Feb 07

Because the FreeBSD zh-phpbb-tw port ( /usr/ports/chinese/phpbb-tw ) is still at version 2.0.21, and according to what FreshPorts - VuXML shows, 2.0.21 is flagged as "vulnerable".

The maintainer, chinsan, contacted me in early January hoping I could help get in touch with 竹貓 and ask them to release the 2.0.22 Chinese version, to make his maintenance work easier.

I raised it with 小竹子 over MSN on 1/8, but so far 竹貓 has not reacted at all, and on the forum only this thread mentions it.

phpBB 2.0.22 added one new language string:

$lang['Session_invalid'] = 'Invalid Session. Please resubmit the form.';

It is still unclear what 竹貓's translation of it will be.

竹貓's site seems to be getting ready for a redesign, but as the Chinese-language support site for Asia, they ought to take some responsibility, shouldn't they!?

Also, I think phpBB's approach to multilingual support still has room for improvement.
A better approach would be to notify each language file's translation team before a new release, have them translate it and send it back to the official team, and then release all the language packs bundled together.

Jul 22

The main fixes are:

  • Added extra checks to the deletion code in privmsg.php - reported by party_fan
  • Fixed XSS issue in IE using the url BBCode
  • Fixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure
  • Fixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik
  • Pass username through phpbb_clean_username within validate_username function - AnthraX101
  • Fixed PHP error in message_die function
  • Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J
  • Also fixed above issue in usercp_viewprofile.php
  • Fixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat
  • Fixed ordering of forums on admin_ug_auth.php to be consistent with other pages
  • Correctly set username on posts when deleting a user from the admin panel

The official announcement is here.
竹貓星球 has also posted this announcement!

Jul 02

2.0.16 contains a security fix, and it is in the most frequently accessed file, viewtopic.php:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', $highlight_match) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

changed to

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
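What the 2.0.16 line above fixes is that $highlight_match, which comes from the user's search terms, is spliced into a string that the e modifier of preg_replace() hands to eval(); any quoting error there turns data into PHP code, and addslashes() is the patch. The following is an added example, not phpBB's code: the same "highlight search terms in the text nodes of a rendered post" logic written with preg_replace_callback() (the e modifier no longer exists in PHP 7), so no user data is ever assembled into PHP source. The function name highlight_message, the $fontcolor argument and the sample post are assumptions.

```php
<?php
// Added example, not phpBB's code: highlight search terms inside the text
// nodes of a rendered post using preg_replace_callback() instead of the
// e modifier. Function name, $fontcolor argument and sample data are assumed.

function highlight_message(string $message, string $highlight, string $fontcolor): string
{
    // Split the raw search input into terms; empty input means nothing to do.
    $terms = preg_split('/\s+/', trim($highlight), -1, PREG_SPLIT_NO_EMPTY);
    if (empty($terms)) {
        return $message;
    }

    // preg_quote() escapes regex metacharacters in each term ('#' is the
    // delimiter used below, so it is escaped as well).
    $quoted  = array_map(function (string $t): string { return preg_quote($t, '#'); }, $terms);
    $term_re = '#\b(' . implode('|', $quoted) . ')\b#i';

    // The colour lands inside a style attribute, so it is validated against
    // the expected 6-hex-digit form rather than trusted.
    if (!preg_match('/^[0-9A-Fa-f]{6}$/', $fontcolor)) {
        $fontcolor = '000000';
    }
    $wrap = '<span style="color:#' . $fontcolor . '"><b>$1</b></span>';

    // As in the original, wrap the fragment in '>' ... '<' so that every text
    // node sits between a '>' and a '<', rewrite only those nodes, then strip
    // the two sentinel characters again.
    $out = preg_replace_callback(
        '#>([^<>]*)<#',
        function (array $m) use ($term_re, $wrap): string {
            return '>' . preg_replace($term_re, $wrap, $m[1]) . '<';
        },
        '>' . $message . '<'
    );

    return substr($out, 1, -1);
}

// Constructed sample post and search terms, not real board data.
$post = 'Hello <b>world</b>, this is a <i>test post</i>.';
echo highlight_message($post, 'world test', 'FF0000'), PHP_EOL;
```

Because the terms only ever pass through preg_quote() and a replacement string, a term containing quotes, backslashes or regex metacharacters is at worst a term that matches nothing; it cannot change what code runs, which is exactly the property the hand-rolled str_replace()/addslashes() chain in the original was trying to achieve.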

The full list of changes is as follows:

  • Fixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
  • Url descriptions able to be wrapped over more than one line again
  • Fixed bug with eAccelerator in admin_ug_auth.php
  • Check new_forum_id for existence in modcp.php - alessnet
  • Prevent uploading avatars with no dimensions - Xpert
  • Fixed bug in usercp_register.php, forcing avatar file removal without updating avatar information within the database - HenkPoley
  • Fixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set

The official announcement is here.
竹貓星球 has also posted this announcement.

May 31

A while ago, this post appeared on Weblog Tools Collection.

Anyone who has followed this blog for a while has probably also seen the phpBB version update posts.

Among the various forum systems, phpBB's performance is quite good, and its share of sites worldwide is very high. As a result, phpBB has become the number-one target of many attackers (tall trees catch the wind!?).

Of course, the old saying still applies.
There is no absolutely secure system in the world, only absolutely diligent system administrators/maintainers.
(Though quite a few people may already have jumped ship to other systems because of this. XD)

May 12

First, the changes between 2.0.13 and 2.0.14:

  • Hardened author and keyword search a bit to not allow very server intensive searches
  • Fixed full path disclosure in bad word parsing
  • Resetting complete userdata array in session code if authentication fails
  • Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
  • Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
  • Fixed html handling in signatures if html is turned off globally
  • Fixed install.php problem with PHP5 register_long_arrays option turned off
  • Fixed potential issues with styling system
  • Added correct class to login_body template file
  • Removed file db/oracle.php from package
  • Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
  • Fixed case-sensitivity issues in postgres7.php - R45

2.0.15 fixes a security issue. In includes/bbcode.php, below this section:

{
   global $lang, $bbcode_tpl;

add this line:

$text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);

And also below this section:

 */
function make_clickable($text)
{

add this line:

$text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);

So in total the changes are:

  • Fixed moderator status removal in groupcp.php
  • Removed newlines after ?> on some files - Thoul
  • Added admin re-authentication (admin needs to login separately to access the ACP) - backported from Olympus
  • Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
  • Fixed issue in admin/admin_forums.php
  • Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
  • Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
  • Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
  • Updated the readme file
  • Added one new language variable
  • Added general error if accessing profile for a non-existent user
  • Changed session id generation to be more unique - Henno Joosep
  • Fixed bug in highlight code to escape characters correctly
  • Reversed the 2.0.14 fix for postgresql because it produced more problems than it solved.
  • Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
  • Fixed bypassing of validate_username on registration - Yen
  • Empty url/img bbcodes no longer get parsed

竹貓星球 also has these two announcements:
[2005/04/25] phpBB 2.0.14 security fix release (includes update files)
[2005/05/08] phpBB 2.0.15 security fix release

Mar 11

This release mainly fixes two bugs in 2.0.12; quoted from the official announcement:

  • includes/sessions.php fix:
    if( $sessiondata['autologinid'] == $auto_login_key )

    changed to

    if( $sessiondata['autologinid'] === $auto_login_key )
  • viewtopic.php fix:
    $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

    changed to

    $message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
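The includes/sessions.php change in the list above is a single character, == to ===, but it changes what kind of value can satisfy the check: PHP's loose comparison type-juggles non-string operands (a boolean true compares equal to any non-empty string), while === also requires both operands to be strings. The following is an added example and not phpBB's code; it puts the two comparisons side by side with a third, stricter variant that validates the cookie value's type and shape and compares in constant time. The function names, the 32-hex-digit key format and the sample values are assumptions.

```php
<?php
// Added example, not phpBB's code: the autologin key comparison before and
// after the 2.0.13 change, plus a hardened variant. Function names, key
// format and sample values are assumptions.

// 2.0.12 behaviour: loose comparison. PHP type juggling lets a non-string
// cookie value (for instance boolean true) compare equal to a string key.
function autologin_matches_loose(array $sessiondata, string $auto_login_key): bool
{
    return isset($sessiondata['autologinid'])
        && $sessiondata['autologinid'] == $auto_login_key;
}

// 2.0.13 behaviour: identity comparison, which also requires both operands
// to be strings.
function autologin_matches_strict(array $sessiondata, string $auto_login_key): bool
{
    return isset($sessiondata['autologinid'])
        && $sessiondata['autologinid'] === $auto_login_key;
}

// Hardened variant: reject anything that is not a string of the expected
// shape before comparing, and compare in constant time with hash_equals()
// (PHP >= 5.6). The 32-hex-digit shape is an assumed md5-style key format.
function autologin_matches_hardened(array $sessiondata, string $auto_login_key): bool
{
    if (!isset($sessiondata['autologinid']) || !is_string($sessiondata['autologinid'])) {
        return false;
    }
    if ($auto_login_key === '' || !preg_match('/^[0-9a-f]{32}$/', $sessiondata['autologinid'])) {
        return false;
    }
    return hash_equals($auto_login_key, $sessiondata['autologinid']);
}

// Constructed test values: the stored key, a matching cookie value, a wrong
// one, and a cookie whose autologinid decoded to a boolean instead of a string.
$stored_key = str_repeat('ab', 16);
$cases = [
    'matching string'   => ['autologinid' => $stored_key],
    'wrong string'      => ['autologinid' => str_repeat('cd', 16)],
    'non-string (true)' => ['autologinid' => true],
];
foreach ($cases as $label => $sessiondata) {
    printf("%-18s loose=%d strict=%d hardened=%d\n", $label,
        autologin_matches_loose($sessiondata, $stored_key),
        autologin_matches_strict($sessiondata, $stored_key),
        autologin_matches_hardened($sessiondata, $stored_key));
}
```

Only the first case should pass all three checks; the third row is the one the 2.0.13 fix is about, since the loose check accepts it and the strict and hardened ones do not. The hardened variant goes one step further than the official fix by refusing anything that does not look like a key at all, so a malformed cookie is rejected before any comparison happens.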

See also 竹貓星球's [Announcement] phpBB 2.0.13 officially released (security update).

Feb 24

2.0.12 mainly fixes security issues in 2.0.11, including SQL injection.
(Does phpBB still not seem to have fully escaped this minefield?! XD)

The changes between 2.0.12 and 2.0.11 are as follows (quoted from the phpBB official announcement):

  • Added confirm table to admin_db_utilities.php
  • Prevented full path display on critical messages
  • Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
  • Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
  • Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
  • Fixed arbitrary file unlink vulnerability in avatar handling functions -AnthraX101
  • Removed version number from powered by line
  • Merged database update files to update_to_latest.php file
  • Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
  • Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer

However, the files the official team uploaded to SourceForge all seem to be broken; 竹貓星球 has posted their own mirror instead (quoted from [Announcement] phpBB 2.0.12 officially released (security update)):

Also, 竹貓星球 has released the Traditional Chinese language pack for phpBB 2.0.12.
