here's the original posting from bugtraq:
"SQL Injection, allowing people to manipulate the query into pulling data they should not previously be able to obtain. (Such as passwords)
Arbitrary EXEC allows you, if you can get on to a new line, to execute your own PHP, which can be fatal."
That's the response of the phpBB team on their message board:
Steps to Reproduce:
Should we issue the GLSA as a critical fix as-is? Or wait for upstream?
We have a simple workaround and no ETA of a fixed version with new features, so we could issue a temp GLSA.
The exact nature of the vulnerability is not currently known:
- howdark posts confusing SQL injection + PHP exec claims in the highlighting code
- phpBB denies it can be exploited
- phpBB receives more information from an unnamed third party
- phpBB posts a fix without telling what the real impact is. Obviously there is some SQL injection possible, but PHP exec is not confirmed... afaict
I don't think we should rush that out without more information. Maybe a forum post is better than a GLSA in absence of more information.
2.0.11 is out, critical fix in
web-apps, please package this asap :)
*** Bug 71814 has been marked as a duplicate of this bug. ***
Ccing tigger for a fix
.11 is now in portage ~*
ppc, please mark .11 stable :)
ppc please test and mark stable ASAP
Following post of the exploit, impact is much more clear. This is a remote exec alright, and it's quite easy to use.
This should really be sent ASAP. If ppc cannot mark stable, I think we'll issue the GLSA without waiting.
kurt seems to have added it to cvs...
we didn't do additional tests as we assume kurt did them(?)
Conclusion: stable on ppc, responsible = kurt lieber
Is it really fixed?!
Three flaws can be exploited:
- The highlight flaw (fixed in PHPBB 2.0.11) [ Santy.Worm ]
- The unserialize flaw (fixed in PHP 4.3.10) [ no worm yet ? ]
- Programming errors in your own PHP scripts (heh... no fix) [ PhpInclude.Worm ]
People with PHPBB 2.0.11 can still get infected by the other two.