Must for webmaster:security exploit.
- Neophyte
- Posts: 1
- Joined: Fri Apr 01, 2005 7:28 am
- Location: United Kingdom
One week after launch, a joke fun forum site http://www.alienfake.com/index.php has been badly defaced.
Well as I said before, it seems that even 2.0.13 has a hole, as proven by the hacking of the French phpBB support forum http://www.phpbb-fr.com. See http://forums.phpbb-fr.com/viewtopic_67346.html for details.
Well it's really just technical details about how their database was only partially restored etc.
I find it weird that phpBB hasn't officially addressed this yet.
Main thing is, they are saying that there is a hole in 2.0.13, and they are offering the following fix:
Code:
#
#-----[ OPEN ]-----
#
includes/sessions.php
#
#-----[ FIND ]-----
# Line 93
$userdata['user_id'] = ANONYMOUS;
#
#-----[ ADD AFTER ]-----
#
$userdata['user_level'] = USER;
#
#-----[ FIND ]-----
# Line 101
$userdata['user_id'] = ANONYMOUS;
#
#-----[ ADD AFTER ]-----
#
$userdata['user_level'] = USER;
#-----[ END ]-----
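Added illustration, not code from phpBB or from anyone in this thread: it shows the general point behind the fix quoted above, namely that a fallback to an anonymous session which resets user_id but leaves user_level untouched keeps whatever privilege level was previously sitting in the array, so a later check that only looks at user_level still passes. The constant values, the shape of the $userdata array and the function names are assumptions chosen for the example; the thread does not state that this is exactly how 2.0.13 behaves.

```php
<?php
// Example only (not phpBB code). Constants and array layout are assumptions.
define('ANONYMOUS', -1);
define('USER', 0);
define('ADMIN', 1);

// Fallback as it would look if only the identity is reset: the privilege
// level carried in the array survives the reset.
function anonymous_fallback_unsafe(array $userdata): array
{
    $userdata['user_id'] = ANONYMOUS;
    return $userdata;
}

// Fallback that resets identity and privilege level together, which is what
// the added $userdata['user_level'] = USER; line in the fix does.
function anonymous_fallback_safe(array $userdata): array
{
    $userdata['user_id'] = ANONYMOUS;
    $userdata['user_level'] = USER;
    return $userdata;
}

// Naive check: trusts user_level alone. This is the kind of check that the
// unsafe fallback leaves exposed.
function is_admin_naive(array $userdata): bool
{
    return ($userdata['user_level'] ?? USER) === ADMIN;
}

// Fail-closed check: an anonymous id is never admin, and a missing or
// malformed user_level is treated as the lowest level rather than guessed.
function is_admin_fail_closed(array $userdata): bool
{
    if (!isset($userdata['user_id']) || (int) $userdata['user_id'] === ANONYMOUS) {
        return false;
    }
    if (!isset($userdata['user_level']) || !is_int($userdata['user_level'])) {
        return false;
    }
    return $userdata['user_level'] === ADMIN;
}

// Constructed sample: a record that still carries an admin level when the
// session lookup fails and the code falls back to anonymous.
$stale = ['user_id' => 2, 'user_level' => ADMIN];

$unsafe = anonymous_fallback_unsafe($stale);
$safe   = anonymous_fallback_safe($stale);

printf("naive check, unsafe fallback:      %s\n", is_admin_naive($unsafe) ? 'admin' : 'not admin');
printf("naive check, safe fallback:        %s\n", is_admin_naive($safe) ? 'admin' : 'not admin');
printf("fail-closed check, unsafe fallback: %s\n", is_admin_fail_closed($unsafe) ? 'admin' : 'not admin');
```

Run with the PHP CLI. With the unsafe fallback the naive check still reports the anonymous session as admin, because user_level was never touched; the safe fallback clears it, and the fail-closed check refuses anonymous ids regardless of what user_level says. Both halves of the fix matter: resetting the privilege level at the point of fallback, and writing authorisation checks so that a missing or stale field cannot grant anything.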
- cowsmanaut
- Moo Master
- Posts: 4378
- Joined: Fri Jun 30, 2000 12:53 am
- Location: canada
I'm guessing from the code presented to FIX it .. that anonymous users logging in are being seen as admin? or can be made to appear as admin as the user setting is not set by default?
moo
Edit:
just read through it.. sounds like he's saying someone got root access to their server and wreaked havoc. Then corrupted their database from there on.. Not sure how PHPBB could give someone access to the webserver..