Full Version: urgent: Upgrade to phpBB 2.0.11 ASAP
dingfelder
Important Notice:

Anyone using an old version of phpBB needs to upgrade asap!

QUOTE
This is a reminder to all users to upgrade as soon as possible to 2.0.11. Remember, the issue leading to this release was extremely serious. It gave rise to the possibility for persons to "install" scripts, delete files and otherwise access your system. If you have upgraded, be sure to check your account/system for suspicious files, etc. If you have any concerns please raise them in the support forum here at phpbb.com.


http://www.phpbb.com/phpBB/viewtopic.php?t...8ffba77211df07d

how to patch from 4.3.10

http://www.phpbb.com/phpBB/viewtopic.php?t=240513
Hexatomb
Will this be done for us if we request it? Or will I have to try to upgrade myself?

And, how can I request the update?
dingfelder
There really should be an official reply because one account that uses the old version opens up their entire server to security issues with this bug...

I personally fixed the 5 domains that I had which needed upgrading...

I don't think there is any "quick" or easy thing Hostony can do, other than make sure that the default bulletin boards that get installed through Fantastico are up to date; last time I looked, they were not.

Best recommendation I can make is:

Back up your website frequently so that when we get hacked, you can get your stuff up and running quickly again.

I say "when" rather than "if" because there are some pretty easy to do (and widely documented) exploits that will allow hackers to "install" scripts, delete files and otherwise access your entire filesystem, from this phpBB security issue. This would allow them to hack one user's non-upgraded system, then run PHP scripts in another user's area.
JasonJones
Hear, hear... I think that a proactive search of the filesystem for the vulnerable versions of phpBB would be wise, and then adding a .htaccess to deny access to the forums dir until it's fixed, and add a redirect to a page asking them to contact support or upgrade... It would be easy to write a quick and dirty script to do this, and would only take a min or two to run on each server. When the offending domain is upgraded, if they can't figure out how to fix the .htaccess, they can contact support, and if they contact support, then they will know how. Good thing is just set this up on a cron, run it every few hours until it doesn't find any more versions that are vulnerable.

I don't feel happy knowing some Dolt on my server might cause the server to go down, or force me to upload over a gig of data again...

Jason
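
The sweep proposed in the post above, as an added example (not code from the thread or from the host): it walks a hosting root, treats any directory holding `viewtopic.php` as a board, and blocks boards older than 2.0.11 with an `.htaccess` deny that sends visitors to a notice page. The `VERSION` file lookup, the notice URL and all function names are assumptions; swap `read_version` for however the installed release is actually determined.

```python
import os
import re

FIXED = (2, 0, 11)                     # release named in the notice above
MARK = "# quarantine: outdated phpBB"  # tag that makes reruns idempotent
# Apache 2.4 syntax; 2.2 and older use "Order deny,allow" + "Deny from all".
BLOCK = MARK + "\nRequire all denied\nErrorDocument 403 {notice}\n"

def parse_version(text):
    """'2.0.10' -> (2, 0, 10). Tuples compare numerically, so 2.0.9 < 2.0.11
    (a plain string comparison would get that wrong)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def read_version(board_dir):
    """Hypothetical lookup: a VERSION file stands in for however the host
    learns the installed release. Returns None when it cannot tell."""
    try:
        with open(os.path.join(board_dir, "VERSION")) as fh:
            return parse_version(fh.read())
    except OSError:
        return None

def quarantine(board_dir, notice_url):
    """Prepend the deny block to .htaccess, keeping the owner's own rules.
    Returns False if the directory was already blocked."""
    path = os.path.join(board_dir, ".htaccess")
    old = ""
    if os.path.exists(path):
        with open(path) as fh:
            old = fh.read()
    if MARK in old:
        return False
    with open(path, "w") as fh:
        fh.write(BLOCK.format(notice=notice_url) + old)
    return True

def sweep(root, notice_url, get_version=read_version):
    """Walk root; block boards older than FIXED. Returns (blocked, unknown):
    directories newly blocked, and boards whose version needs a manual look."""
    blocked, unknown = [], []
    for board, _dirs, files in os.walk(root):
        if "viewtopic.php" not in files:   # script name seen in the links above
            continue
        version = get_version(board)
        if version is None:
            unknown.append(board)
        elif version < FIXED and quarantine(board, notice_url):
            blocked.append(board)
    return sorted(blocked), sorted(unknown)
```

Run from cron, a second pass returns an empty `blocked` list once every outdated board is tagged. The directives only take effect where `AllowOverride` permits `AuthConfig` and `FileInfo`.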