miniBB Support Forums / News & Announcements

Security Vulnerability... yet another sad story with register_globals set to ON in php.ini

Author Paul
CEO
#1 | Posted: 27 Oct 2006 14:51 
The recently discovered vulnerability is, again, related to hosting servers which have the register_globals setting turned ON in php.ini. Although I agree it's our fault this error appeared in the latest release, most importantly it means you have very insecure hosting when this is turned on.

Read more info on PHP site:

http://php.net/manual/en/security.registerglobals.php

To solve the issue, paste at the very top of each of these files:

bb_func_forums.php
bb_func_txt.php
bb_functions.php

the following line:

if (!defined('INCLUDED776')) die ('Fatal error.');

These files are updated in the freshly issued updated package.

Everybody is still recommended to do this short upgrade.
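As an added illustration of the guard line in the post above (this is example code written for this page, not one of miniBB's own files): a library file that starts with `if (!defined('INCLUDED776')) die ('Fatal error.');` cannot do anything when it is requested on its own, because only the real entry script defines the constant before including it. The demo writes a stand-in for bb_functions.php and a stand-in index.php into a temp directory and runs each with the php CLI, so the whole thing is one script; it assumes the `php` binary that runs it is usable via PHP_BINARY.

```php
<?php
// Added example, not miniBB code: the include-guard pattern from the post above.
// A library file dies unless the entry script has defined INCLUDED776 first, so a
// direct request for the library file (the case register_globals makes dangerous,
// because query-string names become variables before any code runs) stops at line 1.
// Assumptions: PHP_BINARY is runnable; the two file names stand in for
// bb_functions.php and the forum's index.php and live in a temp directory.

$dir = sys_get_temp_dir() . '/minibb_guard_demo_' . getmypid();
mkdir($dir, 0700);

// Library file: the guard is the very first statement, before anything else.
file_put_contents("$dir/bb_functions.php", <<<'LIB'
<?php
if (!defined('INCLUDED776')) die('Fatal error.');
function bb_banner() { return 'library code ran: the entry script defined the guard'; }
LIB
);

// Entry script: defines the constant, then includes the library.
file_put_contents("$dir/index.php", <<<'ENTRY'
<?php
define('INCLUDED776', 1);
include __DIR__ . '/bb_functions.php';
echo bb_banner(), "\n";
ENTRY
);

$php = escapeshellarg(PHP_BINARY);

// 1) The library file run on its own: no constant is defined, the guard fires.
echo "bb_functions.php requested directly -> ",
     trim(shell_exec("$php " . escapeshellarg("$dir/bb_functions.php"))), "\n";

// 2) The same library reached through the entry script: it runs normally.
echo "reached via index.php               -> ",
     trim(shell_exec("$php " . escapeshellarg("$dir/index.php"))), "\n";

// Clean up the temp files.
unlink("$dir/bb_functions.php");
unlink("$dir/index.php");
rmdir($dir);
```

The guard has to be the first statement in the file: anything placed above it (an include, an assignment using a variable name that a request could supply) would still run on a direct request.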
Author Moony
Registered
#2 | Posted: 6 Nov 2006 13:07 
It is possible to write in .htaccess: php_flag register_globals off
Does it help?
Author Paul
CEO
#3 | Posted: 6 Nov 2006 16:19 
It may help only on servers where it's allowed...
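Where the host honours Moony's `.htaccess` line (`php_flag register_globals off`), that is the cleaner fix. For hosts that refuse it, the following added example (my own code, not miniBB's; the function and variable names are hypothetical) is an in-script fallback: included at the very top of the entry script, it reports whether register_globals is on and, if so, removes every global variable whose name arrived in a request superglobal, undoing what the setting injected. The demonstration at the bottom uses a constructed request array rather than a real request.

```php
<?php
// Added example, not miniBB code: an "unregister globals" bootstrap for hosts where
// php.ini cannot be edited and the .htaccess php_flag is not allowed. Include it
// before any library file and before the entry script sets its own variables.

function register_globals_is_on() {
    // ini_get() returns "1"/"On" when enabled, "" or "0" when off, and false on
    // PHP >= 5.4 where the directive no longer exists; every "off" form is false here.
    return (bool) filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Removes globals whose names came from request data and returns how many it removed.
// $sources lets the caller pass constructed arrays (used in the demo below); with no
// argument it uses the real superglobals and does nothing when register_globals is off,
// since then nothing was injected and a legitimate global must not be touched.
function unregister_globals($sources = null) {
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER',
                       '_ENV', '_REQUEST', '_SESSION', 'argv', 'argc');
    if (!is_array($sources)) {
        if (!register_globals_is_on()) {
            return 0;
        }
        $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV, $_REQUEST);
        if (isset($_SESSION)) {
            $sources[] = $_SESSION;
        }
    }
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $protected, true)) {
                continue; // never unset a superglobal itself
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}

// Constructed demonstration: simulate what register_globals does with a request
// carrying a "pathToFiles" parameter, i.e. a global of that name exists before any
// application code has run.
$fakeGet = array('pathToFiles' => 'request-supplied value');
$GLOBALS['pathToFiles'] = $fakeGet['pathToFiles'];

echo "register_globals on:        ", var_export(register_globals_is_on(), true), "\n";
echo "injected globals removed:   ", unregister_globals(array($fakeGet)), "\n";
echo "pathToFiles still defined:  ", var_export(isset($GLOBALS['pathToFiles']), true), "\n";
```

The order matters: this must run before `setup_options.php` or any file that legitimately assigns `$pathToFiles`, otherwise the cleanup would discard the application's own value along with the injected one.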
Author krko
Registered
#4 | Posted: 16 Nov 2006 16:31 
It breaks the RSS feed plugin.

Goran
Author Paul
CEO
#5 | Posted: 17 Nov 2006 02:50 
krko
Download the latest version of the RSS addon from the Downloads section. It has been updated already to be compliant with the latest miniBB release. The 1st page news addon has been updated, too.

Actually, this line of code should appear in any addon using the mentioned updated scripts:

define ('INCLUDED776',1);
Author Monk
Registered
#6 | Posted: 17 Nov 2006 06:37 
Krko

Do you have the latest setup_mysql.php file in your forum folder?

My RSS feed was also broken until I included just that file itself along with the other one (setup_[insert the name of your database here].php).
Author krko
Registered
#7 | Posted: 17 Nov 2006 10:41 
Actually this line of code should appear in any addon using mentioned updated scripts:

define ('INCLUDED776',1);
Where should it be? At the very top?

What about file upload and private messaging plugin? Do they need to be updated?
Author Paul
CEO
#8 | Posted: 17 Nov 2006 16:38 
At the very top? - yes.

Addons do not contain this hole; they are all already secured... thus remember - they are not publicly distributed.
Author Karel II
Registered
#9 | Posted: 20 Nov 2006 02:52 | Edited by: Karel II 
A friend of mine sent me this link today -

http://www.securityfocus.com/bid/20757/info

is it about the same security issue (already solved by adding the line you mention)?

Karel
Author Paul
CEO
#10 | Posted: 20 Nov 2006 13:31 
Karel II
This is bogus; about 5-10 lines above, it includes a file which declares $pathToFiles.

include ('./setup_options.php');