miniBB Support Forums

Security Vulnerability... yet another sad story with register_globals set to ON in php.ini

Author Paul
Lead Developer
#1 | Posted: 27 Oct 2006 14:51 
The recently discovered vulnerability is, again, related to hosting servers which have the register_globals setting turned ON in php.ini. Although I agree it's our fault this error appeared in the latest release, most importantly it means you have very insecure hosting when this is turned on.

Read more info on PHP site:

http://php.net/manual/en/security.registerglobals.php

To solve the issue, paste at the very top of each of these files:

bb_func_forums.php
bb_func_txt.php
bb_functions.php

the following line:

if (!defined('INCLUDED776')) die ('Fatal error.');

These files are updated in the freshly issued updated package.

Everybody is still recommended to do this short upgrade.

Author Moony
Registered
#2 | Posted: 6 Nov 2006 13:07 
It is possible to write in .htaccess: php_flag register_globals off
Does it help?

Author Paul
Lead Developer
#3 | Posted: 6 Nov 2006 16:19 
It may help only on servers where it's allowed...

Author krko
Registered
#4 | Posted: 16 Nov 2006 16:31 
It breaks the RSS feed plugin.

Goran

Author Paul
Lead Developer
#5 | Posted: 17 Nov 2006 02:50 
krko
Download the latest version of the RSS addon from the Downloads section. It has been updated already to be compliant with the latest miniBB release. The 1st page news addon has been updated as well.

Actually, this line of code should appear in any addon using the mentioned updated scripts:

define ('INCLUDED776',1);

Author Monk
Registered
#6 | Posted: 17 Nov 2006 06:37 
Krko

Do you have the latest setup_mysql.php file in your forum folder?

My RSS feed was also broken until I included just that file itself along with the other one (setup_[insert the name of your database here].php).

Author krko
Registered
#7 | Posted: 17 Nov 2006 10:41 
Actually, this line of code should appear in any addon using the mentioned updated scripts:

define ('INCLUDED776',1);


Where should it be? At the very top?

What about file upload and private messaging plugin? Do they need to be updated?

Author Paul
Lead Developer
#8 | Posted: 17 Nov 2006 16:38 
At the very top? - yes.

Addons do not contain this hole; they are all already secured... thus remember: they are not publicly distributed.

Author Karel II
Registered
#9 | Posted: 20 Nov 2006 02:52 | Edited by: Karel II 
A friend of mine sent me this link today -

http://www.securityfocus.com/bid/20757/info

is it about the same security issue (already solved by adding the line you mention)?

Karel

Author Paul
Lead Developer
#10 | Posted: 20 Nov 2006 13:31 
Karel II
This is bogus; about 5-10 lines above, it includes a file which declares $pathToFiles.

include ('./setup_options.php');
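The include-guard pattern discussed in this thread (the `if (!defined('INCLUDED776')) die ('Fatal error.');` line in post #1, the matching `define ('INCLUDED776',1);` in posts #5 and #8, and the `$pathToFiles` dependency on `setup_options.php` from post #10), shown side by side as an added example. This is not miniBB's own code: the file names `bb_func_demo.php` and `entry_demo.php`, the function `demo_template_path()`, and the `register_globals` check are assumptions made for the demonstration, and the two files are written as labelled sections of one listing.

```php
<?php
// Added example, not miniBB code. Two files are shown as labelled sections.
//
// ===== file: bb_func_demo.php (library file, hypothetical name) =====
// Guard line at the very top, exactly as post #1 prescribes. If this file is
// requested from the web directly, no entry script has defined INCLUDED776,
// so execution stops here, before any code that relies on $pathToFiles having
// been set by setup_options.php could run with a value that register_globals
// might have populated from the request instead.
if (!defined('INCLUDED776')) die('Fatal error.');

// Library code below only runs when reached through a guarded entry script.
function demo_template_path($pathToFiles, $template)
{
    // $pathToFiles is expected to come from setup_options.php (post #10),
    // never from the request; basename() keeps the template name a bare file.
    return rtrim($pathToFiles, '/') . '/templates/' . basename($template);
}

// ===== file: entry_demo.php (forum page or addon, hypothetical name) =====
// The constant is defined at the very top, before any include of the guarded
// library files, as posts #5 and #8 describe for addons such as the RSS feed.
define('INCLUDED776', 1);

// Defender check on the hosting setting the thread is about: on PHP builds
// that still have register_globals, ini_get() reports whether it is on.
// (ini_get returns false on PHP versions where the directive no longer exists.)
$rg = ini_get('register_globals');
if ($rg !== false && filter_var($rg, FILTER_VALIDATE_BOOLEAN)) {
    error_log('register_globals is ON in php.ini: variables can be seeded '
            . 'from the request; ask the host to turn it off or use '
            . '"php_flag register_globals off" in .htaccess where allowed.');
}

// In miniBB this include declares $pathToFiles (post #10); for the example a
// constructed value stands in for the real settings file.
$pathToFiles = __DIR__;            // stands in for include('./setup_options.php');

require_once __DIR__ . '/bb_func_demo.php';   // guard passes: constant exists

// Usage: resolve a template path through the guarded library.
echo demo_template_path($pathToFiles, 'demo.html'), PHP_EOL;
```

The `php_flag register_globals off` line from post #2 only takes effect where PHP runs as an Apache module and the host's `AllowOverride` permits `php_flag` in `.htaccess`, which is why post #3 says it helps only on servers where it is allowed; the `ini_get()` check above tells you whether the setting actually took effect for the running script.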
