Thijs Kinkhorst wrote: > On Mon, 2006-05-15 at 08:31 +0200, Jeroen van Wolffelaar wrote: > > On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote: > > > Thanks for the report. While I think that people who are admin can > > > already do a lot of damage and should hence be considered trusted, > > > executing php code is a step further in permissions and thus this can be > > > considered a security issue. I will look into a fix soon. > > > > Patch (untested): > > > > --- phpBB2/viewtopic.php 2005-10-31 08:32:37.000000000 +0100 > > +++ phpBB2/viewtopic.php 2006-05-15 08:25:12.000000000 +0200 > > @@ -1105,6 +1105,12 @@ > > { > > // This was shamelessly 'borrowed' from volker at > > multiartstudio dot de > > // via php.net's annotated manual > > + > > + // First, defuse fontcolor3, as it'd otherwise be arbitrary > > code execution > > + if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) { > > + $theme['fontcolor3'] = 'FFA34F'; > > + } > > + > > $message = str_replace('\"', '"', > > substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', > > "@preg_replace('#\b(" . str_replace('\\', '\\\\', > > addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . > > $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . > > '<'), 1, -1)); > > } > > > > I've tested this patch on both testing and production boards, and it > works, so it's now committed to the sarge branch. If the security team > agrees that this warrants an advisory, we're all set for that,
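Review bot: the `eregi("^[0-9a-f]+$", $theme['fontcolor3'])` whitelist closes the injection at this one call site, but the sink that makes it code execution is the `e` in the `'#(\>(((?>([^><]+|(?R)))*)\<))#se'` modifier, which evaluates the replacement string as PHP; `$highlight_match` is interpolated into that same string and is protected only by `addslashes()` plus the `str_replace('\\', '\\\\', ...)` doubling, so the construction stays one escaping mistake away from the same bug. Consider rewriting the highlighting with `preg_replace_callback()` (available since PHP 4.0.5), so the `<span>` wrapping happens in a PHP function and no string is ever eval'd; the colour check can then remain as plain input validation, ideally tightened to `^[0-9a-f]{3,6}$` (eregi is already case-insensitive) so only a CSS-length hex colour is accepted, with the `'FFA34F'` fallback kept as the default. The hunk also fixes the value only where it is consumed; validating `fontcolor3` where the theme is saved from the admin form would stop a bad value from being stored at all, whichever template later reads it.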
Given that phpBB issues are frequently actively exploited, we should issue an update for this.

> the only
> thing is that Jeroen needs to build some packages out of the current
> branch but I think he's quite capable of that :)
>
> Security team: please review the problem at hand and proposed patch. If
> ok, then Jeroen will supply you with updated packages a.s.a.p.

The patch looks fine, please go ahead.

> W.r.t. unstable, I will look into that very soon, we'll need to be
> upgrading to a new upstream as well. I'll check whether that can be done
> in the short term, if not, I'll prepare a patched package.

Ok, thanks.

Cheers,
Moritz