Please update your phpBB
There is a serious exploit in all phpBB versions 2.0.11 and under. You NEED to upgrade, you can see that by how the title has been changed.
NOTE: I don't intend to harm your forum, I did that for EXAMPLE ONLY, but there are others who might want to exploit your terribly outdated phpBB, you have been warned.
PS Great forum.
PPS: cmputerman (techhut) did not have ANYTHING to do with this.
Last edited by Chris on Tue Mar 22, 2005 4:33 pm, edited 1 time in total.
I run a Mobile Athlon 64 3000+ in a Desktop PC with 1gb of ram and an 80GB hdd running WinXP x64 Beta
- ChrisKraus
- Forum Regular
- Posts:351
- Joined:Wed Dec 31, 2003 11:10 am
- Location:Dedham, MA - U.S.A.
- Forum Regular
- Posts:29
- Joined:Fri Jan 30, 2004 6:54 pm
- Location:USA!
ChrisKraus wrote: How'd you do that?
He used an exploit that was fixed in phpBB version 2.0.13
- Chris
All I know is that there is an additional "=" you need to put in, or you can edit a cookie with a string that works with the hack, and voilà, instant Admin access.
Hello! Here are the specs for my computer I recently built for myself:
AMD Ath64 Processor 2800+ Overclocked to 2.2 GHZ, 80GB HDD, 768MB RAM, Runs Windows and Linux!
- ChrisKraus
- Forum Regular
- Posts:351
- Joined:Wed Dec 31, 2003 11:10 am
- Location:Dedham, MA - U.S.A.
ChrisKraus wrote:
Chris- wrote: phpBB sets a cookie when you login, I can alter the cookie to be able to login as anyone by the user id.
Yes, the exploit is fixed just by adding an = in the right spot.
How?
Well, IDK exactly where, but Chris might... But it puts that = sign back in with the 2.0.13 update.
The best route for the admin is to update using the phpBB "changed files only" package, as I can see this forum hasn't been modded.
For those who really wanna know, here is how to fix the exploit I used:
in sessions.php:
Code:
// We have to login automagically
// (vulnerable: == is PHP's loose comparison, so the cookie value need not be a string)
if( $sessiondata['autologinid'] == $auto_login_key )
{
// autologinid matches password
$login = 1;
$enable_autologin = 1;
}
it should be
Code:
// We have to login automagically
// (fixed: === is strict, the cookie value must match in type and value)
if( $sessiondata['autologinid'] === $auto_login_key )
{
// autologinid matches password
$login = 1;
$enable_autologin = 1;
}
Now that only fixes one exploit, there's another in viewtopic.php I believe.
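An added illustration (my own PHP, not phpBB's code) of why that single extra = matters: PHP's == applies type juggling, so a cookie value that is not a string at all can compare equal to the stored key, while === demands the same type and value. The stored key and the cookie values below are constructed for the example.

```php
<?php
// Added example, not phpBB code. $auto_login_key stands for the hash phpBB
// stored for the account; $sessiondata stands for the decoded cookie, i.e.
// values the browser (and therefore the user) controls.

function autologin_loose(array $sessiondata, string $auto_login_key): bool
{
    // Pre-2.0.13 shape of the check: == is a loose comparison.
    return isset($sessiondata['autologinid'])
        && $sessiondata['autologinid'] == $auto_login_key;
}

function autologin_strict(array $sessiondata, string $auto_login_key): bool
{
    // 2.0.13 shape of the check: === requires identical type and value.
    return isset($sessiondata['autologinid'])
        && $sessiondata['autologinid'] === $auto_login_key;
}

// Constructed stand-in for the key stored server-side.
$stored_key = 'constructed_autologin_hash_value';

// Constructed cookie contents: a correct key, a wrong key, and a value
// that is not a string at all (PHP's loose == treats a non-empty string
// as equal to boolean true).
$cases = [
    'correct key'       => ['autologinid' => 'constructed_autologin_hash_value'],
    'wrong key'         => ['autologinid' => 'some_other_string'],
    'non-string cookie' => ['autologinid' => true],
];

foreach ($cases as $label => $sessiondata) {
    printf("%-18s loose(==): %-5s strict(===): %s\n",
        $label,
        autologin_loose($sessiondata, $stored_key) ? 'LOGIN' : 'deny',
        autologin_strict($sessiondata, $stored_key) ? 'LOGIN' : 'deny');
}
```

Only the "correct key" row logs in under ===; under == the "non-string cookie" row logs in too, which is the whole bug. In current PHP the equivalent check would also verify is_string() on the cookie value and compare with hash_equals() so the comparison runs in constant time.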
- Forum Regular
- Posts:71
- Joined:Wed Mar 23, 2005 8:48 pm
- Location:Charlotte, NC
About the new Title for the forum...
I'm really glad that you were so bored and figured out a way to hack your way into the forum....and it's shocking that there's such loose security on a forum that discusses freeware. I don't think I've slept in over an hour in worry that someone may hack back into the forum and change the title back to what it was. After all, "Please update your phpBB" is such an appropriate title for the "Dale Harris Educational Software Forum". After all, it's been how long now? You've proven your point...and we're all so jealous over how cool you are.
So...if it's not TOO MUCH TROUBLE could we find it in our little hearts to effect a change back to where we once were? I'd really appreciate it.
-Ryan :-)
Re: About the new Title for the forum...
FormicaFun wrote: I'm really glad that you were so bored and figured out a way to hack your way into the forum....and it's shocking that there's such loose security on a forum that discusses freeware. I don't think I've slept in over an hour in worry that someone may hack back into the forum and change the title back to what it was. After all, "Please update your phpBB" is such an appropriate title for the "Dale Harris Educational Software Forum". After all, it's been how long now? You've proven your point...and we're all so jealous over how cool you are.
So...if it's not TOO MUCH TROUBLE could we find it in our little hearts to effect a change back to where we once were? I'd really appreciate it.
-Ryan :-)
I would have thought an admin would be on by now and do something, anyway, as soon as I can get a cookie, I'll change it back.
The only person who can make such an upgrade is the owner of the site, Jonathan. Last Dale and I were aware he is holding down several jobs and as such hasn't been able to make it to the forum or Chat.
I am sure when he gets a chance he will upgrade our copy. For those of you who are intending on finding the exploit and using it, may I remind you that doing so would likely be a breach of the terms of service for this site.
I hope not to see any further foolishness by any of our members until such time as an upgrade can be applied. We are aware of the fact we need to upgrade, please do not draw further attention to the fact.