phpBB Styles

[venky7]

Folks... please forgive me for asking what might be construed as a dumb question

I help to run a forum that runs on phpBB 2.0.4. But we have made many many changes to it over the years and are reluctant to migrate and reinvent the wheel as far as our changes are concerned. Yes, i know, we deserve to be shot.

Anyway, a question regarding the exploits mentioned at viewtopic.php?t=1904 and viewtopic.php?p=10173

A simple alternative would be to disable the set and get cookies in includes/sessions.php . Of course, this would also mean that the "automatic login" which depends on the cookies will not work, but otherwise this is pretty foolproof as far as the unserialize exploit is concerned, isn't it?

Please correct me if i am wrong.

Thanks and regards


Venky

[UseLess]

Greetings,

If your using version 2.0.4 of phpBB then you have more to worry about than the problem you mention. Someone could make themselves an admin and remove all other admins/mods, they could delete the database or parts of it etc etc etc

You should apply the code changes to the phpBB files, the code changes can be got here: http://www.phpbb.com/phpBB/catdb.php?cat=48 although I don't see the code changes for 2.0.4 to 2.0.5

[venky7]

[quote user="UseLess" post="85955"]Greetings,

If your using version 2.0.4 of phpBB then you have more to worry about than the problem you mention. Someone could make themselves an admin and remove all other admins/mods, they could delete the database or parts of it etc etc etc

You should apply the code changes to the phpBB files, the code changes can be got here: http://www.phpbb.com/phpBB/catdb.php?cat=48 although I don't see the code changes for 2.0.4 to 2.0.5[/quote]

Thank you Useless (nice username, although it is somewhat of an oxymoron, going by your past posts/replies )

Ideas on how someone could make themselves as admin could help so that i could try to fix the unserialize or other possible exploits.

Regards

Venky

[UseLess]

Greetings,

You'd need to look at the code changes as some of the exploits were not fixed until later versions of phpBB. But basically anything got from a form or to be placed in the db needs to be sanitised before it's placed or used where it's intended to be.

This should help... http://www.phpbb.com/phpBB/viewtopic.php?t=218443

And the code changes will allow you to update phpBB as the changes contain instructions for the updates for modified forums. The only downside is your going to have to go through;

- 2.0.4 to 2.0.5
- 2.0.5 to 2.0.6
- 2.0.6 to 2.0.7
- 2.0.7 to 2.0.8

etc until you get to;

- 2.0.21 to 2.0.22

If you do decide to go this route then don't forget to run, if applicable, the file 'install/update_to_latest.php' to update the db schema and the phpBB version number.

The other choice you have is to start with a fresh install of 2.0.22 and then install all the mods you have on your current forum, you could also take the oppourtunity to use later/updated versions of the mods.

But either way you need to be using phpBB 2.0.22 at least.

[Synaptic Anarchy]

[quote user="UseLess" post="85959"]
The other choice you have is to start with a fresh install of 2.0.22 and then install all the mods you have on your current forum, you could also take the oppourtunity to use later/updated versions of the mods.[/quote]

No matter how many MODs you have, it will be easier and safer to simply install a fresh phpBB 2.0.22 and re-installyour mods on it.

Being on 2.0.4 is inexcusable, not because "oh, look at the newbie, he's not up-to-date!" but because you've left yourself open to exploits that any newbie could figure out based on the update changes.

Remember, the updates are like clear signs to some people, for how to "hack" your site. Just get the new version up.