Patch für 2.0.5

News zu phpBB.de und phpBB
Bitte dieses Forum immer lesen.
Antworten
Benutzeravatar
itst
Ehrenadmin
Beiträge: 7418
Registriert: 21.08.2001 02:00
Wohnort: Büttelborn bei Darmstadt
Kontaktdaten:
Kontaktdaten von itst

Patch für 2.0.5

Beitrag von itst »

We've been informed that a possible SQL injection vulnerability has been released to various lists and sites. The issue is unlikely to affect many users given the requirements that surround it.

Öffne viewtopic.php und suche:

Code: Alles auswählen

if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) ) 
{ 
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]); 
} 
else if ( isset($HTTP_GET_VARS['topic']) ) 
{ 
      $topic_id = intval($HTTP_GET_VARS['topic']); 
}
füge davor ein:

Code: Alles auswählen

$topic_id = $post_id = 0;
Suche etwas weiter unten:

Code: Alles auswählen

$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 "; 
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id"; 
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts"; 

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
Und ersetze das durch:

Code: Alles auswählen

$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 "; 
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id"; 
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts"; 

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
I would like to add that (as now typical ...) we were given practically no time to fix this issue before it appeared on the web.
Sascha A. Carlin,
phpBB.de Ehrenadministrator :o
Nach oben
Benutzeravatar
itst
Ehrenadmin
Beiträge: 7418
Registriert: 21.08.2001 02:00
Wohnort: Büttelborn bei Darmstadt
Kontaktdaten:
Kontaktdaten von itst

Beitrag von itst »

[ externes Bild ] Kommentare zu dieser Ankündigung sind im Diskussionsthema willkommen.
Nach oben
Antworten

Zurück zu „Ankündigungen und Neuigkeiten“