Please update your phpBB

Posted: Thu Mar 17, 2005 5:45 pm
by Chris
There is a serious exploit in all phpBB versions 2.0.11 and under. You NEED to upgrade, you can see that by how the title has been changed.

NOTE: I don't intend to harm your forum, I did that for EXAMPLE ONLY, but there are others who might want to exploit your terribly outdated phpBB, you have been warned.

PS Great forum.

PPS: cmputerman (techhut) did not have ANYTHING to do with this.

Posted: Fri Mar 18, 2005 3:52 pm
by ChrisKraus
How'd you do that?
- Chris :)

Posted: Fri Mar 18, 2005 4:13 pm
by cmputerman
ChrisKraus wrote:How'd you do that?
- Chris :)
He used an exploit that was fixed in phpBB version 2.0.13.

All I know is that there is an additional "=" you need to put in, or you can edit a cookie with a string that works with the hack, and voilà, instant Admin access.

Posted: Sun Mar 20, 2005 5:35 pm
by Chris-
phpBB sets a cookie when you log in, I can alter the cookie to be able to log in as anyone by the user id.

Yes, the exploit is fixed just by adding an = in the right spot.

Posted: Sun Mar 20, 2005 6:05 pm
by Guest
I don't think it is updated yet :? That or the version number will not change...

Posted: Sun Mar 20, 2005 6:07 pm
by Guest
Guess who? It is me! Cmputerman! Teehee wrote:I don't think it is updated yet :? That or the version number will not change...
That was me....

Posted: Mon Mar 21, 2005 3:45 pm
by ChrisKraus
Chris- wrote:phpBB sets a cookie when you log in, I can alter the cookie to be able to log in as anyone by the user id.

Yes, the exploit is fixed just by adding an = in the right spot.
How?

Posted: Mon Mar 21, 2005 4:48 pm
by cmputer_man
ChrisKraus wrote:
Chris- wrote:phpBB sets a cookie when you log in, I can alter the cookie to be able to log in as anyone by the user id.

Yes, the exploit is fixed just by adding an = in the right spot.
How?

Well, IDK exactly where, but Chris might... But it puts that = sign back in with the 2.0.13 update.

Posted: Tue Mar 22, 2005 4:23 pm
by Chris
The best route for the admin is to update using the phpBB changed-files-only package, as I can see this forum hasn't been modded.

For those who really wanna know, here is how to fix the exploit I used:

In sessions.php:

    // We have to login automagically
    if( $sessiondata['autologinid'] == $auto_login_key )
    {
        // autologinid matches password
        $login = 1;
        $enable_autologin = 1;
    }

It should be:

    // We have to login automagically
    if( $sessiondata['autologinid'] === $auto_login_key )
    {
        // autologinid matches password
        $login = 1;
        $enable_autologin = 1;
    }

Now that only fixes one exploit, there's another in viewtopic.php I believe.
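
Added illustration, not part of the post above and not phpBB's code: the fix replaces PHP's loose == with strict ===, and this sketch runs both on a credential check, plus a hardened variant that also uses hash_equals. Function names and sample values are constructed for the example; only the loose check accepts the non-string input.

```php
<?php
// Added example: names and sample values are constructed, not phpBB's.

// Loose comparison, as in the check before the fix quoted above.
function matches_loose($supplied, string $stored): bool
{
    return $supplied == $stored;
}

// Strict comparison, as in the fixed check: type and value must both match.
function matches_strict($supplied, string $stored): bool
{
    return $supplied === $stored;
}

// Hardened variant (assumption, not phpBB's code): accept only strings and
// compare them in constant time.
function matches_hardened($supplied, string $stored): bool
{
    return is_string($supplied) && hash_equals($stored, $supplied);
}

// Constructed stand-in for the stored auto-login key.
$stored = str_repeat('ab', 16);

// Constructed inputs. The last one models a value that reached the check
// with a non-string type, which loose comparison converts before comparing.
$cases = [
    'correct string' => $stored,
    'wrong string'   => str_repeat('0', 32),
    'boolean true'   => true,
];

foreach ($cases as $label => $value) {
    printf(
        "%-15s loose=%-5s strict=%-5s hardened=%s\n",
        $label,
        var_export(matches_loose($value, $stored), true),
        var_export(matches_strict($value, $stored), true),
        var_export(matches_hardened($value, $stored), true)
    );
}
```
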

About the new Title for the forum...

Posted: Wed Mar 23, 2005 9:25 pm
by FormicaFun
I'm really glad that you were so bored and figured out a way to hack your way into the forum....and it's shocking that there's such loose security on a forum that discusses freeware. I don't think I've slept in over an hour in worry that someone may hack back into the forum and change the title back to what it was. After all, "Please update your phpBB" is such an appropriate title for the "Dale Harris Educational Software Forum". After all, it's been how long now? You've proven your point...and we're all so jealous over how cool you are.

So...if it's not TOO MUCH TROUBLE could we find it in our little hearts to effect a change back to where we once were? I'd really appreciate it.

-Ryan :-)

Re: About the new Title for the forum...

Posted: Wed Mar 30, 2005 1:45 pm
by Chris
FormicaFun wrote:I'm really glad that you were so bored and figured out a way to hack your way into the forum....and it's shocking that there's such loose security on a forum that discusses freeware. I don't think I've slept in over an hour in worry that someone may hack back into the forum and change the title back to what it was. After all, "Please update your phpBB" is such an appropriate title for the "Dale Harris Educational Software Forum". After all, it's been how long now? You've proven your point...and we're all so jealous over how cool you are.

So...if it's not TOO MUCH TROUBLE could we find it in our little hearts to effect a change back to where we once were? I'd really appreciate it.

-Ryan :-)
I would have thought an admin would be on by now and do something, anyway, as soon as I can get a cookie, I'll change it back :P

Posted: Thu Mar 31, 2005 8:48 am
by Andrew
The only person who can make such an upgrade is the owner of the site, Jonathan. Last Dale and I were aware he is holding down several jobs and as such hasn't been able to make it to the forum or Chat.

I am sure when he gets a chance he will upgrade our copy. For those of you who are intending on finding the exploit and using it, may I remind you that doing so would likely be a breach of the terms and services for this site.

I hope not to see any further foolishness by any of our members until such time as an upgrade can be applied. We are aware of the fact we need to upgrade; please do not draw further attention to the fact.