phpBB Security Issue

Leo Ghost

Hi everyone,

We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7. Unfortunately, the issue wasn't noticed during testing and only surfaced a week after the release of 3.0.7.

We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise - a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:

- Feeds are enabled
- Any of the posts or topics feeds are enabled
- The unauthorised user - or one of the groups they are a member of - has forum permissions set on a private forum
- If you have excluded a forum from the list of forums that provide feeds, it is unaffected

The fix for the issue is a single-line change inside feed.php; line 525 has changed from:

$forum_ids = array_keys($auth->acl_getf('f_read'));

to:

$forum_ids = array_keys($auth->acl_getf('f_read', true));

There were no other changes, in particular neither style nor language changes.

The original announcement is located at:
http://www.phpbb.com/community/viewtopic.php?f=14&t=

*Installation instructions*

A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file; please be sure to read it. You can find a list of requirements on our Downloads page:
http://www.phpbb.com/support/documents. ... =3#require

*Security*

If you find any security issues please report them to our security tracker:
http://www.phpbb.com/security/

*Available packages*

If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.

Full Package: Full phpBB 3 source code and English language files.

Automatic Update Package: Update package for the automatic updater, contains changes from previous release to this release.

Changed Files Only: Complete files, but only those that were changed since previous releases of phpBB 3. This archive contains changed files for every previous release.

Patch Files: This file contains diffs against the previous phpBB 3 release, which can be applied with the patch utility.

Select the package most suitable for you. We recommend the following methods depending on your situation:

- For new installations you should use the Full Package
- For updates of boards without modifications you can use the Automatic Update Package (guided update) or the Changed Files Only package (manual update).
- For updates of boards with modifications you should use the Automatic Update Package. If you are confident with patch files and patching you can use the Patch Files Package.
- Style Authors and Translators may use the Code Changes Package to update their styles or language packs.
- International Support Teams may use the Patch Package in conjunction with the Code Changes to better support users with problematic conflicts during their update process or to help them update code sections.
- If you are a hoster/provider, you may want to use the Patch Files Package to update all of your client installations.

*Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!*

*Download Locations*

The download is of course available on our downloads page:
http://www.phpbb.com/downloads/

Our release archive provides all packages we build. If you do not find your desired package you can probably find it in the release archive.
http://www.phpbb.com/files/archive/

These are the files with their md5 sums:

phpBB-3.0.7-PL1.zip
md5sum: 1125b615e13a5bb8787afab58a27c627
phpBB-3.0.7-PL1.tar.bz2
md5sum: 67570654462c442c29080007c0af1e1b
phpBB-3.0.7-PL1-patch.zip
md5sum: 44d163c6f945207f666b4b8ecbf179b8
phpBB-3.0.7-PL1-patch.tar.bz2
md5sum: 4d611e1160599835ff48fc6454bf85e0
phpBB-3.0.7-PL1-files.zip
md5sum: 579f5685cc37c69dd6ce023b46ce2593
phpBB-3.0.7-PL1-files.tar.bz2
md5sum: 2779984411598d919a6a1e6adc35894d
phpBB-3.0.7_to_3.0.7-PL1.zip
md5sum: e135fd3b43c17c0bdc69f3fc246e6524
phpBB-3.0.7_to_3.0.7-PL1.tar.bz2
md5sum: 589d21934c14a6517583316659f0225f
phpBB-3.0.6_to_3.0.7-PL1.zip
md5sum: b93e31c7930ace5af89d9804b55d8c66
phpBB-3.0.6_to_3.0.7-PL1.tar.bz2
md5sum: cf9b3a42872be8afcddb42648a390861

*Download & Documentation*

phpBB Downloads - http://www.phpbb.com/downloads/
phpBB Projects page @ ohloh - http://www.ohloh.net/projects/phpbb
phpBB 3 Documentation - http://www.phpbb.com/support/documentation/3.0/
phpBB 3 support forum - http://www.phpbb.com/phpBB/viewforum.php?f=46
phpBB 3 bug tracker - http://www.phpbb.com/bugs/phpbb3/
phpBB Code Forge - http://code.phpbb.com/
phpBB Code Wiki - http://wiki.phpbb.com/

Let this remind us all that every script can have flaws, and that no script or software can ever be 100% secure. It is recommended to update asap.
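The bypass described above comes down to what acl_getf() returns with and without its second ($clean) argument. Without it, every forum where the option is *set* is returned, including forums where it resolves to false (an explicit "never"); with it, only forums where the option resolves to true are returned, so array_keys() of the unclean list leaks denied forums into the feed. The following is an added example and not phpBB's own code: ModelAuth is a hypothetical stand-in that reproduces only that return shape, and the three-forum permission table is constructed for illustration.

```php
<?php
// Added example (not phpBB's code): a minimal model of the return shape of
// phpBB 3.0's auth::acl_getf($opt, $clean), used to show why the missing
// $clean flag in feed.php let denied forums through. ModelAuth and the
// permission table below are constructed for illustration.

class ModelAuth
{
    /** @var array forum_id => array('f_read' => bool); a forum with no entry has nothing set */
    private $acl;

    public function __construct(array $acl)
    {
        $this->acl = $acl;
    }

    // With $clean = false, every forum where $opt is set is returned, whether
    // it resolves to true or false. With $clean = true, only forums where
    // $opt resolves to true are returned.
    public function acl_getf($opt, $clean = false)
    {
        $acl_f = array();
        foreach ($this->acl as $forum_id => $options) {
            if (!isset($options[$opt])) {
                continue; // permission not set for this forum at all
            }
            $allowed = (bool) $options[$opt];
            if (!$clean) {
                $acl_f[$forum_id][$opt] = $allowed;
            } elseif ($allowed) {
                $acl_f[$forum_id][$opt] = true;
            }
        }
        return $acl_f;
    }
}

// Constructed permissions for one user: forum 1 is public (f_read granted),
// forum 2 is private with f_read explicitly set to "never" for this user,
// forum 3 has no permission set at all.
$auth = new ModelAuth(array(
    1 => array('f_read' => true),
    2 => array('f_read' => false),
    3 => array(),
));

// Vulnerable line as shipped in 3.0.7: a denied permission is still a *set*
// permission, so the private forum's id survives array_keys().
$before = array_keys($auth->acl_getf('f_read'));

// Fixed line in 3.0.7-PL1: the clean list only holds forums where f_read is true.
$after = array_keys($auth->acl_getf('f_read', true));

// Regression check: no forum in a feed list may resolve f_read to false.
function feed_forums_all_readable(ModelAuth $auth, array $forum_ids)
{
    $clean = $auth->acl_getf('f_read', true);
    foreach ($forum_ids as $id) {
        if (!isset($clean[$id])) {
            return false;
        }
    }
    return true;
}

printf("3.0.7     feed forums: %s (all readable: %s)\n",
    implode(', ', $before), feed_forums_all_readable($auth, $before) ? 'yes' : 'no');
printf("3.0.7-PL1 feed forums: %s (all readable: %s)\n",
    implode(', ', $after), feed_forums_all_readable($auth, $after) ? 'yes' : 'no');
```

Run it with the php command-line binary. The 3.0.7 call lists forum 2 alongside forum 1 and the readability check fails for it; the PL1 call lists only forum 1. Forum 3 never appears in either list, which is why the announcement's conditions mention a user or group that has permissions *set* on the private forum: a forum with nothing set was never affected.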
 
Gimgak said:
_h_ said:
When has phpbb not had security issues?
When has any script not had security issues?

Helpful post.

It's just like, every time I see someone posting about forum software security issues it's always phpBB. lol
 
It's because it's used a lot 😉

Other software isn't immune from exploits either; I remember a giant exploit in MyBB a while ago that let you access the admin account through cookies. Now that's a pretty big security risk.
 
_h_ said:
It's just like, every time I see someone posting about forum software security issues it's always phpBB. lol

Yeah, maybe phpBB2, but not phpBB3. Have a look at how many security problems there have been in phpBB3, then compare it to some other software and then come to a decision. A lot of people live on the fact that phpBB2 was pretty crap security-wise and think phpBB3 is the same, which it isn't.
 
@Fowler
It would be common hope that with time fewer exploits would be found, and thus far that's proven correct with phpBB3 compared to phpBB2. That's not to say, however, that at some point a series of exploits may not be discovered in phpBB3 rendering it less secure than phpBB2 was. There are a lot of "private" groups out there who know a lot about exploiting. Just because an exploit isn't posted on milw0rm doesn't mean it's not there.

As has been said before, all scripts face exploits and at any time as technology constantly changes, new ones may be discovered.
 
I'd rather hear that something went wrong in a program than hear that everything is perfect. At least you know someone is on top of it.
 
Leo Ghost said:
@Fowler
It would be common hope that with time fewer exploits would be found, and thus far that's proven correct with phpBB3 compared to phpBB2. That's not to say, however, that at some point a series of exploits may not be discovered in phpBB3 rendering it less secure than phpBB2 was. There are a lot of "private" groups out there who know a lot about exploiting. Just because an exploit isn't posted on milw0rm doesn't mean it's not there.

As has been said before, all scripts face exploits and at any time as technology constantly changes, new ones may be discovered.
I never said it will never have, and never had, any security issues, but if you compare the known issues between different software you will see phpBB3 isn't as bad as people claim. Whenever people think of phpBB they always think back to phpBB2 and the Santy worm and think they are still that bad, whereas so far phpBB3 has been nothing like that.
 
Santy worm wasn't phpBB's fault I believe. It was a php problem and also phpBB2 had an update just in time before being attacked from the Santy worm.
 
froggyboy604 said:
Thanks, I'll go update my board to phpBB3 now.
If you have the latest phpBB2 installed, that wouldn't be a problem since it wouldn't be affected by that anyway.

Not to say that the latest (2.0.23?) may not be safe either, would have to check that.
 
phpBB2 is no longer supported and there are no doubt a lot of issues in that. phpBB2 was not built with security in mind, unlike phpBB3.
 
Gimgak said:
froggyboy604 said:
Thanks, I'll go update my board to phpBB3 now.
If you have the latest phpBB2 installed, that wouldn't be a problem since it wouldn't be affected by that anyway.

Not to say that the latest (2.0.23?) may not be safe either, would have to check that.

I plan to update the forum in my signature to phpBB3 someday. But I did update my very inactive forum on my other site, http://johnsonyip.com/phpbb3/, to the latest version of phpBB3.
 