http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
i have personally tried to hack into my own server and it taken 5 mins to own myself.
So I highly recommend ALL hosting provider to check theirselves against this.
A easy way of doing it will be first updatedb
then locate viewtopic.php and then do a manual patching.
----------------
Sam Tam
Indeed, I've been testing it too.. however if you don't allow access to exec, system, passthru, or backticks etc it'll obviously take some of the immediate damage away. (Bar the avatar exploit, and uid one).
Chris
Christopher Marks
chris@reflex.net.uk
Reflex Internet
Company No. 05527976
Any views expressed are my own, and not those of my company.
Err your still testing a 6 month old bug?
Chris Burton Othello Technology Systems Ltd AS29527 Company#03894981 VAT#GB-782561410 Tel:0871 277 6875
consultancy domains email forwarding resellers ecommerce colo rackspace ip transit secondary mx/dns dedicated servers backup/DR
* OthelloHosts.net Linux and Windows High-Availability Professional Email / Web / Secure Hosting
* OthelloVPS.net Managed Xen Enterprise Virtual Private Servers and Dedicated Servers
# Currently buying web hosts and domain resellers - www.hostacquisitions.co.uk
Views expressed in this post are my own and not Othello Technology Systems Ltd.
When asked to, yes
Christopher Marks
chris@reflex.net.uk
Reflex Internet
Company No. 05527976
Any views expressed are my own, and not those of my company.
Hasn't this been patched, in the last 3 releases of phpBB?
James Windsor // Chocks Away!
(url-removed: need 20 posts)
I believe it has been patched. You can join phpbb mailing list for the lates updates.
http://www.phpbb.com/support/
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote