Must for webmaster:security exploit.

[avanluxxia]

One week launch, a joke fun forum site http://www.alienfake.com/index.php has been badly defaced.

[Gambit37]

Moved to the relevant forum.

We have a later version of phpBB which (may) overcome this exploit. Don't worry!

[Florent]

Well as I said before, it seems that even 2.0.13 has a hole, as proven by the hacking of the French phpBB support forum http://www.phpbb-fr.com. See http://forums.phpbb-fr.com/viewtopic_67346.html for details.

[Gambit37]

Care to translate? I speak about five French words.

[Florent]

Well it's really just technical details about how their database was only partially restored etc.

Main thing is, they are saying that there is a hole in 2.0.13, and they are offering the following fix :

Code: Select all

#
#-----[ OPEN ]-----
#
includes/sessions.php

#
#-----[ FIND ]-----
# Line 93
     $userdata['user_id'] = ANONYMOUS;

#
#-----[ ADD AFTER ] -----
#
     $userdata['user_level'] = USER;

#
#-----[ FIND ]-----
# Ligne 101
     $userdata['user_id'] = ANONYMOUS;

#
#-----[ ADD AFTER ] -----
#
     $userdata['user_level'] = USER;

#-----[ END ]----

I find it weird that phpBB hasn't officially adressed this yet.

[Gambit37]

Thanks, but I'd like to know what the hole is that this is supposed to fix! I'm not going to arbitrarily stick some code into our forum software if I don't know what it does.

[Florent]

I can understand that for sure !

[cowsmanaut]

I'm guessing from the code presented to FIX it .. that anonymous users logging in are being seen as admin? or can be made to appear as admin as the user setting is not set by default?

moo

Edit:

just read through it.. sounds like he's saying someone got root access to their server and wreaked havoc. Then corrupted their database from there on.. Not sure how PHPBB could give someone access to the webserver..