TotalChoice Hosting Family Forums > Phpbb Vulnerability (versions Older Than 2.0.11)

Full Version: Phpbb Vulnerability (versions Older Than 2.0.11)

TotalChoice Hosting Family Forums > TotalChoice Hosting General Support > Security Discussions

TCH-MikeJ

Nov 30 2004, 03:07 PM

A vulnerability was discovered recently in phpBB versions prior to 2.0.11.

QUOTE

Description
===========

phpBB contains a vulnerability in the highlighting code and several
vulnerabilities in the username handling code.

Impact
======

An attacker can exploit the highlighting vulnerability to access the
PHP exec() function without restriction, allowing them to run arbitrary
commands with the rights of the web server user (for example the apache
user). Furthermore, the username handling vulnerability might be abused
to execute SQL statements on the phpBB database.

2.0.11 is now available in your cPanel and you should be able to upgrade to it via the cPanel upgrade option. If you use phpBB, you should upgrade to 2.0.11. If you have phpBB installed but are not using it, please consider uninstalling it.

Note: If you find that 2.0.11 is not available in your cPanel, please send in a support ticket.

KungFòóFairy

Nov 30 2004, 04:44 PM

My site resides on Server #86 and I don't have the option to upgrade to 2.0.11 yet; it still has the old 2.0.10 upgrade option only.

I suppose I could just download the binary from phpbb.com and manually upgrade it, but I'm just so darn lazy...

Head Guru

Nov 30 2004, 04:47 PM

Drop a ticket into support and ask that the box be upgraded and if you like reference this thread

Bill

TCH-Bruce

Nov 30 2004, 07:06 PM

Before you upgrade please backup your logo image if you changed it and your overall_header.tpl file if you modified it. And any other .tpl files you may have changed.

Then after upgrading put those files back to their proper locations.

curtis

Nov 30 2004, 09:32 PM

I probably need to open a help ticket for this but thought I would ask here first.

When I go to the phpbb page in c-panel to upgrade the box next to *upgrade an existing installation* is empty.
I tried adding the user and pass info and directory name where phpbb is installed then clicked on the upgrade button I get apage that says *Sorry, you must specifty a directory to install or upgrade*
I am using v.2.0.6 installed thru c-panel.

Suggestions?

TCH-Don

Nov 30 2004, 10:53 PM

Maybe a help ticket is worth the try to see if they know a way to get cpanel to see your current install.

One other option might be the changed files only
after a backup of mods of course.

curtis

Nov 30 2004, 11:57 PM

Its no problem. Just thought about upgrading from c-panel.

I went to phpbb site, downloaded the upgrade and replaced the changed files. I'll only have to re-install 2 or 3 Mods

Thanks Don

thehemi

Dec 8 2004, 04:04 PM

I highly suggest using the "password protect a directory"
function on the /forums/admin/ directory. Thus you add
another layer of security in case someone's able to hack
"admin rights" somehow. To admin the forums you need
phpBB admin rights AND the user/pass that you setup in
the Cpanel. You can never be too safe. I just did it now
for all of my phpBB sites. No idea why I never thought to
go ahead and do it to them in the past.

Pony99CA

Feb 14 2005, 05:59 AM

I patched the remote execution vulnerability when I read about this problem (likely on C|Net) last year. However, I had not upgraded to phpBB 2.0.11 (it didn't seem to be available on my server, if I recall).

Last Friday (2/11), I got an E-mail telling me I was running an insecure version of phpBB. I just now (2/14 2:45 AM PST or so) upgraded to 2.0.11. However, I have three questions.

First, why did it take so long to get this E-mail? This thread was started back in November, so it took over two months to get warned.

Second, the message said if I didn't upgrade within 24 hours, my forum would be disabled. I didn't notice the E-mail until 24 hours were up (my laptop died Friday, so I was worrying about that). Did my forum get disabled? It seemed to be working just before I upgraded, so I'm wondering if that "24 hours" was just a minimum or if it was actually referring to one business day (which would be appropriate for a note sent on a Friday).

Finally, I seemed to be getting some errors regarding phpBB and MySQL. Here they are:

QUOTE

[Mon Feb 14 05:34:26 2005][error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:26 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 05:34:00 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:34:00 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:34:00 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 05:21:09 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 05:21:09 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 05:21:09 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:11 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 04:31:11 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 04:31:11 2005] [error] PHP Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111) in /home/pocketpc/public_html/forum/db/mysql4.php on line 48
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 331
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/pocketpc/public_html/forum/db/mysql4.php on line 330
[Mon Feb 14 04:31:05 2005] [error] PHP Warning: mysql_connect(): Lost connection to MySQL server during query in /home/pocketpc/public_html/forum/db/mysql4.php on line 48

Are those indications that my forum was disabled, was somebody trying to hack my forum or is there some other explanation?

The forum is still working for me after the upgrade, but would somebody verify that other users can see it? It's at http://forum.svpocketpc.com if you'd care to check it.

Thanks,
Steve

TCH-Thomas

Feb 14 2005, 07:36 AM

I can´t answer the other questions but this one...
I can see your forum and it says 2.0.11, so I guess you are safe.

TCH-Bruce

Feb 14 2005, 08:32 AM

Hi Steve, I can see your forum fine and it is updated.

You didn't receive the email before you did because it was only sent last week.

The security bulletin was posted on the forums in November. Some people upgraded when it was posted. phpBB boards came under attack to this vulnerability early last week. TCH made a decision to send the email and start disabling the non-secure phpBB forums to protect the servers if updates were not applied.

Don't know what the error messages mean. Are you still getting them?

Prel

Feb 17 2005, 10:01 PM

Hi,

In PHPNuke 7.6 the PHPBB is 2.0.10

As I make upgrade ?

Thank´s

TCH-MikeJ

Feb 18 2005, 02:19 AM

QUOTE(paulo @ Feb 17 2005, 09:01 PM)

Hi,

In PHPNuke 7.6 the PHPBB is 2.0.10

As I make upgrade ?

I'm not an expert on PHP-Nuke, but a quick search shows a BBtoNuke 2.0.11 download at nukeresources.com and some instruction on how to do the upgrade.

Prel

Mar 3 2005, 07:51 PM

Hello Mike,

I´m have success in upgrade phpBB 2.0.10 for phpBB 2.0.11 .

Now, alll my sites in PHPnuke now Powered by phpBB 2.0.11 © 2001 phpBB Group

It was easy..

Thank´s for you attencion.

TCH-Bruce

Mar 3 2005, 08:11 PM

Paulo, there have been two more patches released since this. The latest version is 2.0.13.

Check here (2.0.12) and here (2.0.13) for more info.

erisande

Apr 3 2005, 10:01 AM

QUOTE(TCH-Bruce @ Mar 3 2005, 07:11 PM)

Paulo, there have been two more patches released since this. The latest version is 2.0.13.

Check here (2.0.12) and here (2.0.13) for more info.

Should we manually upgrade to this new version, or is TCH going to spooprt the upgrade through the control panel?

TCH-Bruce

Apr 3 2005, 10:08 AM

Yes you will have to upgrade manually. TCH does not control when cPanel will add the latest patch.

erisande

Apr 3 2005, 01:18 PM

QUOTE(TCH-Bruce @ Apr 3 2005, 09:08 AM)

Yes you will have to upgrade manually. TCH does not control when cPanel will add the latest patch.

Thanks for the quick response! I will look into it and see how to upgrade.

tomowa

Apr 3 2005, 02:59 PM

Hi erisande,

We had a bit of disscusion about upgrade to .13 here, if it is any help to you http://www.totalchoicehosting.com/forums/i...81&#entry122781

HTH, Tom

erisande

Apr 4 2005, 12:31 AM

Looking into it, thanks!

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.