Another Exploit In Phpbb 2.0.17 ...


Acyd Burn, the Development Team Leader of phpBB, posted this today; looks like another phpBB exploit... :) Here's the upgrade link, upgrade now: https://www.phpbb.com/downloads/

Hi everyone,

phpBB Group announces the release of phpBB 2.0.17, the "no, we did not forget naming it last time" release. This release addresses several bugfixes and some low security issues as well as the recently seemingly wide-spread XSS issue (only affecting Internet Explorer).

Please have a look down this announcement for the code changes necessary to fix the XSS issue. We are again astounded at the energy people put into finding the smallest issue in phpBB 2.0.x; those must have a lot of time available. But on the other hand it is always increasing the product's security, since we do not introduce new features into the 2.0.x codebase.

With this announcement I want to give you some more information regarding phpBB's security. psoTFX (Paul S. Owen, Project Manager) initiated and brought forward the idea and concept of a complete security audit of the 2.0.x codebase. We introduced some top-notch security people, phpBB-Modders and very talented people from our teams to participate in this audit. We intend to implement the changes necessary - and also fix the found issues - hopefully giving the now very aged codebase (it is still on a technical level from three years ago) a lift and bringing it up-to-date with security mechanisms and techniques which are common nowadays.

We also intend to open our private bugtracker system to the public for reporting 2.0.x bugs within the next days.

As with all new releases we urge you to update as soon as possible. You can of course find this download available on our downloads page. As per usual three packages are available to simplify your update.

    * Full Package
      Contains entire phpBB2 source and English language package

    * Changed Files Only
      Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release.

    * Patch Files
      Contains patch-compatible patches from the previous versions of phpBB.

As always, our Code Changes Tutorial is available too for those with heavily modded boards. It can be downloaded from this location.

Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!

 

What has changed in this release?

The changelog (contained within this release) is as follows:

    * Added extra checks to the deletion code in privmsg.php - reported by party_fan

    * Fixed XSS issue in IE using the url BBCode

    * Fixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure

    * Fixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik

    * Pass username through phpbb_clean_username within validate_username function - AnthraX101

    * Fixed PHP error in message_die function

    * Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J

    * Also fixed above issue in usercp_viewprofile.php

    * Fixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat

    * Fixed ordering of forums on admin_ug_auth.php to be consistent with other pages

    * Correctly set username on posts when deleting a user from the admin panel

Code changes to fix the XSS issue

Open includes/bbcode.php

Find (around Line 203):

[code]
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// [url]https://www.phpbb.com/; code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// [url=xxxx://https://www.phpbb.com/; code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// [url=https://www.phpbb.com/; code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
[/code]

Replace with:

[code]
$patterns[] = "#\[url\]([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// [url]https://www.phpbb.com/; code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// [url=xxxx://https://www.phpbb.com/; code..
$patterns[] = "#\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// [url=https://www.phpbb.com/; code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
[/code]

Find (around Line 627):

[code]
$ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);

// matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
// Must contain at least 2 dots. xxxx contains either alphanum, or "-"
// zzzz is optional.. will contain everything up to the first space, newline,
// comma, double quote or <.
$ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
[/code]

Replace with:

[code]
$ret = preg_replace("#(^|[\n ])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);

// matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
// Must contain at least 2 dots. xxxx contains either alphanum, or "-"
// zzzz is optional.. will contain everything up to the first space, newline,
// comma, double quote or <.
$ret = preg_replace("#(^|[\n ])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
[/code]

the phpBB Group


----- Quotes added, posts merged ----- szupie

Crap, I forgot to put that in quotes, can someone do that for me?
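To make the 2.0.17 change concrete, here is an added example (not phpBB's own code and not part of the announcement) that re-implements the old and new character classes from both the bbcode.php [url] pattern and the make_clickable() pattern with Python's re module in place of PCRE, then runs constructed sample posts through each. The anchor template standing in for $bbcode_tpl['url1'], the sample strings and the example.com URLs are assumptions made for the demonstration; the regular expressions themselves are taken from the announcement above.

```python
import re

# Added example (not phpBB's code): the two character classes from the
# 2.0.16 -> 2.0.17 change, re-implemented with Python's re module in place
# of PCRE.  re.ASCII keeps \w at [A-Za-z0-9_], matching PCRE without /u.
FLAGS = re.IGNORECASE | re.DOTALL | re.ASCII

# Before the fix: a blacklist, anything except space, quote, newline, tab, CR and '<'.
OLD_CLASS = r'[^ "\n\r\t<]'
# After the fix: a whitelist of only the characters listed in the announcement.
NEW_CLASS = r'[\w\#$%&~/.\-;:=,?@\[\]+]'

# [url]xxxx://...[/url] (the 'url1' pattern from bbcode.php), old and new.
OLD_URL1 = re.compile(r"\[url\]([\w]+?://" + OLD_CLASS + r"*?)\[/url\]", FLAGS)
NEW_URL1 = re.compile(r"\[url\]([\w]+?://" + NEW_CLASS + r"*?)\[/url\]", FLAGS)

# The first make_clickable() pattern (around line 627), old and new.
OLD_CLICK = re.compile(r"(^|[\n ])([\w]+?://" + OLD_CLASS + r"*)", FLAGS)
NEW_CLICK = re.compile(r"(^|[\n ])([\w]+?://" + NEW_CLASS + r"*)", FLAGS)

# Hypothetical stand-in for $bbcode_tpl['url1']: a plain anchor tag.
URL1_TPL = r'<a href="\1" target="_blank">\1</a>'


def render_url_bbcode(text, pattern=NEW_URL1):
    """Rewrite [url]...[/url] with the given pattern, as bbcode.php does."""
    return pattern.sub(URL1_TPL, text)


def make_clickable(text, pattern=NEW_CLICK):
    """Auto-link bare xxxx://... URLs, as phpBB's make_clickable() does."""
    return pattern.sub(r'\1<a href="\2" target="_blank">\2</a>', text)


def chars_outside_whitelist(url):
    """Characters of url that the 2.0.17 class refuses (sorted, de-duplicated)."""
    allowed = re.compile(NEW_CLASS, FLAGS)
    return sorted({c for c in url if not allowed.fullmatch(c)})


if __name__ == "__main__":
    # Constructed sample posts: one ordinary link, one containing a single
    # quote, which the old blacklist accepted and the new whitelist does not.
    clean = "[url]http://www.phpbb.com/downloads/[/url]"
    odd = "[url]http://example.com/a'b[/url]"
    for name, pat in (("old", OLD_URL1), ("new", NEW_URL1)):
        print(name, render_url_bbcode(clean, pat))
        print(name, render_url_bbcode(odd, pat))
    print(chars_outside_whitelist("http://example.com/a'b"))
    print(make_clickable("see http://example.com/a'b now", OLD_CLICK))
    print(make_clickable("see http://example.com/a'b now", NEW_CLICK))
```

Two behaviours are worth noticing. With the whitelist, a [url] tag whose body contains a character outside the set simply fails to match and is left as plain text, whereas make_clickable() still links the longest whitelisted prefix and leaves the rest outside the href attribute as text. Either way the disallowed character no longer ends up inside the attribute value. The change narrows only the character set; the scheme part is still any \w+://, so output encoding at the template layer remains the right place for a second line of defence.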

http://www.simplemachines.org/ - Convert Today, to a More Secure and Better BBS system :)

Sorry for plug. Right, another phpBB flaw; it took them about a week to patch this one, and it's been public knowledge it existed. And you know what makes me even madder is that ONLY NOW have they decided to audit phpBB's security. But I thought they said phpBB 3 was JUST around the corner, what did it do, stop for a bagel? Come on phpBB, either get it sorted, or tell your users to switch.


Yea I've seen the Demo of Phpbb 3. It doesn't look like it has a lot of changes to it. I'm probably wrong but I'm just judging by the demo. I plan to install the Current Version of Phpbb soon, so should I wait for 3 to come out?


I dunno, I kind of like Phpbb right now. I'm not a big fan of Invision Board or the other ones. Plus you can get like Cash Mods and Shop mod for phpbb; I don't know if anyone has made them for Simple Machines or Mercury.
