Security Vulnerability in all versions of phpBB

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Computer Guru
Registered User
Posts: 4
Joined: Thu May 18, 2006 9:36 pm
Location: Palestine

Security Vulnerability in all versions of phpBB

Post by Computer Guru »

Our researchers at NeoSmart Technologies have found a security vulnerability in all versions of phpBB to date; it has a rated threat level of 6/10.

This is a hole that allows normal users access to privileged content under many circumstances. You can view the abstract as well as download the complete security bulletin at our temporary website at http://www.neosmart.net/forums/index.php?gettopic=26

Regards,
Computer Guru
NeoSmart Technologies
CEO

SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: Security Vulnerability in all versions of phpBB

Post by SamG »

sigh…

Computer Guru
Registered User
Posts: 4
Joined: Thu May 18, 2006 9:36 pm
Location: Palestine

Re: Security Vulnerability in all versions of phpBB

Post by Computer Guru »

Before you ask, I posted it here since I figured that's where all the devs are... was that incorrect?

SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: Security Vulnerability in all versions of phpBB

Post by SamG »

The phpBB.com Security Tracker is the place of choice for security issues. While the issue is in fact contested, many people in computerdom object to premature public exposure of security issues, and phpBB has been significantly disadvantaged by premature exposure in the past.
Last edited by SamG on Thu May 18, 2006 9:56 pm, edited 1 time in total.

Computer Guru
Registered User
Posts: 4
Joined: Thu May 18, 2006 9:36 pm
Location: Palestine

Re: Security Vulnerability in all versions of phpBB

Post by Computer Guru »

Thank you SamG; this is my first visit to the phpBB forums :)

Computer Guru
Registered User
Posts: 4
Joined: Thu May 18, 2006 9:36 pm
Location: Palestine

Re: Security Vulnerability in all versions of phpBB

Post by Computer Guru »

Well, we're a non-profit security R&D company, with a bit of software development and support. I'm aware of the debate you're referencing, but I believe that bugs affect everyone and as such they should be made public... but that debate is neither here nor there.

SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: Security Vulnerability in all versions of phpBB

Post by SamG »

The debate is here in the sense that the phpBB developers have provided for first finder disclosure outside public forums, and the relevant policy is pretty easy to discover. They don't ask for absolute public nondisclosure, but they do ask for discreet disclosure.

I don't see why first finder and public interests trump developer interests on day zero, but what I see or don't see is indeed neither here nor there.

BondGamer
Registered User
Posts: 112
Joined: Mon Dec 15, 2003 8:20 pm

Re: Security Vulnerability in all versions of phpBB

Post by BondGamer »

This is a joke, right? I thought it would somehow involve someone getting access to private content. However, it just allows users to view a topic which was previously viewable. That isn't exactly as important as you made it out to be.

I would call this more of a bug than a security-related issue. Where you got a rating of 6/10 is bewildering.

Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You

Re: Security Vulnerability in all versions of phpBB

Post by Acyd Burn »

BondGamer wrote: I thought it would somehow involve someone getting access to private content. However, it just allows users to view a topic which was previously viewable. That isn't exactly as important as you made it out to be.

Not even this (if it would allow viewing the topic it would be a serious issue). In 2.0.x you get a notification once, but it does not include any information about the topic (no text at all). This might be a tiny bug (inconvenience for a user because he/she is prompted by an access denied message after clicking the link) but IMO not an issue.

In Olympus the checks are done on each notification. If the user is no longer able to access the forum/topic or has been banned from the board, the notification is not sent and the user is automatically unsubscribed from the topic. If this does not happen it is a bug (but it can be seen from the code that it is meant to do it).

Regarding the disclosure... the vendor should be informed first. After the issue has been fixed, it should be disclosed a few days after a new/fixed version comes out, to give the users a bit of time to update their installations.
If you release a 0-day disclosure, what do you get? Exactly, informing the users and those wanting to attack the users. Now, the attackers will be happy, they have something to play with. But what about the users? Some may search for a fix (which they do not find because the vendor does not know about the issue) - the only option they have is to wait for a new release. And this leaves them open to attacks, regardless of whether they know about it or not.
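
The send-time check described in the post above, sketched as an added example that is not part of the thread and is not phpBB's code. All function names and the sample data are hypothetical and constructed for illustration:

```php
<?php
// Added illustration; every name here is hypothetical, none is phpBB's API.

// Constructed sample state.
$acl = [            // forum_id => user_ids currently allowed to read it
    1 => [10, 11],  // user 12 could read forum 1 when subscribing, then lost access
];
$banned = [11];     // user 11 still has read permission but is banned from the board
$subscriptions = [  // topic_id => forum it lives in and its subscribers
    100 => ['forum' => 1, 'users' => [10, 11, 12]],
];

// A user may be notified only if not banned and currently allowed to read the forum.
function can_read(array $acl, array $banned, int $userId, int $forumId): bool
{
    return !in_array($userId, $banned, true)
        && in_array($userId, $acl[$forumId] ?? [], true);
}

// Re-check authorization for every subscriber at send time, not at subscribe time.
// Returns [recipients, pruned]; $subscriptions is updated in place so users who
// lost access are unsubscribed instead of receiving a notification.
function notify_topic(array &$subscriptions, array $acl, array $banned, int $topicId): array
{
    if (!isset($subscriptions[$topicId])) {
        return [[], []];               // unknown topic: nothing to send
    }
    $forumId = $subscriptions[$topicId]['forum'];
    $recipients = [];
    $pruned = [];
    foreach ($subscriptions[$topicId]['users'] as $userId) {
        if (can_read($acl, $banned, $userId, $forumId)) {
            $recipients[] = $userId;   // the mail would be queued here
        } else {
            $pruned[] = $userId;       // stale subscription: send nothing, drop it
        }
    }
    $subscriptions[$topicId]['users'] = $recipients;
    return [$recipients, $pruned];
}

[$sent, $pruned] = notify_topic($subscriptions, $acl, $banned, 100);
printf("notified: %s\n", implode(',', $sent));
printf("unsubscribed: %s\n", implode(',', $pruned));
printf("remaining subscribers: %s\n", implode(',', $subscriptions[100]['users']));
```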
