miniBB

^®
Support Forums

| Start | Register | Search | Statistics | File Bank | Manual |

	miniBB Support Forums / News /
	Security Vulnerability... yet another sad story with register_globals set to ON in php.ini

	Paul Lead Developer	#1 \| Posted: 27 Oct 2006 14:51
		Recently discovered vulnerability, again, is related to the hosting servers, which have register_globals setting turned ON in php.ini. Despite I agree it's our fault this error appeared in the latest release, most importantly it means you have a very insecure hosting, when having turned this on. Read more info on PHP site: http://php.net/manual/en/security.registerglobals.php Issue to solve is top paste at the very top of each of these files: bb_func_forums.php bb_func_txt.php bb_functions.php the following line: if (!defined('INCLUDED776')) die ('Fatal error.'); these files are updated in the freshly issued updated package. Everybody still is recommended to do this short upgrade.

	Moony Partaker	#2 \| Posted: 6 Nov 2006 13:07
		It is possible to write in .htaccess: php_flag register_globals off Does it help?

	Paul Lead Developer	#3 \| Posted: 6 Nov 2006 16:19
		It may help only on servers where it's allowed...

	krko Partaker	#4 \| Posted: 16 Nov 2006 16:31
		It breaks the RSS feed plugin. Goran

	Paul Lead Developer	#5 \| Posted: 17 Nov 2006 02:50
		krko Download the latest version of RSS addon from Downloads section. It has been updated already to be compliant with the latest miniBB release. Also as 1st page news addon has been updated, too. Actually this line of code should appear in any addon using mentioned updated scripts: define ('INCLUDED776',1);

	Monk Partaker	#6 \| Posted: 17 Nov 2006 06:37
		Krko Do you have the latest setup_mysql.php file in your forum folder? My RSS feed was also broken until I included just that file itself along with the other one (setup_[insert the name of your database here].php).

	krko Partaker	#7 \| Posted: 17 Nov 2006 10:41
		Actually this line of code should appear in any addon using mentioned updated scripts: define ('INCLUDED776',1); Where should it be? At the very top? What about file upload and private messaging plugin? Do they need to be updated?

	Paul Lead Developer	#8 \| Posted: 17 Nov 2006 16:38
		At the very top? - yes. Addons do not contain this hole, they all are already secured... thus remember - they are not publically distributed.

	Karel II Partaker	#9 \| Posted: 20 Nov 2006 02:52
		A friend of mine sent me this link today - http://www.securityfocus.com/bid/20757/info is it about the same security issue (already solved by adding the line you mention)? Karel

	Paul Lead Developer	#10 \| Posted: 20 Nov 2006 13:31
		Karel II This is bogus, about 5-10 lines above it includes a file which declares $pathToFiles. include ('./setup_options.php');

	miniBB Support Forums / News /
	Security Vulnerability... yet another sad story with register_globals set to ON in php.ini Share Topic's Link

This topic is closed. New replies are not allowed.


	Home Features Requirements Demo Download Showcase Gallery of Arts Compiler Premium Extensions Premium Support License Contact Us

Check out the Private Messaging add-on: allow your miniBB-forums members to communicate with each other.

⇑