fix] Special characters on boards with HTML enabled
[Fix] Redirect to list if cancelling deletion of ranks, smilies or word censors
[Fix] Missing error message if an inactive user tried to login (Bug #1598)
[Fix] Do not alter post counts when just removing a poll (Bug #1602)
[Fix] Correct error in removal of old session keys
[Fix] Changed filtering of short search terms
[Sec] Improved filtering on language selection (also addresses a number of bug reports related to missing languages)
[Change] Backported more efficient highlighting code from Olympus
[Change] Backported zlib emulation code so that there is only a single confirmation image even if zlib is not available

phpBB 2.0.21 Full Package
phpBB 2.0.21 Updated Files only
phpBB 2.0.21 Patch File
phpBB 2.0.21 to phpBB 2.0.21 Code Changes

phpBB2 Plus 1.53 Code Changes to 2.0.21 Code]]> http://www.phpbb2.de/ftopic39203.html Server Maintenance on Friday June 16th ! Wed, 07 Jun 2006 09:53:04 +0000 http://www.phpbb2.de/portal.php?topic_id=39184 June 16th. The Server and our Site will be offline from early Morning this day. Maintenance may take some hours, we hope to be back again online Friday afternoon.]]> http://www.phpbb2.de/ftopic39184.html 2 more Vulnerable Files ! Wed, 31 May 2006 08:14:43 +0000 http://www.phpbb2.de/portal.php?topic_id=39022
Open pafiledb/includes/pafiledb_constants.php

find:

Code:

add below:

Code:

if ( !defined('IN_PHPBB') )
{
die ("Hacking attempt!");
}

open admin/admin_hacks_list.php

find:

Code:

$phpbb_root_path = '../';
if( !empty($setmodules) )
{
include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_admin_hacks_list.' . $phpEx);
$filename = basename(__FILE__);
$module['General']['Hacks_List'] = $filename;

return;
}

include($phpbb_root_path . 'extension.inc');
(file_exists('pagestart.' . $phpEx)) ? include('pagestart.' . $phpEx) : include('pagestart.inc');

replace with:

Code:

if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['General']['Hacks_List'] = $filename;

return;
}

$phpbb_root_path = './../';
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);

Also you must fix this one in the Knowledgebase Mod, if you did not already:

http://www.phpbb2.de/ftopic38976.html]]> http://www.phpbb2.de/ftopic39022.html Vulnerability in kb_constants.php Sun, 28 May 2006 22:20:21 +0000 http://www.phpbb2.de/portal.php?topic_id=38976
Find:

Code:

// ---------------------------------------------------------------------START
// This file defines specific constants for the module

ADD BEFORE:

Code:

if ( !defined('IN_PHPBB') )
{
die("Hacking attempt");
}

Please do it now and not later !

I have updated the Download-Package with this fix already.]]> http://www.phpbb2.de/ftopic38976.html AJAX Mod Support Tue, 18 Apr 2006 22:47:23 +0000 http://www.phpbb2.de/portal.php?topic_id=38004
All support-questions about the modified Plus-Version can only be asked and answered here at www.phpbb2.de. Please don't sent support-requests by PM or E-Mail.

Thanks]]> http://www.phpbb2.de/ftopic38004.html phpBB2 Plus 1.53 Released ! Sat, 08 Apr 2006 14:13:20 +0000 http://www.phpbb2.de/portal.php?topic_id=37634 phpBB2 Plus 1.53 released !

With the Release of phpBB 2.0.20, "Golden Super Furry Linen" Edition we have decided to integrate these last changes and release the long awaited Final Version of phpBB2 Plus 1.53 which is a Major Update of the popular phpBB2 Plus Series.

There is too much changes since 1.52 to list them all in this announcement, Tons of Bugfixes, Improvements and new Functions were added since 1.52 was released. All changes are listed in the 1.53 changelog which is included in the Zip Package. Update Scripts for earlier phpBB2 and Plus-Versions are included in the Zip-Package, so you should be able to upgrade your current version to phpBB2 Plus 1.53. If you have problems or questions please post them in the Support Forums.

phpBB2 Plus 1.53 Full Package
phpBB2 Plus 1.53 Beta9 Code Changes from 2.0.19 to 2.0.20
phpBB2 Plus 1.53 Beta9 Update Files from 2.0.19 to 2.0.20]]> http://www.phpbb2.de/ftopic37634.html phpBB 2.0.20 released Fri, 07 Apr 2006 20:26:41 +0000 http://www.phpbb2.de/portal.php?topic_id=37620 phpBB 2.0.20 released !

phpBB 2.0.20, "Golden Super Furry Linen" was released today by the phpBB Group. "This release is a cumulative bug fix update, as well as including a number of minor security fixes. We have also introduced a new feature to allow you to limit how often a user may conduct a search if you find that searches are putting a load on your server, as well as changing the default permissions on new forums so that you must explicitly make them available for guests to post in and enabling visual confirmation by default on all new installs."

It is important that you carry out both parts of the update - updating the files and running the database update script - for updates to be complete.

What has changed in this release?

The changelog (contained within this release) is as follows:

[Fix] Prevent login attempts from incrementing for inactive users
[Fix] Do not check maximum login attempts on re-authentication to the admin panel - tomknight
[Fix] Regenerate session keys on password change
[Fix] retrieving category rows in index.php (Bug #90)
[Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
[Fix] Better handling of short usernames within the search (bug #105)
[Fix] Send a no-cache header on admin pages as well as normal board pages (Bug #149)
[Fix] Apply word censors to the message when quoting it (Bug #405)
[Fix] Improved performance of query in admin_groups (Bug #753)
[Fix] Workaround for an issue in either PHP or MSSQL resulting in a space being returned instead of an empty string (bug #830)
[Fix] Correct use of default_style config value (Bug #861)
[Fix] Replace unneeded unset calls in admin_db_utilities.php - vanderaj
[Fix] Improved error handling in modcp.php
[Fix] Improved handling of forums to which the user does not have any explicit permissions - vanderaj
[Fix] Assorted fixes and cleanup of admin_ranks.php, now requires confirmation of deletions
[Fix] Assorted fixes and cleanup of admin_words.php, now requires confirmation of deletions
[Fix] Addition and editing of smilies can no longer be performed via GET, now requires confirmation of deletions
[Fix] Escape group names in admin_groups.php
[Sec] Replace strip_tags with htmlspecialchars in private message subject
[Sec] Some changes to HTML handling if enabled
[Sec] Escape any special characters in reverse dns - Anthrax101
[Sec] Typecast poll id values - Anthrax101
[Sec] Added configurable search flood control to reduce the effect of DoS style attacks
[Sec] Changed the way we create "random" values for use as keys - chinchilla/Anthrax101
[Sec] Enabled Visual Confirmation by default
[Change] Changed handling of the case where a selected style doesn't exist in the database
[Change] Changed handling of topic pruning to improve performance
[Change] Changed default forum permissions to only allow registered users to post in new forums

phpBB 2.0.20 Full Package
phpBB 2.0.20 Updated Files only
phpBB 2.0.20 Patch File
phpBB 2.0.19 to phpBB 2.0.20 Code Changes]]> http://www.phpbb2.de/ftopic37620.html phpBB 2.0.19 released Fri, 30 Dec 2005 15:07:14 +0000 http://www.phpbb2.de/portal.php?topic_id=35046 phpBB 2.0.19 released !

phpBB 2.0.19, "we wish you all a happy new year" was released today by the phpBB Group. "This release addresses several bugfixes and some security issues only affecting Internet Explorer. Additionally we introduced a new feature to limit the number of logins. The admin is able to configure this feature on two ways, defining the number of maximum allowed logins and setting a time period after the user is allowed to login again. With this feature we hope to address the recent dictionary attacks happening on some forums to crack user passwords."

It is important that you carry out both parts of the update - updating the files and running the database update script - for updates to be complete.

What has changed in this release?

The changelog (contained within this release) is as follows:

[Fix] corrected index on session keys table under MS SQL
[Fix] added session keys table to backup
[Fix] delete session keys entries when deleting user
[Fix] changes to support MySQL 5.0
[Fix] changes to some of the admin files to improve efficiency and remove a potential error condition when building the menu
[Fix] change truncation of username length in usercp_register.php - BFUK
[Fix] incorrect path to avatars in admin_users.php (Bug #667)
[Fix] fixed get_userdata to support correct sql escaping (non-mysql dbs) - jarnaez
[Fix] fixed captcha for those not having the zlib extension enabled
[Change] Placed version information above who is online in admin panel for better visual presence
[Sec] fixed XSS issue (only valid for Internet Explorer) within the url bbcode
[Sec] fixed XSS issue (only valid for Internet Explorer) if html tags are allowed and enabled
[Sec] added configurable maximum login attempts to prevent dictionary attacks

phpBB 2.0.19 Full Package
phpBB 2.0.19 Updated Files only
phpBB 2.0.19 Patch File
phpBB 2.0.18 to phpBB 2.0.19 Code Changes]]> http://www.phpbb2.de/ftopic35046.html Update for phpBB2 Plus 1.52 to 2.0.18 Core Code available Tue, 01 Nov 2005 00:05:58 +0000 http://www.phpbb2.de/portal.php?topic_id=33561
Edit: There is also manual Upgrade instructions available now

Get the Package here
Manual Upgrade Instructions for phpBB2 Plus 1.5x

Happy Updating]]> http://www.phpbb2.de/ftopic33561.html