
Bug 97278

Summary: www-apps/phpBB: 2.0.16 fixes security issue
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Other
URL: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011
Whiteboard: B1 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-28 01:16:31 UTC
phpBB Group announces the release of phpBB 2.0.16. This release addresses some bugfixes and one critical security issue. To fix this, please apply the following change: 
In viewtopic.php

Find:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', $highlight_match) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

Replace with:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

__

What has changed in this release?

The changelog (contained within this release) is as follows:


    * Fixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
    * URL descriptions able to be wrapped over more than one line again
    * Fixed bug with eAccelerator in admin_ug_auth.php
    * Check new_forum_id for existence in modcp.php - alessnet
    * Prevent uploading avatars with no dimensions - Xpert
    * Fixed bug in usercp_register.php, forcing avatar file removal without updating avatar information within the database - HenkPoley
    * Fixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set

______

web-apps, pls bump
comments on a possible impact are also welcome :-)
Comment 1 NightTwix 2005-06-29 06:15:27 UTC
(In reply to comment #0)

> web-apps, pls bump
> comments on a possible impact are also welcome :-)

looks serious:

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-06/0261.html

"Description:
Due to a bug in the phpBB highlighting code it's possible to inject PHP-code into the running script. E.g. it's possible to run system commands if the PHP interpreter allows system() and similar functions. This is actually based on an old bug which was improperly fixed in phpBB 2.0.11."
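Added example, not phpBB's code or the patch quoted in the description: the same viewtopic.php highlighting step written with preg_replace_callback, which drops the /e modifier altogether instead of escaping what gets interpolated into it (the root cause of the injection described in the bugtraq post above). It assumes highlight terms arrive as a whitespace-separated list and that $theme['fontcolor3'] holds a hex colour.

```php
<?php
// Added example (not phpBB's code). The outer pattern is the one from the fix;
// the inner replacement runs in a callback, so the highlight words are data and
// are never part of a PHP expression string that gets evaluated.

function build_highlight_regex(string $highlight): ?string
{
    // Assumption: terms come as a whitespace-separated list, like ?highlight=.
    // preg_quote() makes every term literal inside the word-boundary pattern.
    $terms = preg_split('/\s+/', trim($highlight), -1, PREG_SPLIT_NO_EMPTY);
    if ($terms === []) {
        return null;
    }
    $quoted = array_map(fn(string $t): string => preg_quote($t, '#'), $terms);
    return '#\b(' . implode('|', $quoted) . ')\b#i';
}

function highlight_message(string $message, string $highlight, array $theme): string
{
    $word_re = build_highlight_regex($highlight);
    if ($word_re === null) {
        return $message;
    }
    // Only hex digits may reach the inline style attribute.
    $color = preg_replace('/[^0-9A-Fa-f]/', '', $theme['fontcolor3'] ?? '000000');
    $open  = '<span style="color:#' . $color . '"><b>';
    $close = '</b></span>';

    // Same recursive pattern as the original, minus /e: it matches each run of
    // text between tags, so tag names and attribute values are left alone.
    $between_tags = '#(\>(((?>([^><]+|(?R)))*)\<))#s';
    $result = preg_replace_callback(
        $between_tags,
        function (array $m) use ($word_re, $open, $close): string {
            // $m[0] is an ordinary string; "$1" is a plain backreference.
            return preg_replace($word_re, $open . '$1' . $close, $m[0]);
        },
        '>' . $message . '<'
    );
    if ($result === null) {
        return $message; // PCRE error (e.g. backtrack limit): leave text unhighlighted
    }
    // Strip the sentinel '>' and '<' wrapped around the message. The original's
    // str_replace('\"', '"') only undid the quoting that /e applied to $0.
    return substr($result, 1, -1);
}

// Constructed sample input: "world" inside the href must not be touched.
$theme = ['fontcolor3' => 'FF0000'];
echo highlight_message('Hello <a href="world.html">world</a>, world!', 'world', $theme), "\n";
```

PHP 5.5 deprecated the /e modifier and PHP 7.0 removed it, so on current PHP the original line emits a warning and returns NULL instead of evaluating anything, which is a useful check when auditing old forum code.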
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 05:28:58 UTC
Exploit is out. Please bump!
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2005-06-30 06:10:10 UTC
Bumped.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 06:58:49 UTC
ppc: please test and mark stable asap
Comment 5 Lars Weiler (RETIRED) gentoo-dev 2005-06-30 10:32:46 UTC
Instead of stable keywording, can we just drop ppc from all phpbb-versions and
set it ~ppc?  I guess, there is no user who runs phpbb on ppc.  And we are sick
of testing this app with every security hole (and it seems phpbb is written as a
large security hole...).
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 10:58:43 UTC
An alternative solution would be to security.mask it because it's a continuing
pain in the ass. After all, it's a stable security hole.

In all cases we should issue a GLSA for this fix, and to warn people that we
won't issue more for phpBB, that is now security.masked.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 11:03:01 UTC
I would add to the GLSA something like:

"Due to continuing security problems, phpBB has been masked in the Portage
repository and no further announcement will be made on phpBB security fixes.
phpBB users that knowingly want to continue to use the phpBB Gentoo package
should add the package name to package.unmask and are advised to follow phpBB
security advisories directly from www.phpbb.com."
Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-06-30 11:29:42 UTC
phpBB has been masked due to its constant security issues.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 09:56:21 UTC
I guess this is ready for GLSA.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-04 06:46:56 UTC
This is GLSA 200507-03,

thanks everyone.