Please update your phpBB

For any non-pos posts you wish to post.

Moderators:daleadmin, Alan, Andrew

Chris
Posts:4
Joined:Thu Mar 17, 2005 5:28 pm
Please update your phpBB

Post by Chris » Thu Mar 17, 2005 5:45 pm

There is a serious exploit in all phpBB versions 2.0.11 and under. You NEED to upgrade, you can see that by how the title has been changed.

NOTE: I don't intend to harm your forum, I did that for EXAMPLE ONLY, but there are others who might want to exploit your terribly outdated phpBB, you have been warned.

PS Great forum.

PPS: cmputerman (techhut) did not have ANYTHING to do with this.
Last edited by Chris on Tue Mar 22, 2005 4:33 pm, edited 1 time in total.
I run a Mobile Athlon 64 3000+ in a Desktop PC with 1gb of ram and an 80GB hdd running WinXP x64 Beta

ChrisKraus
Forum Regular
Posts:351
Joined:Wed Dec 31, 2003 11:10 am
Location:Dedham, MA - U.S.A.

Post by ChrisKraus » Fri Mar 18, 2005 3:52 pm

How'd you do that?
- Chris :)
- Chris
Christopher Kraus

cmputerman
Forum Regular
Posts:29
Joined:Fri Jan 30, 2004 6:54 pm
Location:USA!

Post by cmputerman » Fri Mar 18, 2005 4:13 pm

ChrisKraus wrote:How'd you do that?
- Chris :)
He used an exploit that was fixed in phpbb version 2.0.13

All I know is that there is an additional "=" you need to put in, or you can edit a cookie with a string that works with the hack, and voila, instant Admin access.
Hello! Here are the specs for my computer I recently built for myself

AMD Ath64 Processor 2800+ Overclocked to 2.2 GHZ, 80GB HDD, 768MB RAM, Runs Windows and Linux!

Chris-

Post by Chris- » Sun Mar 20, 2005 5:35 pm

phpBB sets a cookie when you login, I can alter the cookie to be able to login as anyone by the user id.

Yes, the exploit is fixed just by adding an = in the right spot.

Guest

Post by Guest » Sun Mar 20, 2005 6:05 pm

I don't think it is updated yet :? That or the version number will not change...

Guest

Post by Guest » Sun Mar 20, 2005 6:07 pm

Guess who? It is me! Cmputerman! Teehee wrote:I don't think it is updated yet :? That or the version number will not change...
That was me....

ChrisKraus
Forum Regular
Posts:351
Joined:Wed Dec 31, 2003 11:10 am
Location:Dedham, MA - U.S.A.

Post by ChrisKraus » Mon Mar 21, 2005 3:45 pm

Chris- wrote:phpBB sets a cookie when you login, I can alter the cookie to be able to login as anyone by the user id.

Yes, the exploit is fixed just by adding an = in the right spot.
How?
- Chris
Christopher Kraus

cmputer_man

Post by cmputer_man » Mon Mar 21, 2005 4:48 pm

ChrisKraus wrote:
Chris- wrote:phpBB sets a cookie when you login, I can alter the cookie to be able to login as anyone by the user id.

Yes, the exploit is fixed just by adding an = in the right spot.
How?

Well, IDK exactly where, but Chris might... But it puts that = sign back in with the 2.0.13 update.

Chris
Posts:4
Joined:Thu Mar 17, 2005 5:28 pm

Post by Chris » Tue Mar 22, 2005 4:23 pm

The best route for the admin to take is to update using the phpBB changed files only package, as I can see this forum hasn't been modded.

For those who really wanna know, here is how to fix the exploit I used:

in sessions.php:

    // We have to login automagically
    if( $sessiondata['autologinid'] == $auto_login_key )
    {
        // autologinid matches password
        $login = 1;
        $enable_autologin = 1;
    }

it should be

    // We have to login automagically
    if( $sessiondata['autologinid'] === $auto_login_key )
    {
        // autologinid matches password
        $login = 1;
        $enable_autologin = 1;
    }

Now that only fixes one exploit, there's another in viewtopic.php I believe.
I run a Mobile Athlon 64 3000+ in a Desktop PC with 1gb of ram and an 80GB hdd running WinXP x64 Beta
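The one-character fix above turns PHP's loose comparison (`==`, which type-juggles its operands) into a strict one (`===`, same type and value). The following is an added illustration written for this thread, not phpBB's own code: `autologin_loose` models the pre-2.0.13 check, `autologin_strict` models the fixed check with two extra defensive steps, and the stored key and sample values are constructed for the demo.

```php
<?php
// Added illustration, not phpBB's sessions.php. Models the autologin
// check from the thread: a key stored for the user is compared against
// the value read from the client's cookie. Names and values are assumed.

function autologin_loose(string $stored_key, $cookie_value): bool
{
    // Pre-2.0.13 shape: == performs type juggling, so a non-string value
    // reaching this comparison (for example boolean true) can compare
    // equal to a non-empty stored key even though it is not the key.
    return $cookie_value == $stored_key;
}

function autologin_strict(string $stored_key, $cookie_value): bool
{
    // The thread's fix (=== semantics) plus two hardening steps:
    // reject anything that is not a string before comparing, and use
    // hash_equals() so the comparison runs in constant time.
    if (!is_string($cookie_value)) {
        return false;
    }
    return hash_equals($stored_key, $cookie_value);
}

// Constructed stand-in for the stored autologin id.
$stored_key = md5('constructed-demo-key');

// Constructed sample cookie values: only the first one is the real key.
$samples = [
    'correct key'  => $stored_key,
    'wrong string' => md5('some-other-key'),
    'boolean true' => true,
    'empty string' => '',
];

// Print both verdicts side by side so the difference is visible:
// the loose check accepts more than the correct key, the strict one does not.
foreach ($samples as $label => $value) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(autologin_loose($stored_key, $value), true),
        var_export(autologin_strict($stored_key, $value), true)
    );
}
```

Run it with `php` on any 7.x or 8.x interpreter; the `is_string` guard matters because a cookie value that has been deserialised is not guaranteed to be a string.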

FormicaFun
Forum Regular
Posts:71
Joined:Wed Mar 23, 2005 8:48 pm
Location:Charlotte, NC

About the new Title for the forum...

Post by FormicaFun » Wed Mar 23, 2005 9:25 pm

I'm really glad that you were so bored and figured out a way to hack your way into the forum....and it's shocking that there's such loose security on a forum that discusses freeware. I don't think I've slept in over an hour in worry that someone may hack back into the forum and change the title back to what it was. After all, "Please update your phpBB" is such an appropriate title for the "Dale Harris Educational Software Forum". After all, it's been how long now? You've proven your point...and we're all so jealous over how cool you are.

So...if it's not TOO MUCH TROUBLE could we find it in our little hearts to effect a change back to where we once were? I'd really appreciate it.

-Ryan :-)

Chris
Posts:4
Joined:Thu Mar 17, 2005 5:28 pm

Re: About the new Title for the forum...

Post by Chris » Wed Mar 30, 2005 1:45 pm

FormicaFun wrote:I'm really glad that you were so bored and figured out a way to hack your way into the forum....and it's shocking that there's such loose security on a forum that discusses freeware. I don't think I've slept in over an hour in worry that someone may hack back into the forum and change the title back to what it was. After all, "Please update your phpBB" is such an appropriate title for the "Dale Harris Educational Software Forum". After all, it's been how long now? You've proven your point...and we're all so jealous over how cool you are.

So...if it's not TOO MUCH TROUBLE could we find it in our little hearts to effect a change back to where we once were? I'd really appreciate it.

-Ryan :-)
I would have thought an admin would be on by now and do something, anyway, as soon as I can get a cookie, I'll change it back :P
I run a Mobile Athlon 64 3000+ in a Desktop PC with 1gb of ram and an 80GB hdd running WinXP x64 Beta

Andrew
Site Administrator
Posts:822
Joined:Sun Dec 28, 2003 3:40 pm
Location:New Zealand

Post by Andrew » Thu Mar 31, 2005 8:48 am

The only person who can make such an upgrade is the owner of the site, Jonathan. Last Dale and I were aware he is holding down several jobs and as such hasn't been able to make it to the forum or Chat.

I am sure when he gets a chance he will upgrade our copy. For those of you who are intending on finding the exploit and using it, may I remind you that doing so would likely be a breach of the terms and services for this site.

I hope not to see any further foolishness by any of our members until such time as an upgrade can be applied. We are aware of the fact we need to upgrade, please do not draw further attention to the fact.
DHPOS Veteran (from v3.46, July 2002)
