Re: I would like to receive my bills at the correct address but
Posted: 02 Jan 2004 03:12
by Guest
Now save the file and if appropriate upload it replacing the existing includes/bbcode.php.
This appears to fix the issue ... if you find this is not the case please notify us privately with full details of how it fails, your version of PHP and if appropriate a version that works.
Time for a fairly major rant ...
Again information on this was posted to bugtraq, this time it seems as we were notified. We received notification of this issue at 1.20AM (BST) on the 8th. Soon after a potential fix was noted internally ... following some tests to make sure nothing obvious was overlooked we intended to repackage 2.0.6 and announce the patch today.
Before loads of people chirp in with "Well how much damage do you think would've occurred if he'd not posted to bugtraq!" ... the answer is, I heavily suspect, zero to very very little. Let's get "serious" for a moment shall we. Most damage done to these sorts of applications (boards, portals, etc.) appears to be done by so called "script kiddies", people who follow security mailing lists and relevant underground sites looking for vulnerabilities discovered by others. If they have no access to this information the amount of damage they can do is severely curtailed. How can I say this? Because that's been my experience dealing with issues such as the annoying robotic registration application, other XSS issues, etc.
Before loads of people say "Ah, but people can fix it if they know about it" ... good for them, if that were 100% correct, but it's not. At least once before now a published "fix" did no such thing. So any admins applying said "fix" still had a vulnerable board. And what about all those people who don't subscribe to the relevant lists? Is it a case of "stuff them"? I guess so ... double standards it would seem.
Not long ago Apache Group had a similar problem to those we've experienced. That is, someone posting a vulnerability to a list before notifying them ... and worse, including a fix that wasn't. That received lots of publicity and led to suggestions of a responsible system of notification and distribution of information. As opposed to outdated methods such as bugtraq et al ... and worse, the "security sites" which simply compete with each other to report the most vulnerabilities. Remember, the internet now is quite different to even that of six years ago ... gone are the days of nicey nicey admins all helping each other. It's been replaced with people who are quite happy to do harm without a second thought. It's time for a change in the way these things are handled ... and I urge all those who can and who agree to voice this in all practical ways.
Now, let me reiterate our position on reporting vulnerabilities. We ask that people provide us with details of any vulnerabilities and give us reasonable time to respond; email should be sent to security at phpbb.com. If you've not heard anything from us (please use a reachable email address) within 48 hours please email again (email is not infallible). If you hear nothing within 12-18 hours please contact any developer or group member (or even team member) here @ phpbb.com via private message with a suitable subject. If you still hear nothing within a day feel free to post the information on this board. Remember that people here are spread over the world and thus response times may vary depending on your location (and time of year).
To help save our sanity and time please we beg you(!) do not email security at phpbb.com concerning support issues, bugs or other released matters. That address exists purely to report vulnerabilities ... vulnerabilities include anything that can lead to loss of or exposure of data. Vulnerabilities are not "I've got an error on my board, can you help?!", "Other people can see my config.php!", "Are you interested in ...", etc.
We do apologise for this issue cropping up ... we do our best to limit such issues but unfortunately we're not perfect.
Thanks
To help save our sanity and time please we beg you(!) do not email security at phpbb.com concerning support issues, bugs or other released matters. That address exists purely to report vulnerabilities ... vulnerabilities include anything that can lead to loss of or exposure of data. Vulnerabilities are not "I've got an error on my board, can you help?!", "Other people can see my config.php!", "Are you interested in ...", etc.
We do appologise for this issue cropping up ... we do our best to limit such issues but unfortunately we're not perfect.
Thanks
Now save the file and if appropriate upload it replacing the existing includes/bbcode.php.
This appears to fix the issue ... if you find this is not the case please notify us privately with full details of how it fails, your version of PHP and if appropriate a version that works.
Time for a fairly major rant ...
Again information on this was posted to bugtraq, this time it seems as we were notified. We received notification of this issue at 1.20AM (BST) on the 8th. Soon after a potential fix was noted internally ... following some tests to make sure nothing obvious was overlooked we intended to repackage 2.0.6 and announce the patch today.
Before loads of people chirp in with "Well how much damage do you think would've occured if he'd not posted to bugtraq!" ... the answer is I heavily suspect, zero to very very little. Let's get "serious" for a moment shall we. Most damage done to these sorts of applications (boards, portals, etc.) appears to be done by so called "script kiddies", people who follow security mailing lists and relevant underground sites looking for vulnerabilities discovered by others. If they have no access to this information the amount of damage they can do is severely curtailed. How can I say this? Because that's been my experience dealing with issues such as the annoying robotic registration application, other xss issues, etc.
Before loads of people say "Ah, but people can fix it if they know about it" ... good for them, if that were 100% correct, but it's not. At least once before now a published "fix" did no such thing. So any admins applying said "fix" still had a vulnerable board. And what about all those people who don't subscribe to the relevant lists? Is it a case of "stuff them"? I guess so ... double standards it would seem.
Not long ago Apache Group had a similar problem to those we've experienced. That is, someone posting a vulnerability to a list before notifying them ... and worse, including a fix that wasn't. That received lots of publicity and led to suggestions of a responsible system of notification and distribution of information. As opposed to outdated methods such as bugtraq et al ... and worse, the "security sites" which simply compete with each other to report the most vulnerabilities. Remember, the internet now is quite different to even that of six years ago ... gone are the days of nicey nicey admins all helping each other. It's been replaced with people who are quite happy to do harm without a second thought. It's time for a change in the way these things are handled ... and I urge all those who can and who agree to voice this in all practical ways.
Now, let me reiterate our position on reporting vulnerabilities. We ask that people provide us with details of any vulnerabilities and give us reasonable time to respond, email should be sent to security at phpbb.com. If you've not heard anything from us (please use a reachable email address) within 48 hours please email again (email is not infalable). If you hear nothing within 12-18 hours please contact any developer or group member (or even team member) here @ phpbb.com via private message with a suitable subject. If you still hear nothing within a day feel free to post the information on this board. Remember that people here are spread over the world and thus response times may vary depending on your location (and time of year).
To help save our sanity and time please we beg you(!) do not email security at phpbb.com concerning support issues, bugs or other released matters. That address exists purely to report vulnerabilities ... vulnerabilities include anything that can lead to loss of or exposure of data. Vulnerabilities are not "I've got an error on my board, can you help?!", "Other people can see my config.php!", "Are you interested in ...", etc.
We do appologise for this issue cropping up ... we do our best to limit such issues but unfortunately we're not perfect.
Thanks
Now save the file and if appropriate upload it replacing the existing includes/bbcode.php.
This appears to fix the issue ... if you find this is not the case please notify us privately with full details of how it fails, your version of PHP and if appropriate a version that works.
Time for a fairly major rant ...
Again information on this was posted to bugtraq, this time it seems as we were notified. We received notification of this issue at 1.20AM (BST) on the 8th. Soon after a potential fix was noted internally ... following some tests to make sure nothing obvious was overlooked we intended to repackage 2.0.6 and announce the patch today.
Before loads of people chirp in with "Well how much damage do you think would've occured if he'd not posted to bugtraq!" ... the answer is I heavily suspect, zero to very very little. Let's get "serious" for a moment shall we. Most damage done to these sorts of applications (boards, portals, etc.) appears to be done by so called "script kiddies", people who follow security mailing lists and relevant underground sites looking for vulnerabilities discovered by others. If they have no access to this information the amount of damage they can do is severely curtailed. How can I say this? Because that's been my experience dealing with issues such as the annoying robotic registration application, other xss issues, etc.
Before loads of people say "Ah, but people can fix it if they know about it" ... good for them, if that were 100% correct, but it's not. At least once before now a published "fix" did no such thing. So any admins applying said "fix" still had a vulnerable board. And what about all those people who don't subscribe to the relevant lists? Is it a case of "stuff them"? I guess so ... double standards it would seem.
Not long ago Apache Group had a similar problem to those we've experienced. That is, someone posting a vulnerability to a list before notifying them ... and worse, including a fix that wasn't. That received lots of publicity and led to suggestions of a responsible system of notification and distribution of information. As opposed to outdated methods such as bugtraq et al ... and worse, the "security sites" which simply compete with each other to report the most vulnerabilities. Remember, the internet now is quite different to even that of six years ago ... gone are the days of nicey nicey admins all helping each other. It's been replaced with people who are quite happy to do harm without a second thought. It's time for a change in the way these things are handled ... and I urge all those who can and who agree to voice this in all practical ways.
Now, let me reiterate our position on reporting vulnerabilities. We ask that people provide us with details of any vulnerabilities and give us reasonable time to respond, email should be sent to security at phpbb.com. If you've not heard anything from us (please use a reachable email address) within 48 hours please email again (email is not infalable). If you hear nothing within 12-18 hours please contact any developer or group member (or even team member) here @ phpbb.com via private message with a suitable subject. If you still hear nothing within a day feel free to post the information on this board. Remember that people here are spread over the world and thus response times may vary depending on your location (and time of year).
To help save our sanity and time please we beg you(!) do not email security at phpbb.com concerning support issues, bugs or other released matters. That address exists purely to report vulnerabilities ... vulnerabilities include anything that can lead to loss of or exposure of data. Vulnerabilities are not "I've got an error on my board, can you help?!", "Other people can see my config.php!", "Are you interested in ...", etc.
We do appologise for this issue cropping up ... we do our best to limit such issues but unfortunately we're not perfect.
Thanks
Now save the file and if appropriate upload it replacing the existing includes/bbcode.php.
This appears to fix the issue ... if you find this is not the case please notify us privately with full details of how it fails, your version of PHP and if appropriate a version that works.
Time for a fairly major rant ...
Again information on this was posted to bugtraq, this time it seems as we were notified. We received notification of this issue at 1.20AM (BST) on the 8th. Soon after a potential fix was noted internally ... following some tests to make sure nothing obvious was overlooked we intended to repackage 2.0.6 and announce the patch today.
Before loads of people chirp in with "Well how much damage do you think would've occured if he'd not posted to bugtraq!" ... the answer is I heavily suspect, zero to very very little. Let's get "serious" for a moment shall we. Most damage done to these sorts of applications (boards, portals, etc.) appears to be done by so called "script kiddies", people who follow security mailing lists and relevant underground sites looking for vulnerabilities discovered by others. If they have no access to this information the amount of damage they can do is severely curtailed. How can I say this? Because that's been my experience dealing with issues such as the annoying robotic registration application, other xss issues, etc.
Before loads of people say "Ah, but people can fix it if they know about it" ... good for them, if that were 100% correct, but it's not. At least once before now a published "fix" did no such thing. So any admins applying said "fix" still had a vulnerable board. And what about all those people who don't subscribe to the relevant lists? Is it a case of "stuff them"? I guess so ... double standards it would seem.
Not long ago Apache Group had a similar problem to those we've experienced. That is, someone posting a vulnerability to a list before notifying them ... and worse, including a fix that wasn't. That received lots of publicity and led to suggestions of a responsible system of notification and distribution of information. As opposed to outdated methods such as bugtraq et al ... and worse, the "security sites" which simply compete with each other to report the most vulnerabilities. Remember, the internet now is quite different to even that of six years ago ... gone are the days of nicey nicey admins all helping each other. It's been replaced with people who are quite happy to do harm without a second thought. It's time for a change in the way these things are handled ... and I urge all those who can and who agree to voice this in all practical ways.
Now, let me reiterate our position on reporting vulnerabilities. We ask that people provide us with details of any vulnerabilities and give us reasonable time to respond, email should be sent to security at phpbb.com. If you've not heard anything from us (please use a reachable email address) within 48 hours please email again (email is not infalable). If you hear nothing within 12-18 hours please contact any developer or group member (or even team member) here @ phpbb.com via private message with a suitable subject. If you still hear nothing within a day feel free to post the information on this board. Remember that people here are spread over the world and thus response times may vary depending on your location (and time of year).
To help save our sanity and time please we beg you(!) do not email security at phpbb.com concerning support issues, bugs or other released matters. That address exists purely to report vulnerabilities ... vulnerabilities include anything that can lead to loss of or exposure of data. Vulnerabilities are not "I've got an error on my board, can you help?!", "Other people can see my config.php!", "Are you interested in ...", etc.
We do appologise for this issue cropping up ... we do our best to limit such issues but unfortunately we're not perfect.
Thanks