phpBB Group announces the release of phpBB 2.0.16. This release addresses some bugfixes and one critical security issue. To fix this, please apply the following change:

In viewtopic.php

Find:

Code:
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', $highlight_match) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Replace with:

Code:
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

What has changed in this release? The changelog (contained within this release) is as follows:

* Fixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
* Url descriptions able to be wrapped over more than one line again
* Fixed bug with eAccelerator in admin_ug_auth.php
* Check new_forum_id for existence in modcp.php - alessnet
* Prevent uploading avatars with no dimensions - Xpert
* Fixed bug in usercp_register.php, forcing avatar file removal without updating avatar informations within the database - HenkPoley
* Fixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set

web-apps, pls bump
comments on a possible impact are also welcome :-)
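The one-line fix above only escapes quotes in $highlight_match before it is pasted into the replacement string that the /e modifier hands to eval(). The safer shape, shown here as an added example that is not phpBB's own code, is the same highlighting done with preg_replace_callback(): the search words are passed to a closure as a value, never spliced into PHP source, and preg_quote() keeps them inert inside the regex. Function and parameter names are hypothetical; the outer tag-skipping pattern is the one from viewtopic.php.

```php
<?php
// Added example, not phpBB code. Highlights search words in message text
// without the /e modifier, so a quote or backslash in the user-supplied
// words can only ever be data. Names below are hypothetical.

function highlight_message($message, $highlight_words, $fontcolor)
{
    // Build the alternation; preg_quote() neutralises regex metacharacters.
    // A literal '*' is re-enabled as a wildcard, as phpBB's search allows.
    $parts = array();
    foreach (preg_split('/\s+/', trim($highlight_words)) as $word) {
        if ($word !== '') {
            $parts[] = str_replace('\*', '\w*', preg_quote($word, '#'));
        }
    }
    if (!$parts) {
        return $message;
    }
    $word_re = '#\b(' . implode('|', $parts) . ')\b#i';
    $span = '<span style="color:#' . htmlspecialchars($fontcolor, ENT_QUOTES) . '"><b>';

    // Outer pattern (from viewtopic.php) matches text between tags, so
    // attributes are never rewritten. The inner replacement is a closure,
    // not a string of PHP code built from the request.
    return substr(preg_replace_callback(
        '#(\>(((?>([^><]+|(?R)))*)\<))#s',
        function ($m) use ($word_re, $span) {
            return preg_replace($word_re, $span . '\\1</b></span>', $m[0]);
        },
        '>' . $message . '<'
    ), 1, -1);
}

// Constructed sample: the quote inside "O'Reilly" is matched as literal text.
echo highlight_message("<p>Hello world, O'Reilly said</p>", "world O'Reilly", 'FF0000'), "\n";
```

Closures require PHP 5.3 or later; the /e modifier used by the original line was removed in PHP 7, so an install that still carries it will not run there at all.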
(In reply to comment #0)
> web-apps, pls bump
> comments on a possible impact are also welcome :-)

looks serious: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-06/0261.html

"Description: Due to a bug in the phpBB highlighting code it's possible to inject PHP code into the running script. E.g. It's possible to run system commands if the PHP interpreter allows system() and similar functions. This is actually based on an old bug which was improperly fixed in phpBB 2.0.11."
Exploit is out. Please bump!
Bumped.
ppc: please test and mark stable asap
Instead of stable keywording, can we just drop ppc from all phpbb-versions and set it ~ppc? I guess there is no user who runs phpBB on ppc. And we are sick of testing this app with every security hole (and it seems phpBB is written as a large security hole...).
An alternative solution would be to security.mask it because it's a continuing pain in the ass. After all, it's a stable security hole. In all cases we should issue a GLSA for this fix, and to warn people that we won't issue more for phpBB, that is now security.masked.
I would add to the GLSA something like: "Due to continuing security problems, phpBB has been masked in the Portage repository and no further announcement will be made on phpBB security fixes. phpBB users that knowingly want to continue to use the phpBB Gentoo package should add the package name to package.unmask and are advised to follow phpBB security advisories directly from www.phpbb.com."
phpBB has been masked due to its constant security issues.
I guess this is ready for GLSA.
This is GLSA 200507-03, thanks everyone.