Must for webmasters: security exploit.
Posted: Sat Apr 02, 2005 12:55 pm
by avanluxxia
One week after launch, a joke/fun forum site,
http://www.alienfake.com/index.php, has been badly defaced.
Posted: Sat Apr 02, 2005 1:21 pm
by Gambit37
Moved to the relevant forum.
We have a later version of phpBB which (may) overcome this exploit. Don't worry!
Posted: Mon Apr 04, 2005 8:21 pm
by Florent
Well, as I said before, it seems that even 2.0.13 has a hole, as proven by the hacking of the French phpBB support forum,
http://www.phpbb-fr.com. See
http://forums.phpbb-fr.com/viewtopic_67346.html for details.
Posted: Mon Apr 04, 2005 9:09 pm
by Gambit37
Care to translate? I speak about five French words.
Posted: Mon Apr 04, 2005 9:18 pm
by Florent
Well, it's really just technical details about how their database was only partially restored, etc.
The main thing is, they are saying that there is a hole in 2.0.13, and they are offering the following fix:
#
#-----[ OPEN ]-----
#
includes/sessions.php
#
#-----[ FIND ]-----
# Line 93
$userdata['user_id'] = ANONYMOUS;
#
#-----[ ADD AFTER ] -----
#
$userdata['user_level'] = USER;
#
#-----[ FIND ]-----
# Line 101
$userdata['user_id'] = ANONYMOUS;
#
#-----[ ADD AFTER ] -----
#
$userdata['user_level'] = USER;
#-----[ END ]----
I find it weird that phpBB hasn't officially addressed this yet.
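Added illustration, not code from the thread or from phpBB: the MOD above inserts one line after each place in includes/sessions.php where the code falls back to the guest account, and the snippet below shows mechanically what that line changes. The thread does not say what the actual 2.0.13 hole is, so this only demonstrates the effect of the patch: once user_id is reset to ANONYMOUS, user_level is forced to USER instead of being left at whatever the $userdata array held before. The constant values and the assumption that callers gate admin pages on user_level follow phpBB 2 as I recall it and are assumptions of this example, not facts taken from the post.

```php
<?php
// Added example, not phpBB's own code. Constant values follow phpBB 2's
// includes/constants.php as I recall them; treat them as an assumption.
define('ANONYMOUS', -1);
define('USER', 0);
define('ADMIN', 1);

// Mimics the two fall-back points in sessions.php (the "Line 93" and
// "Line 101" FIND targets of the posted MOD). $patched selects whether the
// extra line from the fix is applied after the existing user_id reset.
function fall_back_to_anonymous(array $userdata, bool $patched): array
{
    $userdata['user_id'] = ANONYMOUS;        // the existing line
    if ($patched) {
        $userdata['user_level'] = USER;      // the line the MOD adds after it
    }
    return $userdata;
}

// Assumption of this example: the admin pages decide on user_level rather
// than user_id, as phpBB 2's admin/pagestart.php does.
function is_admin(array $userdata): bool
{
    return isset($userdata['user_level'])
        && (int) $userdata['user_level'] === ADMIN;
}

// Constructed sample: a $userdata array that was filled from a real user row
// (so it carries user_level = ADMIN) before the session code decided to treat
// the request as a guest and reset user_id.
$stale = ['user_id' => 2, 'username' => 'admin', 'user_level' => ADMIN];

$unpatched = fall_back_to_anonymous($stale, false);
$patched   = fall_back_to_anonymous($stale, true);

printf("unpatched: user_id=%d user_level=%d is_admin=%s\n",
    $unpatched['user_id'], $unpatched['user_level'],
    var_export(is_admin($unpatched), true));
printf("patched:   user_id=%d user_level=%d is_admin=%s\n",
    $patched['user_id'], $patched['user_level'],
    var_export(is_admin($patched), true));
```

Run with `php` on the command line. The unpatched path leaves the guest session carrying user_level = ADMIN from the stale row, so is_admin() still returns true; the patched path pins user_level to USER whenever user_id becomes ANONYMOUS. That is all the posted MOD guarantees; whether a real 2.0.13 request can reach that state with a stale user_level is exactly the question Gambit37 raises, and the thread does not answer it.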
Posted: Mon Apr 04, 2005 9:37 pm
by Gambit37
Thanks, but I'd like to know what the hole is that this is supposed to fix! I'm not going to arbitrarily stick some code into our forum software if I don't know what it does.
Posted: Mon Apr 04, 2005 11:53 pm
by Florent
I can understand that, for sure!
Posted: Tue Apr 05, 2005 4:59 am
by cowsmanaut
I'm guessing, from the code presented to FIX it, that anonymous users logging in are being seen as admin? Or can be made to appear as admin, as the user setting is not set by default?
moo
Edit:
Just read through it... sounds like he's saying someone got root access to their server and wreaked havoc, then corrupted their database from there on. Not sure how phpBB could give someone access to the webserver...
