phpBB released another update for their forum software; the newest version is now 2.0.12. If you are running 2.0.11 the update is actually very straightforward. Save yourself a lot of grief and be sure to edit update_to_latest.php to reflect the location of your forum’s root directory. It took me over an hour to figure out what I hosed up when the update script ran and blew up. I ended up restoring the files I’d just backed up, only to find that some mods were broken, rendering the board dead… grrrr.. I restored from an older backup… that was a bad idea, my backup script missed some key directories. While re-hacking the files to get things working again I remembered the update script error… changed the path and presto, MySQL was patched up. I brought my backed-up .12 hacked files and most everything was back to normal… missed two recently added hacks. A few hours wasted over a stupid mistake, again.
The kicker is I’d missed the same thing back when 2.0.11 was released; I think it took me quite a while to figure it out then too. Our board is so heavily hacked, it’s beyond recognition of the update scripts, so everything has to be done by hand, diff’ing each file and sorting out the new code from the old. A lot of these head-pounding sessions could probably be eliminated if I were to update things via FTP (I assume most do it that way) instead of hacking on the live files through a shell and pico… Nah, that’d be too easy.
Aside from the bug patches, the version number was removed from the footers; after the recent Santy worms this comes as little surprise.
Nonetheless, here are the details of the fixes:
- Added confirm table to admin_db_utilities.php
- Prevented full path display on critical messages
- Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug – AnthraX101
- Added exclude list to unsetting globals (if register_globals is on) – SpoofedExistence
- Fixed arbitrary file disclosure vulnerability in avatar handling functions – AnthraX101
- Fixed arbitrary file unlink vulnerability in avatar handling functions – AnthraX101
- Removed version number from powered by line
- Merged database update files to update_to_latest.php file
- Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101’s discovery)
- Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug – matrix_killer