Anonymous
Unregistered
In versions 6.0.3 and prior there is a problem with 2 variables that can be manipulated and call an external url. This can be fixed with the following change to ubbt.inc.php. Place this at the top of ubbt.inc.php right after the block of comments:

[Code snippet removed by Ted for security reasons]. Version 6.1 has the code included.


-------------------
Rick Baker
UBBThreads developer

[This message was edited by Rick Baker on September 20, 2002 at 04:32 PM.]

[This message was edited by Ted O'Neill on September 27, 2002 at 03:01 PM.]

Anonymous
Unregistered
Also note that this fix will be included in Version 6.1, which will be officially released on Monday.

Ted O'Neill
CEO, Infopop Corporation

Anonymous
Unregistered
Thanks

Nettomo

###########################################
### Chef of Nettomo's Board ### Mod. of ObiWan's Board ###
###########################################

Anonymous
Unregistered
Hi Ted O'Neill,
Is the fix in UBBT 6.1.0?

I downloaded UBBT Version 6.1.0 from the Members Area;
the ubbt.inc.php does not contain Rick Baker's code:

code snippet removed...

Martin's post from the German forum:

code snippet removed


Nettomo

###########################################
### Chef of Nettomo's Board ### Mod. of ObiWan's Board ###
###########################################

[This message was edited by Ted O'Neill on September 27, 2002 at 03:01 PM.]

Anonymous
Unregistered
The fix is in there, it just looks a bit different:

code snippet removed

-------------------
Rick Baker
UBBThreads developer

[This message was edited by Ted O'Neill on September 27, 2002 at 03:01 PM.]

Anonymous
Unregistered
If I was on a shared server, there could be a risk of someone setting an environment variable to set $thispath and configdir, so wouldn't it be worth checking $HTTP_ENV_VARS and $HTTP_SERVER_VARS too?

Anonymous
Unregistered
From what I understand $HTTP_ENV_VARS and $HTTP_SERVER_VARS aren't automatically registered in the global namespace. These need to be referenced directly within their array so these are safe.

-------------------
Rick Baker
UBBThreads developer

Anonymous
Unregistered
Gentlemen,
Would it not be wiser to email registered license holders - past and present - with information of this nature rather than exposing it publicly for anyone to see and perhaps exploit?

Anonymous
Unregistered
I have to agree. I wouldn't have known unless I came by. Better communication would be good.

Add to this, we have to have version numbers flashed along the bottom of every page of our boards, as well as references to where the board is from. All someone has to do is go to Google, search for ubb.threads and the version numbers will give a signpost to people who want to cause trouble. Rather poor.

Anonymous
Unregistered
In config.inc.php you could change

$VERSION = "6.1";

to

$VERSION = "";

to hide the version number.

I think if you are pre-Infopop you can remove all the links that identify the script.

Might as well make the trouble makers work as hard as you can.

Anonymous
Unregistered
ghubbell- I agree with you on this. I think Rick was simply trying to make sure he got the word out quickly here so admins could update their code prior to the release of version 6.1. In general, it is not our policy (at Infopop) to post such details, for just the reasons you cited.

I've removed the code snippets here.


Ted O'Neill
CEO, Infopop Corporation

Anonymous
Unregistered
Thanks Rick, Ted and Nettomo. With the astounding popularity of the threads package I think every admin appreciates the efforts you have all made and I feel I can say with most certainty that 'we' admins understand the intent was good and that 'the fix' will be installed immediately. [Wink]

Anonymous
Unregistered
A tip for those that don't regularly visit/read or keep up with the Infopop community forums.

This forum is where all official announcements of upgrades and security issues are posted.

If you are looking at the list of posts here (not a specific thread)... and scroll all the way to the bottom and click "Pop It" a little window will come up.

That lets you "subscribe" to this forum (not all forums here...this specific 'News' forum). In that box you can choose to receive a daily/weekly/immediate email of new posts here.

That's really the best way, if you don't visit regularly, to make sure you remain instantly aware of any new releases or important upgrades.

Josh
Measurection.com Admin
ThreadsDev.com Moderator
See my How To/Site Help Library Forum at ThreadsDev.
"Happiness comes through doors you didn't even know you left open."

Anonymous
Unregistered
Good Suggestion Josh [Smile]

UBB™ & UBBT™

Anonymous
Unregistered
I just got the monthly newsletter which talks about the security hole that this thread is discussing (I think...too hacked up to know for sure).

The newsletter tells how to fix the problem by modifying ubbt.inc.php but it does not tell what file to modify if you are using an older version (i.e. pre-Infopop). Any advice?

Bill Dimm, SaveTheFreeWeb.com

Anonymous
Unregistered
Off the top of my head I think that in old old versions it would have been wwwthreads.inc.php or main.inc.php.

Honor The Victims

