
Security Update.

Älphämönkëy Registered User regular
I made a quick security update. If you own or administer your own phpBB board, I advise you to do the same.
[quote=psoTFX]Open viewtopic.php in any text editor. Find the following section of code:
// 
// Was a highlight request part of the URI? 
// 
$highlight_match = $highlight = ''; 
if (isset($HTTP_GET_VARS['highlight'])) 
{ 
   // Split words and phrases 
   $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight'])))); 

   for($i = 0; $i < sizeof($words); $i++) 
   {
and replace with:
// 
// Was a highlight request part of the URI? 
// 
$highlight_match = $highlight = ''; 
if (isset($HTTP_GET_VARS['highlight'])) 
{ 
   // Split words and phrases 
   $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight']))); 

   for($i = 0; $i < sizeof($words); $i++) 
   {
[/quote]
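Added example, not code from the thread or from phpBB: a small Python model of the quoted viewtopic.php block, showing what the old and the fixed versions make of the same request, plus a log-side check a defender can run on incoming parameters. parse_qs stands in for PHP's own one-time decode of the query string into $HTTP_GET_VARS, and php_htmlspecialchars for htmlspecialchars() with its default flags; both are assumptions of the model, and the request strings are constructed.

```python
# Added example, not code from the thread or from phpBB: a Python model of
# the quoted viewtopic.php block. parse_qs stands in for PHP's one-time
# decode of the query string into $HTTP_GET_VARS and php_htmlspecialchars
# for htmlspecialchars() with its default flags; both are assumptions.
from urllib.parse import parse_qs, unquote
import html
import re


def php_htmlspecialchars(s: str) -> str:
    """Approximation of PHP htmlspecialchars() defaults: & < > and the
    double quote are escaped, the single quote is left untouched."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def highlight_words(raw_query: str, extra_urldecode: bool) -> list:
    """What the highlight loop receives for a given raw query string.

    PHP has already percent-decoded the request once by the time
    $HTTP_GET_VARS['highlight'] exists. The pre-2.0.11 code decoded it a
    second time with urldecode(); the fix drops that call. Pass
    extra_urldecode=True for the old behaviour, False for the fixed one.
    """
    value = parse_qs(raw_query, keep_blank_values=True).get("highlight", [""])[0]
    if extra_urldecode:
        value = unquote(value)           # the call the fix removes
    value = php_htmlspecialchars(value.strip())
    return value.split(" ")              # explode(' ', ...)


_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def looks_double_encoded(decoded_value: str) -> bool:
    """Defensive check for request logging: a parameter that still holds a
    %XX sequence after the framework's single decode was encoded at least
    twice, which a client sending a plain search term never does. A lone
    percent sign such as '100%' does not trigger it."""
    return _PCT.search(decoded_value) is not None


if __name__ == "__main__":
    # Constructed requests: a normal one and two double-encoded ones.
    for q in ("highlight=foo%20bar", "highlight=foo%2520bar", "highlight=it%2527s"):
        decoded_once = parse_qs(q)["highlight"][0]
        print(q, "fixed:", highlight_words(q, False),
              "old:", highlight_words(q, True),
              "double-encoded?", looks_double_encoded(decoded_once))
```

The two paths only disagree on double-encoded input, and that disagreement is the point: the text the old code handed on to the rest of viewtopic.php was not the text that PHP, or anything sitting in front of PHP, had already inspected once. A request whose once-decoded parameter still contains a %XX sequence is therefore worth logging, and a sanitiser should always run on the same representation the sink later uses.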

Posts

  • Dog Registered User, Administrator, Vanilla Staff admin
    edited November 2004
    I see the change, but what does removing the urldecode() do?

  • Echo Moderator mod
    edited November 2004
    Sounds like an injection attack.

    Echo wrote: »
    Let they who have not posted about their balls in the wrong thread cast the first stone.
  • Älphämönkëy Registered User regular
    edited November 2004
    Echo wrote:
    Sounds like an injection attack.
    It is. I actually disabled highlighting for a few days while the phpBB group learned that this was indeed a security issue. There should be 3 more they patch with their upcoming version (2.0.11) if I'm counting correctly. If they don't release 2.0.11 by Thanksgiving, PM me and I will give you some of my patches.

  • Älphämönkëy Registered User regular
    edited November 2004
    Remember that 2.0.11 release I was talking about? Just happened. I'm hand patching the forums. Both forums. If things break, let me know.

  • Älphämönkëy Registered User regular
    edited November 2004
    Ack!
    I didn't know about this one:
    *** phpbb210/includes/functions.php	Sun Jul 18 01:13:57 2004
    --- phpbb2011/includes/functions.php	Thu Nov 18 21:02:11 2004
    ***************
    *** 6,12 ****
       *   copyright            : (C) 2001 The phpBB Group
       *   email                : [email][email protected][/email]
       *
    !  *   $Id: functions.php,v 1.133.2.32 2004/07/17 13:48:31 acydburn Exp $
       *
       *
       ***************************************************************************/
    --- 6,12 ----
       *   copyright            : (C) 2001 The phpBB Group
       *   email                : [email][email protected][/email]
       *
    !  *   $Id: functions.php,v 1.133.2.33 2004/11/18 17:49:42 acydburn Exp $
       *
       *
       ***************************************************************************/
    ***************
    *** 74,79 ****
    --- 74,89 ----
      	return false;
      }
      
    + // added at phpBB 2.0.11 to properly format the username
    + function phpbb_clean_username($username)
    + {
    + 	$username = htmlspecialchars(rtrim(trim($username), "\\"));
    + 	$username = substr(str_replace("\\'", "'", $username), 0, 25);
    + 	$username = str_replace("'", "\\'", $username);
    + 
    + 	return $username;
    + }
    +
    
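    Review bot: the comment "+ // added at phpBB 2.0.11 to properly format the username" undersells a function whose steps are order-sensitive, so the comment should say so: rtrim(trim($username), "\\") removes a trailing backslash that would otherwise escape the closing quote of whatever string the name is later embedded in; the str_replace("\\'", "'", ...) unescape runs before the 25-character substr() and the str_replace("'", "\\'", ...) re-escape runs after it, so truncation can never split an escaped quote and leave a dangling backslash. Without that note, a later edit that moves the substr() would silently reopen the problem. Two smaller points: the re-escape is hand-rolled and covers only single quotes, so callers should still pass the result through the database layer's own escaping before it reaches a query rather than treat it as query-safe, and the bare literal 25 deserves a named constant.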
    That's nasty.

  • denihilist Ancient and Mighty Registered User, Moderator mod
    edited November 2004
    I love it when you talk tech.

    More about hashes please!

  • Jasconius sword criminal mad online Registered User regular
    edited November 2004
    phpBB.... 1000 monkeys at 1000 keyboards CAN do something useful.

    :D

  • Paladin Registered User regular
    edited November 2004
    Nooooo I wanted to exploit stuff

    Marty: The future, it's where you're going?
    Doc: That's right, twenty five years into the future. I've always dreamed on seeing the future, looking beyond my years, seeing the progress of mankind. I'll also be able to see who wins the next twenty-five world series.
  • Szechuanosaurus Registered User, ClubPA regular
    edited November 2004
    words = explode

    OH NOES!

    Yeah, I know nothing about php.

  • Deusfaux Registered User regular
    edited November 2004
    alpha when you said in that other thread that you won't be adding new features..

    ... did you mean until after the "january" upgrade? or ever?

  • Orthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited November 2004
    Szechuanosaurus wrote:
    words = explode

    OH NOES!

    Yeah, I know nothing about php.

    similar to split, but without the regex

    orthanc
  • Szechuanosaurus Registered User, ClubPA regular
    edited November 2004
    Orthanc wrote:
    words = explode

    OH NOES!

    Yeah, I know nothing about php.

    similar to split, but without the regex

    I don't understand Maori either.

    What is it...something to do with the word highlight thing when you're viewing a thread that works when you do a search...so a word split does what? Something to do with testing each word to see if it matches the word you've told it to highlight presumably. Right? What made that a security issue before?

  • BesigedB Registered User, ClubPA regular
    edited November 2004
    unfortunately the function removelameness(string) does not yet exist

    this is a small sig to not get in your way
  • Älphämönkëy Registered User regular
    edited November 2004
    Deusfaux wrote:
    alpha when you said in that other thread that you won't be adding new features..

    ... did you mean until after the "january" upgrade? or ever?
    After the January upgrade.

  • Pheezer Registered User, ClubPA regular
    edited November 2004
    Deusfaux wrote:
    alpha when you said in that other thread that you won't be adding new features..

    ... did you mean until after the "january" upgrade? or ever?
    After the January upgrade.

    I think what Deusfaux is trying to say is that he doesn't understand the difference between "new features" and "security patches".

    IT'S GOT ME REACHING IN MY POCKET IT'S GOT ME FORKING OVER CASH
    CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH
  • Älphämönkëy Registered User regular
    edited November 2004
    pheezer wrote:
    Deusfaux wrote:
    alpha when you said in that other thread that you won't be adding new features..

    ... did you mean until after the "january" upgrade? or ever?
    After the January upgrade.

    I think what Deusfaux is trying to say is that he doesn't understand the difference between "new features" and "security patches".
    Ah. Security patches to me are things that jeopardize the security of the Penny Arcade main website, and thus need to be fixed. New features are things that are nice to have, but if they didn't happen it wouldn't be the end of the world.

  • Dog Registered User, Administrator, Vanilla Staff admin
    edited November 2004
    pheezer wrote:
    Deusfaux wrote:
    alpha when you said in that other thread that you won't be adding new features..

    ... did you mean until after the "january" upgrade? or ever?
    After the January upgrade.

    I think what Deusfaux is trying to say is that he doesn't understand the difference between "new features" and "security patches".
    Ah. Security patches to me are things that jeopardize the security of the Penny Arcade main website, and thus need to be fixed. New features are things that are nice to have, but if they didn't happen it wouldn't be the end of the world.

    I don't think the forums crashing would be the end of the world. :P

    Also, you never did answer my question as to how this is a security flaw. I must be having a stupid moment cuz I'm sure it's really easy to figure out. If it's sooper seekrit, would you mind PM/IMing me rather than making it public.

    Thanks. :)

  • Älphämönkëy Registered User regular
    edited November 2004
    Dog wrote:
    I don't think the forums crashing would be the end of the world. :P

    Also, you never did answer my question as to how this is a security flaw. I must be having a stupid moment cuz I'm sure it's really easy to figure out. If it's sooper seekrit, would you mind PM/IMing me rather than making it public.

    Thanks. :)
    Done.

    It's not the forums I worry about, it is the main site. We share the same uid as far as PHP is concerned; you can see where that leads. I'll IM you.

  • 90X Double Side Registered User
    edited November 2004
    Secunia has a writeup now:

    http://secunia.com/advisories/13239/

  • Fallout GIRL'S DAY WAS PRETTY GOOD WHILE THEY LASTED Registered User regular
    edited November 2004
    What kind of things does this keep people from doing?

    I don't know what an injection attack is unless we're talking like implanting alien eggs in the site or something

  • Orthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited November 2004
    Fallout wrote:
    What kind of things does this keep people from doing?

    I don't know what an injection attack is unless we're talking like implanting alien eggs in the site or something

    Injection attacks in the general sense mean that you are able to "inject" some code somewhere you shouldn't.

    A classic example would be if someone doesn't check a username properly before putting it into the database. This can then allow someone to change the query to change the database, such as by giving them admin rights.

    Injection attacks can happen anywhere you use a user-supplied string in a way that it can be executed. SQL injections (like the one described above) are probably the most common, but in some situations it's also possible to have insertion attacks that affect HTML or even have code executed on the command line.

    orthanc
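Orthanc's username example, worked through as an added example that is not part of the thread: the unsafe string-built query beside its parameterised form, run against an in-memory SQLite table. The users table, its columns and the two rows are constructed for the demonstration and are not phpBB's schema.

```python
# Added example, not code from the thread: Orthanc's "username into the
# database" case against an in-memory SQLite table. The users table, its
# columns and the two rows are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    conn.commit()
    return conn


def is_admin_unsafe(conn: sqlite3.Connection, username: str) -> bool:
    """The pattern Orthanc warns about: the user-supplied string is pasted
    into the SQL text, so a quote inside it ends the literal and whatever
    follows is read as SQL."""
    sql = "SELECT is_admin FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return bool(row and row[0])


def is_admin_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Hardened form: the value travels separately from the SQL text as a
    bound parameter, so it can only ever be compared as a username."""
    row = conn.execute("SELECT is_admin FROM users WHERE username = ?",
                       (username,)).fetchone()
    return bool(row and row[0])


def unsafe_rejects(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenated query does not even parse for this
    username, the everyday symptom of the same bug (think O'Brien)."""
    try:
        is_admin_unsafe(conn, username)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    # A name that closes the quote and appends its own condition: the
    # unsafe query now returns the first row with is_admin = 1, which is
    # alice's, while the safe query simply finds no such user.
    crafted = "bob' OR is_admin = 1 --"
    print("unsafe:", is_admin_unsafe(conn, crafted))   # True
    print("safe:  ", is_admin_safe(conn, crafted))     # False
    print("o'brien breaks unsafe query:", unsafe_rejects(conn, "o'brien"))
```

The two functions differ by one thing only: whether the username is part of the SQL text or a bound parameter. The unsafe version also fails on perfectly honest names containing an apostrophe, which is usually the first way a team notices the bug; the parameterised version handles those, and the crafted name, as ordinary strings.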
  • Deusfaux Registered User regular
    edited November 2004
    pheezer wrote:
    Deusfaux wrote:
    alpha when you said in that other thread that you won't be adding new features..

    ... did you mean until after the "january" upgrade? or ever?
    After the January upgrade.

    I think what Deusfaux is trying to say is that he doesn't understand the difference between "new features" and "security patches".

    I think I meant exactly what I asked, dumbshit:
    Älphämönkëy wrote:
    Besides, the forum code is "semi frozen," meaning I won't be adding new features, only bug fixes.

    So I asked if that held for just until after the Jan upgrade or ever, or when. Alpha answered it in exactly the way it was asked. Don't know why you felt you needed to get involved. Don't pretend "to be nice".

  • Älphämönkëy Registered User regular
    edited November 2004
    Orthanc wrote:
    Fallout wrote:
    What kind of things does this keep people from doing?

    I don't know what an injection attack is unless we're talking like implanting alien eggs in the site or something

    Injection attacks in the general sense mean that you are able to "inject" some code somewhere you shouldn't.

    A classic example would be if someone doesn't check a username properly before putting it into the database. This can then allow someone to change the query to change the database, such as by giving them admin rights.

    Injection attacks can happen anywhere you use a user-supplied string in a way that it can be executed. SQL injections (like the one described above) are probably the most common, but in some situations it's also possible to have insertion attacks that affect HTML or even have code executed on the command line.
    Actually, the highlighting one was a code execution vulnerability, at least as far as I understand it. And Orthanc described it better than I could have.

  • Älphämönkëy Registered User regular
    edited November 2004
    Deusfaux wrote:
    I think I meant exactly what I asked, dumbshit:
    That's enough of that. If you and Pheezer have something you need to take care of, please do it privately.

  • Deusfaux Registered User regular
    edited November 2004
    Älphämönkëy wrote:
    Deusfaux wrote:
    I think I meant exactly what I asked, dumbshit:
    That's enough of that. If you and Pheezer have something you need to take care of, please do it privately.

    sorry, that was built up from reading snide comment after comment aimed at myself from him, here in Monkey Den. i will go back to ignoring them, and hope he gives it up.

    looking forward to january and thereafter though :^:

  • Paladin Registered User regular
    edited November 2004
    This doesn't have anything to do with that Font Size/Font Color highlighting bug, does it?

  • Älphämönkëy Registered User regular
    edited November 2004
    Paladin wrote:
    This doesn't have anything to do with that Font Size/Font Color highlighting bug, does it?
    No, it has to do with searching.

  • Paladin Registered User regular
    edited November 2004
    Älphämönkëy wrote:
    Paladin wrote:
    This doesn't have anything to do with that Font Size/Font Color highlighting bug, does it?
    No, it has to do with searching.
    I really miss the bug forum :(((((

  • Fallout GIRL'S DAY WAS PRETTY GOOD WHILE THEY LASTED Registered User regular
    edited November 2004
    Thanks for the explanation, Orthanc :^: