Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)

[Robert Hetzler <mods () xore ca>]

In-Reply-To: <20041118044742.16170.qmail () www securityfocus com>

A fix for this was submitted to phpbb.com yesterday afternoon, and was posted to the site around 7pm PST
http://www.phpbb.com/phpBB/viewtopic.php?p=1319332#1319332

The download for the new vesion can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?t=94055

This problem only affects Cash Mod / phpBB installations on servers running PHP with register_globals set to ON. By 
default, php installations of 4.2 or greater have this set to OFF because of the (now obvious) security implications. 
People should make sure that their register_globals directive is OFF, because there are many other open softwares that 
suffer similar security threats.

The supposed "fix" that the submitter of this bug has provided is amusing, as it was obviously never tested: Swapping 
code around will have "unforseen" implications, like making the phpBB adminCP inaccessible. Congratulations on 
succeeding to create such an effective solution to the problem.

I would like to extend my lack of thanks to the person who posted this here for failing to contact the author (myself) 
regarding this security flaw before posting it (It is my suspicion that the submitter is not the original discoverer of 
the bug), and would like to extend my real thanks to the person who was kind enough to forward this to the phpBB staff 
who contacted me about it.

The problem was fixed within hours of my finding out about it, and was posted to phpBB.com within half a day, half a 
day before this post (as seen below) was submitted here.